Spectrum & Regulation

Spectrum is not owned the way land is. It is administered, region by region and service by service, against a single global reference. At the top sits the International Telecommunication Union (ITU), a specialized agency of the United Nations. Its radiocommunication arm, the ITU-R, is the global agency responsible for management of the radio-frequency spectrum and satellite orbit resources. Its central instrument is the Radio Regulations (RR), a binding international treaty that determines how the radio-frequency spectrum is shared between different services. The RR runs to over 2,300 pages of text and charts, and its core is the Table of Frequency Allocations in Article 5, which states, band by band, which radiocommunication services may use each slice of spectrum.

For allocation purposes the ITU divides the world into three Regions. Region 1 covers Europe, Africa, the Middle East west of the Persian Gulf, and the former Soviet states. Region 2 covers the Americas, including Greenland. Region 3 covers most of Asia and Oceania. The Regions exist precisely because allocations differ between them: a band can be assigned to one service in the Americas and a different service in Europe, which is why the same physical radio may be legal on a channel in one Region and prohibited in another. The Radio Regulations are revised at the World Radiocommunication Conference (WRC), which convenes roughly every four years; recent and scheduled conferences include WRC-23, WRC-27, and WRC-31.

The ITU framework is a treaty, not a domestic statute. Each member state implements it through a national regulator that issues legally enforceable rules inside its own territory. In the United States that is the Federal Communications Commission (FCC). In Canada it is Innovation, Science and Economic Development Canada (ISED). In the United Kingdom it is Ofcom. Across Europe, technical standards are developed by the European Telecommunications Standards Institute (ETSI) and spectrum policy is harmonized through the European Conference of Postal and Telecommunications Administrations (CEPT) and its Electronic Communications Committee (ECC), while market access is governed by the EU Radio Equipment Directive. National regulators may deviate from the ITU table only to the extent that they cause no harmful interference to other member states operating in accordance with the Regulations.

The Federal Communications Commission is the independent United States agency that regulates interstate and international communications by radio, television, wire, satellite, and cable. For wireless work, its decisive function is engineering and equipment policy, handled by the Office of Engineering and Technology (OET). The OET writes the technical rules for radio devices, runs the laboratory and equipment-authorization program, assigns grantee codes, and maintains the public database of authorized equipment.

The rules that govern almost every Wi-Fi radio sold in the US live in Title 47 of the Code of Federal Regulations, Part 15 (47 CFR Part 15), titled Radio Frequency Devices. Part 15 sets the conditions under which radio-frequency devices may operate without an individual license, provided they meet specified technical limits and do not cause harmful interference. Part 15 sorts devices into three classes: unintentional radiators (digital circuitry that emits RF as a byproduct), incidental radiators (devices not designed to emit RF but that do), and intentional radiators (deliberate transmitters such as a Wi-Fi card or access point). The fundamental bargain of Part 15 is stated on every compliant label: the device may not cause harmful interference, and it must accept any interference received, including interference that may cause undesired operation.

Before an intentional radiator can be marketed in the US it must be authorized. The FCC operates two procedures, and the one that applies depends on the device class. Supplier's Declaration of Conformity (SDoC) is a self-declaration process used for unintentional radiators, where the responsible party tests the product and declares compliance without filing with the FCC. Certification is the more rigorous procedure required for intentional radiators, which is to say every Wi-Fi transmitter. Certification is performed by a Telecommunication Certification Body (TCB), an FCC-recognized third party that reviews test data produced by an accredited laboratory and issues the grant of authorization, which is then published in the FCC database.

A certified device must carry an FCC ID, the public identifier tying the physical product to its grant of authorization. The FCC ID has exactly two parts. The first is the grantee code, assigned permanently by the Commission to a single company. A grantee code that begins with a letter (A through Z) is three characters long; a grantee code that begins with a digit (2 through 9) is five characters long. To avoid visual ambiguity, the code does not use the digits 0 or 1. The second part is the product code, defined by the grantee itself to identify the specific product. Under 47 CFR 2.926 the product code consists of Arabic numerals, capital letters, and may include the dash or hyphen, with the total number of those characters not exceeding 14.

The practical value of the FCC ID is that it is a key into a public record. The official lookup is the FCC's OET Equipment Authorization (EAS) database, reachable from the FCC ID Search page; a widely used third-party mirror is fccid.io. Because the printed string does not mark where the grantee code ends, a search resolves the boundary and returns the grantee's identity, the equipment class, the tested frequency ranges, measured output power, internal and external photographs, the user manual, and the test reports filed for certification. For a field operator this turns any labeled radio into a documented capability profile.

Because allocations differ by Region and by country, products ship with a regulatory domain setting that constrains which channels and power levels the radio will use. The same access point sold worldwide gates its behavior on this setting, which is why a channel that is routine in one country may be disabled in another. Two quantities define the legal envelope: the channels (frequency) and the power. Power is usually expressed as EIRP, effective isotropic radiated power, which combines transmitter conducted power and antenna gain into the total a perfect omnidirectional antenna would need to match the signal; this is the number regulators cap, and it is why a higher-gain antenna forces a lower conducted power.

