Today, the Federal Communications Commission imposed fines on T-Mobile, AT&T, Verizon, and Sprint for sharing customer location data with third parties without obtaining their consent.
According to CNN’s report, the FCC initially proposed the fine in 2020 due to the failure of major U.S. wireless carriers to safeguard the privacy of their users. Investigations revealed that these companies were sharing real-time location data with intermediaries referred to as aggregators, who subsequently sold it to third-party location-based service providers.
In 2018, a probe led by Sen. Ron Wyden uncovered that the data ended up with Securus, a company offering communication services to prisons. Concerns arose that prison authorities could potentially exploit the data to surveil individuals nationwide.
Subsequently, the carriers pledged to sever ties with the involved aggregators. However, it later emerged that they continued to share location information through alternative channels. Although the carriers eventually committed to terminating all location aggregation contracts, it took them a year, and even longer in some instances, to suspend these contracts.
Today, the FCC has officially confirmed the fines it proposed in 2020. Sprint and T-Mobile face fines exceeding $12 million and $80 million, respectively, while AT&T has been ordered to pay over $57 million. Additionally, Verizon has been fined nearly $47 million.
The FCC highlights that the telecom firms “neglected to safeguard the information entrusted to them.” It asserts that by selling access to customer location data, the four carriers shifted their responsibility to acquire consent to other entities. Despite discovering that their security measures were inadequate, the carriers persisted in selling access to location data and failed to take reasonable measures to prevent unauthorized access.
Under American law, carriers are mandated to implement reasonable measures to protect specific customer data, including location information, and they must obtain consent before sharing such data with any party.
