FCC Wants Your ID to Get a Phone Number

A proposed KYC rule would force every originating voice carrier to collect government-issued ID, a home address, and a second phone number from every new and renewing customer. EFF and ACLU filed joint comments on June 25. The reply window closes July 26.

Smartphone on a desk next to a notebook, with a blurred city street visible through a window

TL;DR: On April 30, 2026, the FCC voted out a Further Notice of Proposed Rulemaking (FCC 26-27) under CG Docket No. 17-59 that would convert the agency's existing "Know Your Customer" rule into a federal identity-verification mandate for every U.S. originating voice carrier. The minimum data set: legal name, physical home address, government-issued ID number, and an alternate telephone number. High-volume customers would also turn over the IP address they call from and a stated reason for the service. Penalties would land at $2,500 per illegal call. EFF and ACLU filed joint comments on June 25 warning that the rule would end anonymous phone service, hand carriers a new sensitive dataset the industry has a poor track record of protecting, and still not meaningfully reduce robocalls, since most originate overseas and existing call-authentication standards remain under-deployed. The reply-comment window closes July 26.

What the FCC Proposed

FCC 26-27, released May 1, 2026 and adopted unanimously with separate statements from Chairman Brendan Carr and Commissioner Olivia Trusty, layers an explicit minimum data set on top of the agency's existing "Know Your Customer" obligation at 47 CFR § 64.1200(n)(4) [1]. The current rule already requires originating providers to take "affirmative, effective measures" to vet new and renewing customers, but it leaves the specific measures to the carrier's discretion [1]. The new FNPRM is the FCC's attempt to define what "affirmative, effective" actually means.

For every new and renewing customer, originating carriers would have to collect and retain four fields at minimum: legal name, physical address, a government-issued identification number, and an alternate telephone number [1]. The Commission explicitly floats banning virtual addresses, P.O. boxes, mail-forwarding services, and hosted servers from qualifying as a "physical address" [1]. For high-volume customers, including business and foreign customers, carriers would also have to capture the stated intended use of the service (e.g., marketing, education, political campaign) and the IP address from which each call is placed, when applicable [1].

Verification, retention, and re-verification are spelled out in detail. Carriers would need supporting records (government ID copies, corporate formation records, proof of good standing, active-phone-number confirmation, third-party address confirmation, and commercial-presence checks for high-volume accounts) before granting service [1]. Records would be retained for four years after the customer relationship ends, matching the spoofing and TCPA statute of limitations at 47 U.S.C. § 227(b)(4)(E)(ii) [1]. Red-flag triggers for re-verification include dormant accounts suddenly pumping out traffic, U.S. companies sending traffic from foreign IP addresses, registered-agent addresses, and crypto payments [1].

Penalties would land at $2,500 per call for KYC violations, codified into 47 CFR § 1.80(b)(11), the same line-item rate the FCC just adopted for per-call robocall-blocking violations [1]. Per-customer penalties are explicitly rejected as inadequate to "correlate penalties to the volume of illegal calls made."

Why This Is a Surveillance Problem

The EFF and ACLU, in joint comments filed June 25, 2026, called the proposal "just a data-collection scheme" in a separate Deeplinks post by Chao Liu and Cooper Quintin [2]. Their core argument: the rule would force every U.S. phone customer into a federal identity-verification regime, kill anonymous phone service, and pile up a new exploitable data trove on telecom servers, all to address a problem the existing tools are already failing to solve.

The technical claim is straightforward. The FCC's own call-authentication framework, STIR/SHAKEN, is the path the agency has been pushing for years, but it has not been fully implemented by every American telecom provider [2]. Most illegal robocalls originate overseas, where no U.S. KYC regime reaches. The Federal Trade Commission has put annual U.S. calling-scam losses at an estimated $850 million, with nuisance costs "increasing costs into the billions," per the FCC's own prior findings [1]. Adding a domestic ID requirement does not touch the overseas call paths that produce most of the volume.

