Several of the nation’s largest cellphone carriers have been collectively fined $200 million by the Federal Communications Commission (FCC) for illegally sharing access to customer location data without consent and failing to protect that information from unauthorized disclosures.
In an April 29 press release, the FCC said that T-Mobile, AT&T, Sprint, and Verizon violated the Communications Act when they sold customers’ location data without consent and continued to do so even after being informed of the violations.
FCC Chairwoman Jessica Rosenworcel said these carriers all failed in their fundamental duty required by law to protect customers’ data.
“Our communications providers have access to some of the most sensitive information about us,” she said. “These carriers failed to protect the information entrusted to them.
Subscriber Location Data Allegedly Leaked
Ms. Rosenworcel said the FCC Enforcement Bureau investigations found that each of the four carriers sold access to its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers.According to the FCC Enforcement Bureau investigations, through these actions, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information; in many instances, no valid customer consent was sought.
“This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access,” the FCC said.
The FCC began its investigation following allegations that subscriber location data was smuggled into a resale market used by bounty hunters to track down bail jumpers.
Loyaan A. Egal, chief of the FCC Enforcement Bureau and chair of its Privacy and Data Protection Task Force, said protecting sensitive personal data, such as location information, is very important to staying safe online.
“When placed in the wrong hands or used for nefarious purposes, it puts all of us at risk,” he said.
Trade Association and Carriers Blast FCC
AT&T has called out the FCC over the allegations, which it refutes, and signaled intentions to appeal the actions because, in its view, they lack “both legal and factual merit.”In a media statement, a spokesperson for the carrier said the FCC is unfairly holding them “responsible for another company’s violation of our contractual requirements to obtain consent,” while ignoring the “immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged.”
The spokesperson said an appeal could be in the works “after conducting a legal review” of the FCC action.
A Verizon spokesperson claimed in a media statement that the FCC had “gotten it wrong on both the facts and the law, and we plan to appeal this decision.”
According to the spokesperson, the company did everything it could after “one bad actor gained unauthorized access to information relating to a very small number of customers.”
CTIA, a trade association representing the wireless communications industry in the United States, also blasted the FCCs actions and claimed it tried to seek assistance to remedy the situation but was ignored.
“After touting the potential of location-based services to provide benefits like roadside assistance and emergency medical alerts, the FCC refused CTIA’s request for guidance on how providers should run those programs, and is now penalizing providers for facilitating them,” he said.
“And its calculation of fines relies on an unlawful methodology,” Mr. Ludlum added.
