US military reportedly acts against ransomware groups The cost of flying internationally Spider-Man: Across the Spider-Verse trailer Omicron vs. delta Free COVID at-home test kits Cyber Week deals

FCC proposes hefty fines for carriers that fail to protect your location data

AT&T, T-Mobile, Sprint and Verizon face $200 million in fines for sharing consumer data with third parties.

It's not a done deal, but the FCC reportedly could levy fines on carriers for failing to safeguard customers' location info.

It's not a done deal, but the FCC reportedly could levy fines on carriers for failing to safeguard customers' location info.

Jaap Arriens/Getty Images

The Federal Communications Commission has proposed fining the nation's four largest wireless carriers $200 million for selling access to their customers' real-time location information.

Under the proposal released Friday, the agency said T-Mobile would face a fine of more than $91 million. AT&T would be fined more than $57 million; Verizon more than $48 million; and Sprint more than $12 million.   

FCC Chairman Ajit Pai said the proposed fines have put wireless carriers on notice that they need to do a better job protecting consumers' privacy. 

"This FCC will not tolerate phone companies putting Americans' privacy at risk,"  he said in a statement. 

Still, the fine amounts are drops in the bucket for the nation's carriers. For instance, Verizon reported fourth quarter revenue of $34.78 billion; AT&T reported revenue of $46.82 billion; and T-Mobile reported revenue of $11.88 billion.

Democratic FCC Commissioner Jessica Rosenworcel noted the "discounted" fine in a statement and also criticized the agency for taking too long to act.

"The FCC's investigation is a day late and a dollar short," she said. "The FCC kept consumers in the dark for nearly two years after we learned that wireless carriers were selling our location information to shady middlemen ... The FCC heavily discounts the fines the carriers potentially owe under the law and disregards the scope of the problem." 

The FCC began investigating the issue in May 2018, after news surfaced that carriers were selling location data to third parties. Such data can be used for legitimate purposes like locating a lost smartphone or getting emergency roadside assistance. But it can also be sold to aggregators, who can use it to track individuals without their consent or knowledge.

The investigation

Specifically, the FCC's enforcement bureau looked into allegations that a Missouri sheriff, Cory Hutcheson, used a "location-finding service" operated by a company called Securus, which provides communications services to correctional facilities, to access the location information of the wireless carriers' customers without their consent between 2014 and 2017.  

The federal Communications Act requires phone companies to protect confidentiality of certain customer data such as location information.  The FCC said its rules also make clear that carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to this data. The rules also require that carriers get consent from customers before disclosing or using this data. 

The FCC says its investigation found that all four of the major US carriers had sold access to their customers' location information to "aggregators," who then resold access to other third-party location-based service providers, like Securus. The FCC said it was "clear that carriers' existing measures to safeguard this data were inadequate." 

"Yet all four carriers apparently continued to sell access to their customers' location information without putting in place reasonable safeguards to ensure that the dozens of location-based services providers acting on their behalf were actually obtaining consumer consent," the FCC said. 

The issue of carriers selling consumer location data sparked an outcry from several members of Congress, as well as consumer groups. A month after the initial reports surfaced, carriers said they were ending their contracts with location-aggregating companies, but it was subsequently revealed that the practice was still going on. In January 2019, US lawmakers again pressed the FCC for answers on the sale of consumer location data.

AT&T and T-Mobile said in early 2019 that they were cutting off more location data sharing.

Several consumer advocates say it took the Republican-led FCC too long to act. They also point to the fact that the FCC, under Pai's leadership, had actually rolled back privacy protections that had been adopted as part of the 2015 net neutrality rules. The FCC rolled back those rules in 2017.

"Small wonder that carriers felt safe flouting the law and selling precise geolocation information that customers disclose for the sole purpose of enabling 911 first responders to find them," said Harold Feld, senior vice president at Public Knowledge. "Only after pressure from Congress, embarrassing exposés by diligent reporters at Vice, and repeated criticism from Democratic Commissioners Rosenworcel and Starks did the chairman finally act to enforce the law -- and to the barest degree possible!"

Location information

Mobile phone companies keep detailed records of their cellphone subscribers' locations. That's because their services need specific location coordinates to route calls and data properly and for proper billing. Carriers also use this information to provide accurate emergency 911 service.

As a result, the location information that wireless carriers have about their customers is more precise than what's available from mobile app developers, which use GPS or Wi-Fi to identify location. And because it's more precise, it's considered highly valuable for marketers and others looking for location data.

Earlier this month, Pai had sent a letter to several members of Congress saying that after an investigation, the FCC had concluded that at least one wireless carrier had violated federal law in disclosing real-time location data of customers. At the time, the agency didn't disclose the carrier or what fine it planned to levy. 

Originally published Feb. 27.
Update, Feb. 28: Adds information from the FCC and comments.