The Federal Communications Commission has proposed $220 million in fines against AT&T, Verizon, T-Mobile, and Sprint for allegedly sharing customer location data and for failing to protect the data from unauthorized access. AT&T faces a fine of more than $57 million; Verizon faces a fine of more than $48 million; T-Mobile faces a fine of more than $91 million; and Sprint faces a fine of more than $12 million. The fine amounts vary “based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.” The FCC warned the carriers about sharing customer location data without consent to another party.
The FCC opened an investigation after reports stated that Cory Hutcheson, a Missouri Sheriff, utilized a “location-finding service” run by Securus, “a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between 2014 and 2017.” Hutcheson supposedly gave Securus irrelevant paperwork to prove he was authorized to see this information. He provided information on his health and auto insurance policies and pages from his training manuals.
“American consumers take their wireless phones with them wherever they go,” FCC Chairman Ajit Pai said. “And information about a wireless customer’s location is highly personal and sensitive. The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information. And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t. Today, we do just that. This FCC will not tolerate phone companies putting Americans’ privacy at risk.”
The wireless carriers violated the Communications Act, which “requires telecommunications carriers to protect the confidentiality of certain customer data related to the provision of telecommunications service, including location information.” Since the carriers shared consumers’ location data, this is a direct violation of the Act’s requirement. The carriers needed to take measures to protect against unauthorized attempts to access the information and to find out if any such attempts had been made. The wireless carriers should have also obtained consent for the collection, use, and dissemination of this information.
The carriers sold consumer location data to “aggregators” who resold it to other third-party companies, such as Securus. The carriers negligently believed the “location-based services providers” would obtain consent as they stated they would before they accessed the location data. However, these practices inadequately protected consumer data, as evidenced by Hutcheson’s unauthorized access to the data. The carriers continued to sell this data without adding protective measures or obtaining consent. For instance, carriers could have confirmed consent via text message, but they failed to do so.
T-Mobile stated it would fight the fine. The carrier stated that after it discovered its “location aggregator program was being abused by bad actor third parties, we took quick action.”
Some FCC Commissioners, such as Commissioners Starks and Rosenworcel, believed that the FCC did not go far enough. Starks believes the FCC should have subpoenaed carriers to determine how many Americans were affected. Rosenworcel stated that the fines were not large enough and too late, that the FCC should have kept Americans more informed during the process.
The carriers will be informed of the allegations against them and the proposed fine; they will have a chance to respond, after which the FCC will provide the final fine amount.