-
The FCC said carriers sold access to location data to third parties without customer consent
-
Investigations started years ago after media reports of data being sold
-
AT&T, T-Mobile and Verizon each released statements saying they plan to appeal
The FCC announced Monday that it’s fining AT&T, T-Mobile and Verizon for illegally sharing access to customers’ location information without consent and without taking "reasonable measures" to protect the data from unauthorized disclosure.
The fines are related to media reports and investigations going back to at least 2018. The FCC issued Notices of Apparent Liability (NAL) against the carriers in February 2020.
The biggest fine – $80 million – is levied against T-Mobile. AT&T’s fine is more than $57 million, and Verizon’s fine is almost $47 million. The FCC also fined Sprint, which was acquired by T-Mobile in 2020, more than $12 million.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them," FCC Chairwoman Jessica Rosenworcel said in a statement.
Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” Rosenworcel said.
The agency said the investigations that led to the fines started after public reports that customers’ location information was being shared with a Missouri sheriff through a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, to track the location of individuals.
Carriers react
All three of the biggest carriers said they plan to appeal the fines.
AT&T said the FCC order lacks both legal and factual merit. “It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged,” AT&T said in a statement.
“Verizon is deeply committed to protecting customer privacy. In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn't happen again. Unfortunately, the FCC’s order gets it wrong on both the facts and the law, and we plan to appeal this decision,” said Verizon spokesman Rich Young.
“Keep in mind, the FCC's order concerns an old program that Verizon shut down more than half a decade ago. That program required affirmative, opt-in customer consent and was intended to support services like roadside assistance and medical alerts,” Young added.
In its statement, T-Mobile said: "This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted. We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive."
Others weigh in
Both Republican commissioners issued separate statements of dissent. Commissioner Brendan Carr said the Federal Trade Commission (FTC), not the FCC, was the right entity to take enforcement action if the FTC deemed one was warranted. Commissioner Nathan Simington said the FCC here opts to appear “tough on crime” in a way that “actually reduces consumer data privacy by pushing legitimate users of location data toward unregulated data brokerage."
Others see the fines as further evidence of the need for net neutrality rules.
“This fine on mobile carriers who violated their obligation not to share sensitive customer location data is a timely reminder of why it is so essential for the FCC to have its full Title II authority restored, not just for the sake of open internet rules, but also to hold ISPs accountable for consumer protection more broadly,” said Michael Calabrese, director of the Wireless Future Project at New America’s Open Technology Institute, in a statement.
“There is no better tracker of personal location than our smartphones, and so it is essential that the FCC strictly enforce carrier obligations to both keep that information private and not abuse it for commercial purposes,” he concluded.