The FCC has imposed fines totaling $196 million on T-Mobile, AT&T, and Verizon for unauthorized sales of customer location data, sparking debates over privacy.
The Federal Communications Commission (FCC) has finalized a series of penalties totaling $196 million against major U.S. wireless carriers for the illicit sale of customer location data. The fines have been imposed on T-Mobile, AT&T, and Verizon for their unauthorized sharing of sensitive customer information without consent and inadequate measures to protect it.
In a statement released today, the FCC outlined the penalties: $80.1 million for T-Mobile, $57.3 million for AT&T, and $46.9 million for Verizon. Additionally, T-Mobile is responsible for a $12.2 million fine initially levied on Sprint, which T-Mobile acquired subsequent to the proposed penalties.
The FCC's Enforcement Bureau investigations found that each carrier sold access to customer location data to "aggregators," who subsequently resold the information to third-party service providers. Carriers were accused of shifting the responsibility of obtaining customer consent to these third parties, often resulting in no valid consent being acquired. The investigations also highlighted that carriers continued to sell this information without adequate safeguards even after acknowledging the ineffectiveness of their existing protections.
The issue was first exposed in 2018 when location data was reportedly used without consent to track individuals for a Missouri Sheriff through a service operated by Securus. FCC Chairwoman Jessica Rosenworcel stated, "This ugly practice violates the law—specifically Section 222 of the Communications Act, which protects the privacy of consumer data."
All three carriers have announced their intentions to appeal the fines. T-Mobile, in a statement to Ars, emphasized that the data-sharing programs had been discontinued over five years ago and that it intended to challenge the "excessive" fine. AT&T and Verizon also signaled plans to appeal, citing immediate actions taken to rectify contractual breaches and the support of critical services that relied on location data.
The FCC's decision, which was delayed by previous partisan deadlock, came as a 3-2 vote with Republicans Brendan Carr and Nathan Simington dissenting. The Republicans argued that the fines might dissuade legal use of consent-based location data services and criticized the retroactive application of liability.
Commissioner Carr specifically contended that the FCC had not previously classified non-call location information as Customer Proprietary Network Information (CPNI) and questioned the FCC's authority to impose liability for such data.
Despite the carriers' objections, the FCC maintains that phone location data falls within the definition of CPNI as outlined in the Communications Act. The orders reinforce the message that carriers are obligated to safeguard customer geolocation information, a stance reinforced by Rosenworcel's statement on following through with the fines initially proposed by the previous administration.