FCC launches investigation into mobile carriers’ geolocation data practices
Image: The Record
Andrea Peterson August 26, 2022

FCC launches investigation into mobile carriers’ geolocation data practices

FCC launches investigation into mobile carriers’ geolocation data practices

The Federal Communication Commission on Thursday shared responses from mobile carriers to a probe of how they handle geolocation data and announced a new investigation into carrier compliance with agency rules about disclosing how such data is stored and shared. 

“Our mobile phones know a lot about us. That means carriers know who we are, who we call, and where we are at any given moment,” FCC Chairwoman Jessica Rosenworcel said in a press release. “That’s why the FCC is taking steps to ensure this data is protected.”

The agency sent inquiries to 15 carriers, including AT&T, T-Mobile, Verizon, Google-Fi and others in July asking them to spell out their policies around geolocation data, including how long information was retained, as well as how and why it might be shared with third parties. 

The agency requires mobile companies to get consumer consent for sharing information, unless such sharing is necessary to complete a service or required by law. 

In 2020, the agency proposed more than $200 million in still pending fines for major carriers for selling user location data without consent or appropriate safeguards. Rosenworcel tasked the FCC’s Enforcement Bureau with the new investigation into the companies’ compliance with rules requiring them “to fully disclose to consumers how they are using and sharing geolocation data.” 

Justin Brookman, head of tech policy at Consumer Reports, praised the decision to make carriers’ responses public. 

“The quality and specificity of answers definitely ranges among the respondents, but there’s some interesting, concrete information in there, especially on data retention periods,” he said.

In some cases, the responses referred back to dense, publicly available privacy policies. Others answered questions directly point by point.  

However, that transparency isn’t enough, according to Brookman.

“People have no choice but to share very sensitive data like geolocation with mobile carriers just for those products to work. There should be substantive constraints on what they do with that information and for how long they keep it,” Brookman said. 

Public Knowledge Vice President Harold Feld also called for regulatory action, saying the FCC should “set new rules of the road” for mobile subscribers’ privacy. 

”These letters show that, despite the constant invocation of carriers of ‘industry standards’ and ‘best practices,’ carrier geolocation data practices are all over the map,” Feld said.

For example, the length of time carriers retained location data — determined by proximity to cellular towers — ranged widely, and was as long as five years at AT&T. 

Although the FCC ceded control over broadband privacy during the previous administration, it still has substantive regulatory authority over phone providers. However, that authority would be curtailed were a bipartisan privacy bill currently being considered by Congress to pass. 

The bill would also generally preempt state-level privacy laws — some of which provide stronger protections than the proposed federal standards. California in particular has rolled out its own data privacy enforcement regime, and carrier responses to the FCC probe highlight how it has affected practices. 

For example, UScellular told the agency that California subscribers may opt out of data retention due to compliance with the state’s privacy regulation, although others may not ”because the retention of such data is important for network management and other business purposes.”

Charter’s response also noted that it had a specific webform and toll-free number for current or former subscribers who are California residents to request to delete personal data the company collected. 

Jonathan Greig contributed reporting to this story.

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.