The data-stewardship argument is harder to dismiss. Carriers have a documented history of large customer-data breaches. The AT&T 2024 disclosures alone involved 7.6 million current and 65 million former customers' data, plus 109 million customer call and text records downloaded by attackers [2]. The 2023 Comcast/Xfinity breach exposed roughly 36 million customers' last-four-SSN-plus-DOB records [2]. The Salt Typhoon operation, which the FBI has tracked as an ongoing threat, hit CALEA infrastructure and demonstrated that carriers' lawful-intercept systems are themselves high-value targets [2]. Adding government-issued ID numbers and home addresses to every carrier's customer database expands the blast radius of the next breach.

The access-to-service argument is where the rule breaks for specific populations. Roughly 15 million U.S. adults lack a driver's license, around 2.6 million lack any government-issued photo ID, about 21 million lack a non-expired driver's license, and roughly 34.5 million lack a current driver's license or state ID that matches their current name and address [2]. The populations disproportionately affected are Black Americans, Hispanic Americans, people with disabilities, lower-income individuals, and undocumented immigrants, since the rule as drafted requires ID that many in those groups do not have [2]. The FCC itself raises the law-enforcement rationale in paragraph 28 of FCC 26-27: enhanced KYC information could "assist law enforcement to more easily identify callers" in drug, violent-crime, and human-trafficking investigations [1]. The EFF and ACLU counter that using telecom KYC for general law-enforcement access is exactly the kind of mission creep that should not be built into a robocall rule.

The Lingo Precedent and the National Security Frame

The FCC is not building this from scratch. In 2024 the agency entered into a consent decree with Lingo Telecom, LLC, after finding that Lingo "in a failure to utilize reasonable 'Know Your Customer' (KYC) protocols, applied incorrect STIR/SHAKEN attestations to spoofed robocalls" [1]. The Lingo settlement required legal business name, place of formation, proof of good standing, EIN or business registration, physical business address, active telephone number, type of goods or services, and the name of an authorized individual [1]. The FNPRM essentially proposes to make Lingo's specific data set the floor for every carrier in the country.

Chairman Carr's statement frames the rule as a national-security and counter-espionage measure, not just a consumer-protection one [1]. Paragraph 34 of FCC 26-27 cites the agency's national-security authority and points to bad actors using illegal calls to "surveil and target government officials and sensitive infrastructure," explicitly tying telecom KYC to the same threat surface that Salt Typhoon exploited on the carrier lawful-intercept side [1]. That dual framing, consumer protection plus national security, is what gives the proposal structural momentum. It is also what puts privacy advocates on alert, since national-security rationales have a track record of expanding data-collection regimes beyond their original scope.

What to Watch

The formal comment window opened on publication of FCC 26-27 in the Federal Register, with comments due 30 days after publication and reply comments due 60 days after publication, per the Commission's standard rulemaking schedule under 47 CFR §§ 1.415 and 1.419 [1]. EFF and ACLU filed their joint comments on June 25, 2026, with the reply-comment window closing on July 26, 2026 [2]. If you want to file, the proceeding is CG Docket No. 17-59, and comments go through the FCC's ECFS portal [1].

Three things are worth tracking. First, whether the FCC narrows the rule's scope around prepaid SIM cards and the proposed ban on virtual addresses, after WISPA's April 23, 2026 ex parte filing flagged small-provider burden [1]. Second, whether the per-call $2,500 forfeiture survives into the report-and-order phase, since that number is the financial lever that makes the rule actually bite. Third, whether the AI-KYC "safe harbor" the FCC floats in paragraph 26 ends up shaping the final rule, given how broadly carriers are already using automated identity tools and how poorly those tools perform for the populations most likely to lack standard government ID [1].

If you rely on prepaid service, a burner phone, or a virtual-office address for a small business line, the window to file comments is open now. Related coverage: the EFF-led analysis of AI scam calls, the deepfake bank-KYC bypass story, and the broader pattern of federal identity mandates feeding data breaches are all live on the news desk.

Sources

  1. FCC 26-27: Further Notice of Proposed Rulemaking, In the Matter of Advanced Methods to Target and Eliminate Unlawful Robocalls, CG Docket Nos. 17-59 and 02-278 (adopted April 30, 2026, released May 1, 2026)
  2. EFF Deeplinks: “FCC’s Spam Call Proposal Is Just a Data Collection Scheme” by Chao Liu and Cooper Quintin (June 25, 2026)