FCC fines carriers $196 million for selling customer location data

T-Mobile, Verizon and AT&T have been fined a collective $196 million for illegally sharing access to consumers’ location data without obtaining their consent, the Federal Communications Commission (FCC) announced Monday.

The agency said the telecom giants also failed to take “reasonable measures” to safeguard customers’ location information so that it would not be disclosed without their authorization. 

Verizon has been fined nearly $47 million, AT&T more than $57 million, T-Mobile more than $80 million and Sprint more than $12 million for its practices prior to being acquired by T-Mobile in April 2020.

The four wireless companies were caught peddling customers’ location data to so-called aggregators who then resold the information to third-party data brokers, the FCC said.

“Each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” the agency said in a press release.  

It added that when the carriers realized their procedures weren’t working, they did not stop selling access to the location information and did not sufficiently guard it from further unauthorized access.

A spokesperson for AT&T condemned the agency’s action and said it would appeal the decision in a statement.

“The FCC order lacks both legal and factual merit,” the statement said. 

“It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged,” the spokesperson said.

A Verizon spokesperson also said in a statement that the FCC got its facts wrong and it intends to appeal. 

The company is “deeply committed to protecting customer privacy. In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn't happen again.”

T-Mobile also intends to challenge the decision, it said in a statement. 

“We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive,” it said.

All three companies pointed out the program the FCC has fined them for ended about five years ago.

Monday’s action took too long, said Chris Frascella, counsel at the Electronic Privacy Information Center. 

"We commend the FCC for finally penalizing wireless carriers for illegally disclosing their customers' location information, but it should not have taken more than four years,” he said via email. “The FCC needs to strengthen its protection of subscriber location data, particularly in the absence of a federal comprehensive privacy law."

Privacy hawk Sen. Ron Wyden (D-OR) first discovered what the carriers were doing in 2018, revealing at the time that a government contractor who bought the data even created what a Wyden press release called a “self-service website,” which allowed government officials to obtain the location data of any phone in the U.S. and do so without a court order. 

That website was abused by a Missouri sheriff who relied on it to track judges, as well as a U.S. marshal who used it to track previous love interests and their spouses, the Wyden release said.

More than 250 bounty hunters also obtained the location information from data brokers, it added.

“No one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card,” Wyden said in a statement. 

The carriers knew about the sheriff’s abuses and still did not change their practices, the FCC release said. 

The telecom companies’ practices violated section 222 of the federal Communications Act, the FCC said, citing the law’s requirement that firms keep customer information confidential and obtain affirmative consent before using, sharing, or allowing outsiders to access customer location data information. 

“These obligations apply equally when carriers share customer information with third parties,” the FCC release said.

Monday’s action finalizes a February 2020 notice of apparent liability the agency had issued against the carriers.