The United States Federal Communications Commission (FCC) today announced [PDF] that it has fined AT&T, Verizon, and Sprint/T-Mobile $196 million collectively for illegally selling access to customer location information without consent.
Sprint and T-Mobile (now merged into T-Mobile) have been fined $12 million and $80 million, respectively. Verizon has been fined almost $47 million, and AT&T has been fined more than $57 million.
The FCC first began investigating the four major U.S. carriers in 2019 after they were found selling real-time location information from customer devices to third-party data aggregators, which led to that location data being sold a second time to private investigators, bounty hunters, law enforcement agencies, credit card companies, and more.
Following the investigation, the FCC confirmed that wireless carriers had violated federal law by sharing consumer location data. Fines were proposed back in 2020, but carriers were given an opportunity to provide evidence and legal arguments against the decision before the fines were formally imposed.
The fines vary based on the length of time that each carrier sold access to customer location information without safeguards, and the number of entities that were provided access. The FCC determined that carriers were obligated to protect the personal information of their customers, which they did not do.
"Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers' real-time location information, revealing where they go and who they are," said FCC Chairwoman Jessica Rosenworcel. "As we resolve these cases - which were first proposed by the last Administration - the Commission remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data."
The four carriers had different practices, but each carrier relied on contract-based assurances that the data aggregators purchasing the real-time location information would get consent from customers before accessing their location, which did not happen. Even after learning that data was being misused in this way, the FCC says the carriers "continued to sell access to location information without taking reasonable measures to protect it from unauthorized access."
