As expected, the United States Federal Communications Commission today proposed fines against the four major wireless carriers in the United States for improperly sharing and selling real-time customer location information without taking "reasonable measures" to protect against unauthorized access to the data.
In a statement [PDF] released today, the FCC says that T-Mobile should pay the most, while Sprint should pay the least. T-Mobile faces a proposed fine of more than $91 million, while the FCC wants AT&T, Verizon, and Sprint to pay over $51 million, $48 million, and $12 million in fines, respectively.
The fines vary based on the length of time that each carrier sold access to its customer location information without safeguards and the number of entities to which each carrier sold access.
Along with the proposed fines, the statement from the FCC admonishes the four carriers for disclosing customer location data without authorization to third-party entities.
"American consumers take their wireless phones with them wherever they go. And information about a wireless customer's location is highly personal and sensitive. The FCC has long had clear rules on the books requiring all phone companies to protect their customers' personal information. And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don't. Today, we do just that," said FCC Chairman Ajit Pai. "This FCC will not tolerate phone companies putting Americans' privacy at risk."
All four of the major U.S. carriers sold customer geolocation information to data aggregators like LocationSmart and Zumigo, with those companies then reselling the data to third-party location-based service providers. The data was ultimately provided to law enforcement officials, bounty hunters, bail bondsmen, and more.
The FCC says that, though exact practices varied, each carrier relied heavily on contract-based assurances that the location-based service providers they worked with would get consent from the customer before accessing the customer's location information, which did not happen.
Carriers had "several commonsense options to impose reasonable safeguards," but ultimately "failed to take the reasonable steps needed to protect customers from unreasonable risk of unauthorized disclosure."
The fines proposed by the FCC today are not final, and each carrier will be given an opportunity to respond and provide evidence and legal arguments before final fines are imposed.