The FCC fined the nation’s largest wireless carriers for sharing access to customer location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure. Sprint and T-Mobile (NASDAQ: TMUS) have merged since the fines were proposed in February 2020. Their penalties are more than $12 million and $80 million, respectively. AT&T (NYSE: T) is fined more than $57 million, and Verizon (NYSE: VZ) is charged nearly $47 million.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said FCC Chairwoman Jessica Rosenworcel. “As we resolve these cases – which were first proposed by the last Administration – the Commission remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data.”
The FCC Enforcement Bureau investigations of the four carriers found that each telecom sold access to its customers’ location information to “aggregators.” They, in turn, resold access to such information to third-party location-based service providers. The bureau says each carrier tried to offload its obligations to obtain customer consent onto downstream recipients of location information. In many instances that meant no valid customer consent was obtained. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access,” said the bureau.
Under section 222 of the Communications Act, carriers are required to take reasonable measures to protect certain customer information, including location information. Carriers are also required to maintain the confidentiality of such customer information and to obtain affirmative, express customer consent before using, disclosing, or allowing access to such information. These obligations apply equally when carriers share customer information with third parties.
“The protection and use of sensitive personal data such as location information is sacrosanct,” said Enforcement Bureau Chief Loyaan Egal. “When placed in the wrong hands or used for nefarious purposes, it puts all of us at risk. Foreign adversaries and cybercriminals have prioritized getting their hands on this information, and that is why ensuring service providers have reasonable protections in place to safeguard customer location data and valid consent for its use is of the highest priority for the Enforcement Bureau.”
“After touting the potential of location-based services to provide benefits like roadside assistance and emergency medical alerts, the FCC refused CTIA’s request for guidance on how providers should run those programs, and is now penalizing providers for facilitating them,” said CTIA SVP/Chief Communications Officer Nick Ludlum. “And its calculation of fines relies on an unlawful methodology. The FCC’s action demonstrates why Congress must examine the FCC’s broken enforcement process.”
Republicans on the Commission dissented from the majority. Commissioner Brendan Carr said, “These actions are inconsistent with the law and basic fairness. The FCC has reached beyond its authority in these cases.” Commissioner Nathan Simington said: “We opt, instead, to appear ‘tough on crime’ in a way that actually reduces consumer data privacy by pushing legitimate users of location data toward unregulated data brokerage.”
The investigations that led to Monday’s fines began following public reports that customers’ location information was being disclosed by the carriers without customer consent or other legal authorization to a Missouri Sheriff through a “location-finding service” operated by a company that provides communications services to correctional facilities, to track the location of individuals. The FCC said after being made aware of this unauthorized access, all four carriers continued to operate their programs without putting in place reasonable safeguards to ensure that location-based service providers with access to their customers’ location information were really receiving customer consent.
The Forfeiture Orders finalize Notices of Apparent Liability (NAL) issued against these carriers in February 2020. The fine amount for AT&T and Sprint are unchanged since the original NAL was proposed. Both the T-Mobile and Verizon fines were reduced after the bureau reviewed the carriers’ submissions in response to the NALs. The law does not permit forfeiture amounts for specified violations to escalate after an NAL is issued.
By Leslie Stimson, Inside Towers Washington Bureau Chief
Reader Interactions