FCC fines major wireless carriers $200M for illegally selling customer location data

The Federal Communications Commission on Monday said it fined the largest U.S. wireless carriers $200 million on grounds that the companies sold their customers’ location data to third parties without consent while not taking steps to protect that info from security compromises.

The fines hit Sprint and T-Mobile — which merged in 2020 after the agency’s initial investigation began — some $12 million and $80 million, respectively, while AT&T and Verizon were respectively fined over $57 million and nearly $47 million.

The agency’s enforcement arm said the providers sold customer location info to data brokers, who then resold that packaged data to third-party service providers who use location information for profit-making purposes. The carriers circumvented their obligation to protect customer location data and broke rules that barred them from selling off that data without first getting permission from their users, the FCC said.

“This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access,” the agency said in a statement.

Communications laws require wireless carriers to take steps aimed at protecting customer location data and other sensitive info. They are also required to confidentially withhold customer info from unauthorized providers unless customers consent to that data being sold or distributed.

The federal communications regulator kicked off its investigation after seeing reports of a Missouri sheriff using an inmate phone monitoring service to unknowingly track peoples’ cell phone locations. The fines were first proposed in 2020 under former agency Chairman Ajit Pai.

AT&T, Verizon and T-Mobile said they intend to appeal the decision.

“The FCC order lacks both legal and factual merit. It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged,” an AT&T spokesperson told Nextgov/FCW.

“This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted,” T-Mobile said. “We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive,” it added.

“Verizon is deeply committed to protecting customer privacy. In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn't happen again. Unfortunately, the FCC’s order gets it wrong on both the facts and the law, and we plan to appeal this decision, a Verizon spokesperson told Nextgov/FCW.

“Keep in mind, the FCC's order concerns an old program that Verizon shut down more than half a decade ago. That program required affirmative, opt-in customer consent and was intended to support services like roadside assistance and medical alerts.”

The FCC has taken sweeping steps to harden telecom user data from unpermitted access. In March, it began requiring providers to notify authorities of a data breach within seven business days of discovery.

The agency’s recent restoration of net neutrality rules has been used as a basis to augment internet security because it would allow the agency to legally stamp out foreign broadband providers deemed national security risks.

The FCC recently asked major providers to provide an update on how they are refurbishing their networks to prevent spies and cybercriminals from exploiting wireless signaling protocols that could let bad actors track targets.

Editor's note: This article has been updated to include comment from Verizon.