In the US, 5 GHz Wi-Fi is split into U-NII sub-bands. U-NII-1 spans 5.150 to 5.250 GHz, U-NII-2A spans 5.250 to 5.350 GHz, U-NII-2C spans 5.470 to 5.725 GHz, and U-NII-3 spans 5.725 to 5.850 GHz. The two middle blocks, U-NII-2A and U-NII-2C, share spectrum with weather, aviation, and military radar, so devices there must run Dynamic Frequency Selection (DFS): the radio listens for radar, and on detecting it must vacate the channel, typically within seconds, and stay off it. DFS is the reason a 5 GHz network can momentarily drop and re-home to a new channel.

The 6 GHz band added 1,200 MHz of spectrum (5.925 to 7.125 GHz) as U-NII-5 through U-NII-8. Rather than DFS, the FCC protects the band's incumbents (chiefly thousands of fixed microwave links) with Automated Frequency Coordination (AFC). Standard-power outdoor access points must query an AFC system with their location; the system returns the channels and power levels that are safe to use there. Lower-power categories, Low Power Indoor (LPI) and Very Low Power (VLP), are allowed across the band without AFC, at reduced power and under a contention-based protocol. Europe and the UK opened 6 GHz on a different, narrower footprint and under ETSI rules, a concrete example of why the regulatory domain, not the hardware, decides what is legal.

Operating a radio within Part 15 is a separate question from what you may lawfully do with the data a wireless deployment observes. Wi-Fi monitoring, probe-request logging, and captive-portal collection routinely gather identifiers and behavior that privacy statutes treat as protected, and the two largest regimes a field operator will encounter are the EU's GDPR and California's CCPA.

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, has applied across the EU since 25 May 2018. Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person," where an identifiable person is one who can be identified directly or indirectly, including by reference to an online identifier. Recital 30 makes the wireless connection explicit: natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses or radio frequency identification tags. The clear implication for wireless work is that device identifiers tied to a person, including IP addresses and the MAC-style identifiers a sniffer collects, are personal data when they can be linked to an individual. Article 4(2) defines processing broadly enough to cover essentially any handling of that data: collection, recording, storage, use, disclosure, or erasure, whether automated or not. GDPR therefore reaches the moment of capture, not just later analysis.

The California Consumer Privacy Act (CCPA) of 2018 took effect on 1 January 2020 and was amended by the California Privacy Rights Act (CPRA), whose changes became operative on 1 January 2023. The CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Like GDPR, that definition is broad enough to capture network identifiers, geolocation, and browsing activity collected over a wireless link. The two regimes differ in structure (GDPR is a comprehensive consent-and-lawful-basis framework; the CCPA is a consumer-rights and disclosure framework), but the operative lesson is the same: a Wi-Fi capture that can be tied to a person is regulated data, and lawful collection depends on authorization, scope, and jurisdiction, not on whether the radio itself is Part 15 compliant. Treat the radio rules and the data rules as two independent gates that both must be cleared.

• ITU-R, Managing the radio-frequency spectrum for the world: https://www.itu.int/en/mediacentre/backgrounders/Pages/itu-r-managing-the-radio-frequency-spectrum-for-the-world.aspx
• ITU Radio Regulations (Article 5, Table of Frequency Allocations): https://www.itu.int/pub/R-REG-RR
• FCC, Equipment Authorization (OET Laboratory Division): https://www.fcc.gov/engineering-technology/laboratory-division/general/equipment-authorization
• FCC, Equipment Authorization Procedures: https://www.fcc.gov/general/equipment-authorization-procedures
• FCC, Grantee Code: https://www.fcc.gov/oet/ea/granteecode
• FCC, FCC ID Search: https://www.fcc.gov/oet/ea/fccid
• 47 CFR 2.926, FCC identifier (Cornell Legal Information Institute): https://www.law.cornell.edu/cfr/text/47/2.926
• eCFR, 47 CFR Part 15, Radio Frequency Devices: https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-15
• eCFR, 47 CFR Part 15 Subpart E, U-NII Devices: https://www.ecfr.gov/current/title-47/chapter-I/subchapter-A/part-15/subpart-E
• ISED Canada, RSS-247, Digital Transmission Systems and Licence-Exempt LAN Devices: https://ised-isde.canada.ca/site/spectrum-management-telecommunications/en/devices-and-equipment/radio-equipment-standards/radio-standards-specifications-rss/rss-247-digital-transmission-systems-dtss-frequency-hopping-systems-fhss-and-licence-exempt-local
• Ofcom, Rules on using radio equipment: https://www.ofcom.org.uk/spectrum/rules
• ETSI EN 301 893 (5 GHz RLAN harmonised standard): https://www.etsi.org/deliver/etsi_en/301800_301899/301893/02.02.01_60/en_301893v020201p.pdf
• ETSI EN 300 328 (2.4 GHz wideband transmission harmonised standard): https://www.etsi.org/deliver/etsi_en/300300_300399/300328/02.02.02_60/en_300328v020202p.pdf
• EUR-Lex, Regulation (EU) 2016/679 (GDPR) full text: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
• GDPR Article 4, Definitions: https://gdpr-info.eu/art-4-gdpr/
• GDPR Recital 30, Online identifiers for profiling and identification: https://gdpr-info.eu/recitals/no-30/
• California Office of the Attorney General, California Consumer Privacy Act (CCPA): https://oag.ca.gov/privacy/ccpa
• California Privacy Protection Agency, CCPA statute text: https://cppa.ca.gov/regulations/pdf/ccpa_statute.pdf