FCC takes $200 million bite out of wireless carriers for sharing location data

The Federal Communications Commission levied nearly $200 million in fines against four telecommunications giants Monday following an agency investigation that concluded the companies had sold location data of customers without their consent.

The penalties include $80 million in fines for T-Mobile, $57 million for AT&T, $46 million for Verizon and $12 million for Sprint.

Monday’s fines against the carriers come as policymakers in Washington are increasingly grappling with how to rein in the collection and sale of Americans’ sensitive data by so-called data brokers. The telecommunications firms targeted by the FCC are not out and out data brokers, but their access to and decision to sell sensitive data is representative of how sensitive information has become yet another commodity to be bought and sold. 

“These carriers failed to protect the information entrusted to them,” FCC Chairwoman Jessica Rosenworcel said in a statement. “Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are.”

The FCC is fining the companies for violating provisions of the Communications Act that require carriers to take “every reasonable precaution” to protect the confidentiality of customer network proprietary information, including location data.

Since 2007, federal regulations have required wireless carriers to get explicit consent of customers to opt-in to such data-sharing arrangements, but an FCC investigation found that in many cases, the four carriers had effectively outsourced that requirement to the companies who bought the data.

All four companies had programs in place until at least 2019 that sold access to the location data of customers to two data aggregators, LocationSmart and Zumigo. Those companies in turn sold that data to dozens of different third-party location-based service providers and other businesses.

Instead of seeking to gain direct consent from customers to opt-in to sharing their location, the carriers effectively outsourced the job to the companies they were selling the data to, passing that obligation down to location-based service providers through their own contracts. The FCC determined that this was insufficient to comply with federal requirements and that “contractual safeguards between a carrier and such a third party do not obviate the need for explicit customer consent.”

Internal audits of the customer data-sharing program by AT&T identified numerous cases where the aggregators who purchased data failed to follow the carrier’s information security requirements, as well as problems with record keeping and “completeness” of subscriber consent practices. The details of three additional audits were not shared with regulators.

Sprint claimed to have a similar auditing program in place to ensure that the aggregators that bought customer location data met security and privacy requirements, but the FCC stated there was no evidence that audits were actually conducted prior to 2018 — the same year a New York Times investigation revealed how a Missouri sheriff used data sold by the carriers to track the location of a judge and state law enforcement officers, spurring a broader inquiry by the FCC.  

Spokespeople for the companies that were fined sharply criticized the FCC’s decision to levy penalties against them.

AT&T spokesperson Alexander Byers said in a statement that the FCC order “lacks both legal and factual merit” and the company expects to appeal after a legal review.

“It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged.” 

An unnamed T-Mobile spokesperson said in an emailed statement that the company halted sales of location-data to third-party aggregators five years ago and that the company intends to challenge the decision.

“We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive.”

Verizon spokesperson Rich Young said the company’s program selling location based data has also been discontinued for half a decade and was “intended to support services like roadside assistance and medical alerts.”

“In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn’t happen again,” said Young in an email. “Unfortunately, the FCC’s order gets it wrong on both the facts and the law, and we plan to appeal this decision.”

Updated April 29, 2024: This article has been updated with statements from AT&T, T-Mobile and Verizon.