The Federal Communications Commission (FCC) has imposed a penalty of $200 million on the largest wireless carriers for illegally sharing access to customers’ location information without consent.
Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million. Verizon is fined almost $47 million.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said FCC Chairwoman Jessica Rosenworcel.
The FCC Enforcement Bureau investigations of the four carriers found that each carrier sold access to its customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers.
Carriers attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained. This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.
Under the law, including section 222 of the Communications Act, carriers are required to take measures to protect certain customer information, including location information. Carriers are also required to maintain the confidentiality of such customer information and to obtain affirmative, express customer consent before using, disclosing, or allowing access to such information. These obligations apply equally when carriers share customer information with third parties.
The investigations that led to today’s fines started following public reports that customers’ location information was being disclosed by the largest American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals.
