The Federal Communications Commission (FCC) has fined major wireless carriers, including AT&T, Sprint, T-Mobile and Verizon, nearly $200 million for illegally sharing customer location data without consent and failing to adequately protect that sensitive information. The fines were imposed due to the providers selling access to location data to aggregates, who later resold it to third-party service providers without obtaining valid customer consent.
The providers were found in violation of federal law, which requires them to maintain customer information and obtain express consent before sharing it. Sprint and T-Mobile, which have merged since the investigation began, were fined more than $12 million and $80 million, respectively. AT&T faces a fine exceeding $57 million, while Verizon was fined nearly $47 million.
FCC Chair Jessica Rosenwortzel said:
“Our telecommunications providers have access to some of the most sensitive information about us. These providers have failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: real-time location information of customers, revealing where they are going and who they are.
As we resolve these cases — first proposed by the last administration — the Commission remains committed to holding all providers accountable and ensuring they fulfill their obligations to their customers as stewards of this highly private data.”
Investigations by the FCC’s Bureau of Enforcement revealed that the four carriers sold access to customers’ location data to “aggregators,” who then resold it to third-party service providers. This practice allowed providers to shift the responsibility for obtaining consent onto downstream recipients, leading to cases where valid client consent was not obtained. The FCC says that even after realizing that their safeguards were ineffective, carriers continued to sell access to location information without implementing adequate measures to protect it from unauthorized access.
as per Section 222 of the Communications Law, providers are obligated to take reasonable measures to protect customer information, including location data. They are required to maintain the confidentiality of the aforementioned information and must obtain the express consent of the customer before disclosing or providing access to it.
This includes situations where data is shared with third parties, as in this case.
Despite the fines, The providers plan to appeal the decisionon the grounds that the punishments are excessive and legally unconstitutional.