The Federal Communications Commission (FCC) has fined major wireless carriers, including AT&T, Sprint, T-Mobile, and Verizon, nearly $200 million for illegally sharing customers" location data without consent and failing to protect this sensitive information adequately. The fines were imposed due to the carriers selling access to location data to aggregators, who later resold it to third-party service providers without obtaining valid customer consent.
The carriers have been found in violation of federal law, which requires them to safeguard customer information and obtain explicit consent before sharing it. Sprint and T-Mobile, which have merged since the investigation started, are fined over $12 million and $80 million, respectively. AT&T faces a fine exceeding $57 million, while Verizon is fined nearly $47 million.
FCC Chairwoman Jessica Rosenworcel said:
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are.
As we resolve these cases – which were first proposed by the last Administration – the Commission remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data.”
The FCC Enforcement Bureau investigations revealed that the four carriers sold access to customers" location data to "aggregators", who then resold it to third-party service providers. This practice allowed the carriers to shift the responsibility of obtaining consent onto downstream recipients, leading to instances where no valid customer consent was obtained. The FCC says that even after realizing that their safeguards were ineffective, the carriers continued to sell access to location information without implementing adequate measures to protect it from unauthorized access.
According to section 222 of the Communications Act, carriers are mandated to take reasonable measures to safeguard customer information, including location data. They are required to maintain the confidentiality of such information and must obtain explicit customer consent before disclosing or allowing access to it.
This includes situations where data is being shared with third parties, like in this case.
Despite the fines, the carriers plan to appeal the decision, arguing that the penalties are excessive and lack legal merit.