Consumers can now file privacy-related concerns or complaints with the FCC
The Federal Communications Commission is launching a new investigation into how mobile network operators use subscribers’ geolocation data. Chairwoman Jessica Rosenworcel also sent a letter to the top 15 largest mobile network operators and MVNOs, asking a series of questions about how they collect, store and use that type of subscriber data, and has shared the responses.
“Our mobile phones know a lot about us. That means carriers know who we are, who we call, and where we are at any given moment. This information and geolocation data is really sensitive. It’s a record of where we’ve been and who we are. That’s why the FCC is taking steps to ensure this data is protected,” Rosenworcel said in a statement, adding, “I’m publishing the responses I received from mobile carriers on how they handle
geolocation data to help shed light on this issue for consumers. Additionally, I have asked the Enforcement Bureau to launch a new investigation into mobile carriers’ compliance with FCC rules that require carriers to fully disclose to consumers how they are using and sharing geolocation data.”
The FCC has also now added the option for consumers to file privacy-related complaints and concerns directly with the agency’s Consumer Complain Center.
Rosenworcel had asked each of the operators questions along the lines of: What geolocation data do you collect and retain, and why; how long do you keep that data, where it is stored and how the data collection policies and any available opt-outs are communicated to customers. Most of the carrier responses were very similar: They claim to be upfront and transparent with consumers about what data will be collected and how it will be used, to offer choice and to be very concerned about whether their customers trust them with their data. How long do carriers keep that data? Some hedged their responses, such as Verizon saying that the data was kept for “the period for which it is needed for business purposes”, while T-Mobile US stated that while some data was only stored briefly, other network and geolocation data (particularly that related to emergency calls) was stored for two years. (More detail in the operators’ responses, here.) They also all made it clear that, as per applicable laws, they do provide location and other information to law enforcement when agencies ask for it. It plays out a bit differently for MVNOs, with, for example, Dish Network (which has most of its operations still functioning as an MVNO as it works on its facilities-based network), saying that it doesn’t have to access to or collect underlying network location data for its MVNO-served customers and that on its own network, it only collects and stores such information for network optimization purposes.
But the extent to which operators actually live up to those claims, as well as what loopholes they leave themselves, is certainly debatable. Some information is crucial and efforts are underway to improve it accuracy—such as the location of mobile 911 callers. Still, more often than not, consumers face the reality that in order to use a mobile service, they must give up most control over their personal information—particularly the extent to which their information is used for marketing—in order to do so. The Washington Post published a piece earlier this month on how subscribers’ information (including, at times, their location) is typically used for targeted advertising by carriers and third parties, and how to opt out to the extent possible (your carrier can still use your information to market to you, the piece states).
Wireless operators don’t have a particularly stellar track record in this area, either. In 2020, under the Trump administration and former FCC Chairman Ajit Pai, all four (at the time) national wireless operators faced fines due to unauthorized release and sale of subscriber geolocation information, after security researchers and individual reporters discovered that a mobile phone could be tracked and located by anyone, via network information obtained by information aggregators, for as little $300. Each of the carriers was accused of disclosing their customers’ location information, without their consent, to a third party who wasn’t authorized to receive it — and dragging their feet on shutting down that access once the problem became clear.Â
At the time, the FCC outlined a system in which there were layers of shifted responsibility and indirect relationships that allowed carriers to sell their customers’ location-based information to aggregators while also shifting the responsibility for getting consent from those customers for access to their location information—first to the aggregators, then the aggregators further shifted that responsibility to get consent to location-based services providers, some of whom didn’t have direct relationships with the carrier(s).
Verizon and AT&T took specific pains in their responses to Rosenworcel to point out that they had ended their relationships with/practice of selling geolocation data to third parties, and T-Mobile US says that its “practice is not to sell geolocation data to third parties.”