FCC fines the three major carriers $200 million
The Federal Communications Commission has levied fines of $200 million against the three national operators, saying that AT&T, T-Mobile US and Verizon illegally provided access to customers’ location information without end-users’ consent or sufficient safeguards.
AT&T faces a forfeiture of more than $57 million. Verizon is being fined nearly $47 million. T-Mobile US faces fines of more than $80 million, plus more than $12 million against Sprint, since the two carriers have merged since the violations allegedly occurred.
The matter first surfaced in the spring of 2018, when security researchers found that third-party companies such as LocationSmart were sourcing real-time location data from mobile network operators and selling it to non-law-enforcement agencies or individuals, and that related website hacks meant such information could be accessed for free. Press reports from Motherboard in January 2019 highlighted the use of this data to locate individual phones for as little as $300. The FCC ultimately undertook an investigation as a result, with former FCC Chairman Ajit Pai pushing the matter forward in 2020. Each of the carriers was accused of disclosing their customers’ location information, without their consent, to a third party who wasn’t authorized to receive it — and dragging their feet on shutting down that access once the problem became clear.Â
Current FCC Chairwoman Jessica Rosenworcel led another, related investigation in 2022 that more broadly explored how carriers use customer location data. In 2023, the she established the FCC’s Privacy and Data Protection Task Force which is focused on coordinating the agency’s actions in terms of enforcement, rulemakings and public awareness on privacy and data protection, as well as data breaches and vulnerabilities.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said Rosenworcel. “As we resolve these cases – which were first proposed by the last Administration – the Commission remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data.”
The two Republican members of the Commission dissented from the decision. Commissioner Brendan Carr noted that after the location-based services (LBS) data issues came to light, the carriers all ended their LBS programs—so the fines don’t address an ongoing carrier practice, and he also argued that the issue should have been handled by the Federal Trade Commission rather than the FCC. Carr had previously voted in support of forfeitures and said that he had done so so that the matter would be fully investigated, but he said that his current dissent was based on the amount and reasoning behind the fines exceeded FCC authority.
Commissioner Nathan Simington also took issue with the FCC’s approach to determining the fines in the context of its authority and the regulatory message it sent.
“Let us not forget that, at every moment, any of thousands of unregulated apps may pull GPS location information, Wi-Fi and Bluetooth signal strength, and other fragments of data indicating location from customer handsets at every moment the device is on. Indeed, this can be, and routinely is, accomplished even without consumer permission,” Simington commented. “By sending a strong market signal that any alleged violation of Commission rules regarding [Customer Proprietary Network Information or CPNI] safekeeping (whether or not the rules actually were violated) can and will result in an outsize fine, we have effectively choked off one of the only ways that valid and legal users of consent-based location data services had to access location data for which legal safeguards and oversight actually exist.
“It was available for the Commission to work with the carriers to issue consent decrees to promote best practices to develop further safeguards around location-based and aggregation services, and to actively monitor ongoing compliance in an effort to vouchsafe a regulated means of consensually sharing handset location data with legitimate users of the same,” he pointed out. “We opt, instead, to appear ‘tough on crime’ in a way that actually reduces consumer data privacy by pushing legitimate users of location data toward unregulated data brokerage.”
