FCC Fines Wireless Carriers for Mishandling Customer Location Data

The Federal Communications Commission is doling out almost $200 million in fines to the largest mobile carriers in the U.S. for giving customers’ location information to unauthorized third parties.

The FCC is fining T-Mobile, Sprint, AT&T and Verizon for selling customer location data to information location aggregators, which then resold the data to other third parties. According to the FCC, many of these third parties had not obtained valid customer consent. The FCC stated that the offending wireless carriers "attempted to offload [their] obligations to obtain customer consent onto downstream recipients of location information."

FCC Fines Wireless Carriers

The four companies received notices of apparent liability from the FCC in 2020, in which the agency said it intended to fine them. Following a lengthy review of the charges, the FCC issued forfeiture orders to all four companies on Monday.

T-Mobile's tab added up to $80 million, not including the $12 million that now-acquired Sprint tallied in fines. T-Mobile managed to get more than $11.5 million knocked off its fine since 2020, after demonstrating that a smaller number of continuing violations had occurred in its location-based services (LBS) program.

AT&T and Verizon are paying fines of $57 million and $47 million, respectively. The Commission noted that it reduced Verizon's fine by more than $1.4 million after Verizon demonstrated that two of the companies it sold location data to did not actually participate its LBS.

What the Carriers Did

The forfeiture orders indicate that all four carriers were working with aggregators, which bought and resold customer location data. All of the carriers used LocationSmart and Zumigo, as well as dozens of others.

The carriers' LBS programs came under scrutiny when the New York Times reported on illegal location tracking by a Missouri sheriff. He had pulled data from Securus, a communications platform prisons use for inmates' phone and video calls. Securus ran LBS software using customer location data from the wireless carriers. The sheriff illegally pulled data from Securus software to spy on multiple people. Moreover, the FCC learned that the carriers automatically registered these information requests as "approved use cases."

The FCC said the carriers failed to implement reasonable safeguards following the 2018 article.

FCC Commissioner Brendan Carr dissented from the forfeiture orders, although he had voted in favor of the notices of apparent liability in 2020. He argued for the federal trade commission (FTC) to be the agency to enforce the findings of the FCC.

"FCC orders rest on a newfound definition of customer proprietary network information (CPNI) that finds no support in the Communications Act or FCC precedent," Carr wrote. "And without providing advance notice of the new legal duties expected of carriers (to the extent we could adopt those new duties at all), the FCC retroactively announces eye-popping forfeitures totaling nearly $200 million."

FCC Chairwoman Jessica Rosenworcel said the carriers "failed" to protect customer information.

FCC's Jessica Rosenworcel

"Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” Rosenworcel said. “As we resolve these cases – which were first proposed by the last administration – the Commission remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data."

The FCC is on a bit of a roll, having last week restored net neutrality and banned Chinese broadband providers.