US fines telcos $200M for sharing customer location data without consent
The U.S. Federal Communications Commission said on Monday that it is fining the four U.S. major wireless carriers around $200 million in total for âillegallyâ sharing and selling customersâ real-time location data without their consent.
AT&Tâs fine is more than $57 million, Verizonâs is almost $47 million, T-Mobileâs is more than $80 million and Sprintâs is more than $12 million, according to the FCCâs announcement.
âOur communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customersâ real-time location information, revealing where they go and who they are,â FCC Chairwoman Jessica Rosenworcel said in the announcement.
The FCC said its investigative arm, the Enforcement Bureau, concluded that the four companies sold access to its customersâ location data to third-party companies, which the FCC called âaggregators,â which in turn resold the location data to other companies. These series of sales and resales effectively created a whole gray market for cell phone subscribersâ historical and real-time location data. Most customers had no idea such a market for their data even existed, let alone consented to the sale of their data.
Cell phone carriers are required by law to âmaintain the confidentiality of such customer information and to obtain affirmative, express customer consent before using, disclosing, or allowing access to such information,â the FCC wrote.
The fines come years after investigations by news organizations revealed that the four carriers were sharing this type of data with law enforcement and bounty hunters, among other organizations.
In 2018, The New York Times reported that law enforcement and correction officials across the U.S. used a company called Securus Technologies to track peopleâs locations. Securusâ solution relied on âa system typically used by marketers and other companies to get location data from major cell phone carriers,â the NYT wrote.
The following year, a Motherboard investigation revealed that bounty hunters could geo-locate any cell phone customerâs location for as little as $300. âThese surveillance capabilities are sometimes sold through word-of-mouth networks,â Motherboardâs Joseph Cox, who is now at 404 Media, wrote at the time.
The FCC wrote that despite these public reports, the four carriers failed to put safeguards in place âto ensure that the dozens of location-based service providers with access to their customersâ location information were actually obtaining customer consent,â and kept selling the data.
All four carriers criticized the decision and said they intend to appeal it.
T-Mobile spokesperson Tara Darrow said in a statement that âthis industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection and emergency response would not be disrupted.â
Darrow said that T-Mobile, which merged with Sprint in 2020, will appeal the decision.
âWe take our responsibility to keep customer data secure very seriously and have always supported the FCCâs commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it,â the statement read.
AT&T spokesperson Alex Byers also said the company will appeal, and said that the FCC decision âlacks both legal and factual merit.â
âIt unfairly holds us responsible for another companyâs violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that companyâs failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review,â Byers said in a statement sent to TechCrunch.
Verizon spokesperson Rich Young said that the âFCCâs order gets it wrong on both the facts and the law, and we plan to appeal this decision.â
âIn this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldnât happen again,â the statement read. âKeep in mind, the FCCâs order concerns an old program that Verizon shut down more than half a decade ago. That program required affirmative, opt-in customer consent and was intended to support services like roadside assistance and medical alerts.â