The Federal Communications Commission (FCC) is fining the country’s largest wireless carriers a combined $196 million for illegally selling the location data of customers to third parties in a case that dates back to 2020.
In announcing the fines this week, the FCC said that Verizon, AT&T, T-Mobile, and Verizon sold the data to aggregators – also called data brokers – who then sold access to the data to location-based service providers. T-Mobile and Verizon merged in a $26 billion deal in 2020 after the commission opened its investigation.
“Our communications providers have access to some of the most sensitive information about us,” FCC Chairwoman Jessica Rosenworcel said in a statement. “These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are.”
AT&T was hit with a fine of more than $57 million, while Verizon was fined almost $47 million, according to the agency. The combined T-Mobile and Sprint were fined a total of more than $92 million, with $80 million of that being laid on T-Mobile. All three carriers said they disagreed with the penalties and plan to appeal.
Though the case against the carriers was opened during the previous presidential administration, the action by the FCC this week was only the latest in an increasingly aggressive push by the Biden Administration – not only through the FCC, but also other agencies like the Federal Trade Commission (FTC) – to punish companies that sell or license individuals’ private data without first getting their consent.
This has included not only companies that store such data of their customers, but also data brokers that aggregate sensitive information and then sell it to third parties without the customers’ OK. The administration has argued that it is not only a violation of a person’s right to privacy but can also be a national security risk.
“The protection and use of sensitive personal data such as location information is sacrosanct,” said Loyaan Egal, chief of the FCC’s Enforcement Bureau and chair of its Privacy and Data Protection Task Force. “When placed in the wrong hands or used for nefarious purposes, it puts all of us at risk. Foreign adversaries and cybercriminals have prioritized getting their hands on this information, and that is why ensuring service providers have reasonable protections in place to safeguard customer location data and valid consent for its use is of the highest priority for the Enforcement Bureau.”
According to the FCC, the behavior of the wireless carriers was particularly egregious. All of the providers tried to place the responsibility of gaining customer consent onto others downstream who were receiving the data.
“This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access,” the FCC wrote.
Federal law requires the carriers themselves to protect customer information, including location data, to protect the confidentiality of customers’ information, and to get the expressed consent of customers before disclosing or giving access to the information to others. That includes when they share data with third parties.
The case was opened after public reports surfaced that customer location data was being used by a Missouri sheriff, Cory Hutcheson, to track people via Securus, a location-finding service that provided communications services to correctional facilities. Hutcheson in 2019 was convicted of wire fraud and identity theft and sentenced to six months in prison. The FCC’s Rosenworcel wrote in the orders against the carriers that the data ended up in the possession of bail bond companies, bounty hunters, and “other shady actors.”
Even after the carriers were made aware of how the information was being used, they continued with their practices without putting in safeguards to protect the data and to get customer consent, according to the FCC.
“Our smartphones are always with us, and as a result these devices know where we are at any given moment,” Rosenworcel wrote. “This geolocation data is especially sensitive. It is a reflection of who we are and where we go. In the wrong hands, it can provide those who wish to do us harm the ability to locate us with pinpoint accuracy. That is exactly what happened when news reports revealed that the largest wireless carriers in the country were selling our real-time location information to data aggregators.”
Two FCC commissioners, Brendan Carr and Nathan Simington, disagreed with the agency’s actions, with Carr writing in his dissenting statement that the case should have been given to the FTC, given that it fell outside of the FCC’s purview, adding that the “eye-popping” fines of almost $200 million are “inconsistent with the law and basic fairness.”
For his part, Simington argued that the FCC decided on such high fines after breaking down single acts into their smaller components and arbitrarily placing a fine on each one. In addition, such a punishment will lead legitimate location data services to steer away from highly regulated carriers and instead turn to unregulated apps that pull in similar location data.
The FTC in recent months has aggressively pursued cases of data brokers selling geolocation data without consent. In a two-week span in January, the agency banned aggregators OutLogic and InMarket from selling or sharing such data with third parties.
In addition, the FCC is considering putting rules in place to protect survivors of domestic violence from being stalked by their abusers through real-time location and other connectivity services in their cars.