WASHINGTON, April 29, 2024 – The Federal Communications Commission on Monday fined the major wireless carriers more than $200 million combined for unlawfully sharing access to customers’ location information without consent and without taking reasonable steps to shield that information against unauthorized disclosure.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said FCC Chairwoman Jessica Rosenworcel.
The FCC’s Enforcement Bureau fined T-Mobile $103 million, AT&T $57 million, Verizon $47 million, bringing the total to $207 million. T-Mobile’s liability includes a $12 million fine against Sprint, which T-Mobile acquired in 2020.
T-Mobile, AT&T, and Verizon issued statement saying they expect to appeal the fines.
The FCC said the law, including section 222 of the Communications Act, requires carriers to take reasonable measures to protect certain customer information, including location information.
Both FCC Republican Commissioners, Brendan Carr and Nathan Simington, issued dissents.
Carr, who conditionally supported the fines in 2020, asserted that the Federal Trade Commission should have led the investigation given the FCC’s limited jurisdiction over privacy.
“The services at issue in these cases plainly fall outside the scope of the FCC’s Section 222 authority,” Carr said.
Carr said the agency failed to provide advance notice of the new legal duties expected of carriers and retroactively announced “eye-popping forfeitures totaling nearly $200 [million]. These actions are inconsistent with the law and basic fairness. The FCC has reached beyond its authority in these cases.”
Simington’s statement said the FCC’s “tough on crime” stance “actually reduces consumer data privacy by pushing legitimate users of location data toward unregulated data brokerage.”
During its investigation begun more than four years ago, the FCC said it found that the four carriers sold access to customers’ location information to aggregators. The aggregators resold access to the data to third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” the FCC said in a press release.
The FCC added that carriers, after becoming aware that their safeguards were ineffective, “continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
Enforcement Bureau Chief Loyaan A. Egal said the safeguarding of location data was essential because foreign adversaries and cybercriminals have made getting access to the sensitive data a priority.
“The protection and use of sensitive personal data such as location information is sacrosanct,” Egal said.
The carriers’ statements indicated that their location tracking programs were related to preventing disruption to such services as roadside assistance, fraud protection and emergency response capabilities.
In a statement, T-Mobile said it relied on an “industry-wide third-party aggregator location-based services program” that was stopped five years ago. “We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it.” the company said.
AT&T said the FCC’s decision was meritless. “It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged,” AT&T said.
In a statement, Verizon spokesman Rich Young said the problem stemmed from “one bad actor” who “gained unauthorized access to information relating to a very small number of customers.” Young added, “We quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn’t happen again.”
Verizon, he said, believes “the FCC’s order gets it wrong on both the facts and the law, and we plan to appeal this decision.”
CTIA, the wireless trade association with AT&T, Verizon, and T-Mobile as members, issued a statement faulting the FCC’s analysis and unwillingness to engage with the companies on how to run their programs consistent with agency policy.
“The FCC’s action today demonstrates why Congress must examine the FCC’s broken enforcement process,” CTIA said.