Is Your Phone Company Selling Your Call Records?
FCC rules on CPNI sound protective — but the disclosure requirements are broad, the opt-outs are buried, and most businesses have no idea what their provider shares.
The Short Answer Is: Probably Not “Selling.” But Also… Kind Of.
Let’s start with the uncomfortable truth: your phone company knows a lot about you. Not the content of your calls — that requires a wiretap order. But everything around your calls: who you called, when, for how long, how often, from where, and the patterns that emerge from all of that data over time.
This information has a name. It’s called CPNI — Customer Proprietary Network Information — and the FCC has rules about it. Those rules sound protective. They use words like “privacy” and “consent” and “safeguards.”
But here’s the thing: the rules mostly require your provider to tell you what they’re doing with your data. They don’t necessarily stop them from doing it.
What CPNI Actually Is
CPNI is the data your phone company collects just by providing you service. Under FCC rules (47 CFR § 64.2003), it includes:
- Call detail records (CDRs): Every call you make or receive — the number you called, the number that called you, the date, the time, the duration
- Service usage data: How many minutes you use, when you use them, what features you use
- Billing information: What services you subscribe to, what you pay, your payment history
- Location data: For mobile and some VoIP services, where you were when you made the call
This is not abstract. Your CDRs are a detailed record of your business relationships. If you’re a law firm, your call records show which clients you’re talking to and how often. If you’re a healthcare practice, they show which patients are calling you. If you’re in sales, they map your entire prospect and customer network.
The content of the calls is private. But the pattern of who you talk to, when, and for how long — that’s arguably just as revealing.
What the FCC Rules Actually Say
The FCC’s CPNI rules (under Section 222 of the Telecommunications Act) have a basic structure:
The default rule: Your provider can use your CPNI to provide you the services you’ve ordered and for billing purposes. That’s the baseline — no additional consent needed.
Marketing to you: Your provider can use your CPNI to market similar services to you — things in the same category as what you already buy. They can do this without your explicit consent as long as they’ve notified you and given you an opportunity to opt out.
Sharing with affiliates and third parties: Here’s where it gets interesting. Your provider can share your CPNI with affiliates (companies under the same corporate umbrella) for marketing purposes — again, with notice and opt-out. Sharing with unaffiliated third parties requires opt-in consent.
The practical effect: The opt-out model means that by default, your data flows. If you didn’t read the privacy notice your provider sent you (or emailed you, or buried in your account portal), and you didn’t actively opt out, your provider and its affiliates can use your call data for marketing purposes.
Most people don’t read those notices. Most businesses don’t either. The system relies on inaction, and inaction means consent.
“Affiliates” Is Doing a Lot of Heavy Lifting
The affiliate sharing provision is where the real action is. In modern telecom, “affiliates” can encompass an enormous number of companies.
Take a major provider that’s been through a few mergers and acquisitions. Their corporate family might include the phone company, an internet provider, a data analytics company, an advertising platform, a media company, and a dozen other entities. Under the CPNI rules, your call data can flow to all of them as long as they’re under the same corporate umbrella and the provider has given you opt-out notice.
When T-Mobile merged with Sprint, the combined company’s affiliate network expanded significantly. When AT&T owned DirecTV, WarnerMedia, and Xandr (an advertising platform), “affiliates” included an ad-tech company. The corporate structures change, the affiliates multiply, and your CPNI flows to wherever the corporate family tree reaches.
This isn’t a violation of the rules. It’s exactly what the rules allow.
What VoIP Providers Specifically Do
Traditional phone companies (AT&T, Verizon, Lumen) are clearly subject to CPNI rules because they’re regulated as telecommunications carriers. VoIP is more complicated.
“Interconnected VoIP” providers — those that can make and receive calls to/from the regular phone network — are subject to some FCC rules (like E911 requirements) but the CPNI framework was designed for traditional carriers. The FCC has extended some CPNI protections to VoIP through various orders, but enforcement is inconsistent and the boundaries are blurry.
What this means in practice: VoIP providers generally follow CPNI-like rules voluntarily or because they’re also operating as CLECs (Competitive Local Exchange Carriers). But some — especially the smaller ones, the app-based ones, the free ones — operate in a regulatory gray area where FCC CPNI rules may not clearly apply, and they fall back on their own privacy policies.
And privacy policies can say pretty much anything.
We covered the “you are the product” dynamic for free phone services in our guide to free phone systems. The data practices of free VoIP apps make traditional CPNI concerns look quaint.
The Data Broker Connection
Even providers that don’t directly sell your CPNI may contribute to a broader data ecosystem. Aggregated and de-identified call data — stripped of your name but containing patterns like “business at this address makes frequent calls to these area codes” — can be valuable for analytics, marketing, and location intelligence companies.
The FCC’s rules focus on individually identifiable CPNI. Aggregated data falls into a grayer area. And “de-identified” data has been repeatedly shown by researchers to be re-identifiable, especially when combined with other data sources.
There’s also the law enforcement angle. Phone companies receive hundreds of thousands of legal demands for call records every year — subpoenas, court orders, and national security requests. This is legal and regulated, but it means your call records are accessible to government agencies with appropriate legal process. Your provider’s data retention policies determine how far back those records go. Some providers retain CDRs for years.
What the Privacy Policy Actually Says (Read Yours)
Go find your phone provider’s privacy policy right now. Search for these terms:
- “CPNI” — Does the policy explain what it is and how they use it?
- “Affiliates” — Who are the affiliates, and what data do they receive?
- “Marketing” — Can they use your call data to market to you?
- “Third parties” — Under what circumstances do they share data with non-affiliates?
- “Aggregate” or “de-identified” — Do they reserve the right to share aggregated call data?
- “Opt out” — How do you opt out, and what does opting out actually cover?
- “Retention” — How long do they keep your call records?
- “Law enforcement” — What’s their policy on responding to legal demands?
If the privacy policy is vague, short, or doesn’t mention CPNI at all — that’s not reassuring. Either they haven’t thought about it, or they’d rather you not ask.
What You Can Do
Opt Out
If your provider offers a CPNI opt-out, take it. This typically restricts them from using your call data for marketing purposes and from sharing it with affiliates for marketing. It won’t stop them from using the data for billing and service delivery (that’s necessary for them to function), but it limits the marketing and affiliate sharing.
The opt-out process varies by provider. Some have it in your account settings. Some require a phone call. Some require a written request. The FCC requires providers to make the opt-out available, but they don’t require it to be easy.
Ask Your Provider Directly
“What do you do with our call detail records beyond providing us service?” A straightforward question. The answer — or the inability to give a clear answer — tells you a lot.
Consider Smaller, Independent Providers
Smaller providers — especially those that aren’t part of a large corporate family — tend to have simpler data practices by default. If your provider is a standalone company with no affiliates, the affiliate sharing provisions are a moot point. There’s no affiliate network for your data to flow through.
This isn’t a guarantee of better privacy practices, but the structural incentive to monetize your data is lower when the company’s only business is providing you phone service.
Think About Encryption
If the metadata (who you called, when, for how long) concerns you, the call content might too. Standard VoIP calls traverse the internet unencrypted by default. Anyone positioned on the network path between you and your provider could theoretically intercept the audio. Encrypted VoIP — SIP over TLS and SRTP — protects the call content in transit. It doesn’t hide the metadata from your provider (they still need it for routing and billing), but it protects the conversation itself.
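One way to check whether a given call setup actually uses SIP over TLS and SRTP is to inspect the SIP INVITE and its SDP body, for example from a softphone's debug log. The script below is an added example, not code from this article's author: the function name `audit_invite` and both sample messages are constructed for illustration, and the Via header it reads only describes the hop where the message was logged.

```python
import re

# SDP transport profiles that carry SRTP (SDES-keyed or DTLS-keyed).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(message: str) -> dict:
    """Report whether the signaling hop and each media stream are encrypted."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    # The topmost Via header names the transport used on this hop (UDP, TCP, TLS, WSS).
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else None
    media, current, session_keyed = [], None, False
    for line in sdp.splitlines():
        parts = line[2:].split()
        if line.startswith("m=") and len(parts) >= 3:
            current = {"kind": parts[0], "proto": parts[2], "keyed": session_keyed}
            media.append(current)
        elif line.startswith("a=fingerprint:") and current is None:
            session_keyed = True          # session-level DTLS fingerprint covers all streams
        elif current and line.startswith(("a=crypto:", "a=fingerprint:")):
            current["keyed"] = True       # keying material offered for this stream
    return {
        "signaling_encrypted": transport in {"TLS", "WSS"},
        "media": [(m["kind"], m["proto"], m["proto"] in SECURE_PROFILES and m["keyed"])
                  for m in media],
    }

# Constructed sample messages (documentation addresses, placeholder key), not captured traffic.
PLAINTEXT_INVITE = """\
INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
Content-Type: application/sdp

v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""
ENCRYPTED_INVITE = (PLAINTEXT_INVITE
    .replace("sip:bob", "sips:bob").replace("SIP/2.0/UDP", "SIP/2.0/TLS")
    .replace(":5060", ":5061").replace("RTP/AVP", "RTP/SAVP")
    + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY\n")

if __name__ == "__main__":
    for name, msg in (("plaintext", PLAINTEXT_INVITE), ("encrypted", ENCRYPTED_INVITE)):
        print(name, audit_invite(msg))
```

A stream counts as protected only when the profile is an SRTP profile and keying material is offered; a plain `RTP/AVP` media line means the audio travels in the clear even if the signaling uses TLS.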
Review Retention Policies
How long does your provider keep your call records? Some keep them for 90 days. Some keep them for years. Shorter retention means there’s less historical data available — to the provider, to their affiliates, and to anyone who might compel access through legal process.
A Note About Us
We’re going to be direct about what we do: we collect the CDRs and usage data necessary to provide and bill for our service. That’s unavoidable — we need to know where to route your calls and what to bill you for.
What we don’t do: we don’t sell your call data. We don’t share it with affiliates for marketing purposes (we don’t have a labyrinth of affiliate companies for it to flow to). We don’t feed it into an advertising ecosystem. We don’t retain it longer than we need to.
We’re a phone company. We make money by providing phone service. Your call records are not our product. They’re a byproduct of our product, and we treat them accordingly.
Want to know exactly what your current provider does with your data? Drop us a line — we can help you figure out the right questions to ask. And if you want a provider where the answer to “what do you do with my call records?” is short and boring, we’re that provider. No pressure, no 47-slide deck.