As expected, the FCC has officially proposed fines against T-Mobile and the other major U.S. carriers over the sale of customer location data.
The FCC announced today that T-Mobile, Sprint, AT&T, and Verizon will all face fines for “apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.”
T-Mobile is facing the largest fine of the four carriers with a proposed fine of more than $91 million. AT&T is being fined more than $57 million, Verizon is facing a fine of more than $48 million, and Sprint’s fine is more than $12 million. In total, the four carriers are being fined more than $208 million.
FCC Chairman Ajit Pai said that his agency has had “clear rules” about requiring phone companies to protect their customers’ personal information and that, since 2007, the companies have been on notice that they must take reasonable steps to protect this data or face enforcement. “This FCC will not tolerate phone companies putting Americans’ privacy at risk,” Pai added.
The FCC began investigating the carriers following reports that Missouri Sheriff Cory Hutcheson used a “location-finding service” from Securus to access the location of wireless carriers’ customers without their consent between 2014 and 2017. All four major U.S. carriers sold access to their customers’ location info to aggregators who then resold that info to third-party location-based services like Securus, the FCC says.
Each carrier relied on contract-based assurances that these aggregators would obtain consent from the customers before accessing their location, but Hutcheson’s unauthorized access of hundreds of customers’ location data “made clear that the carriers’ existing measures to safeguard this data were inadequate,” explains the FCC.
“Yet all four carriers apparently continued to sell access to their customers’ location information without putting in place reasonable safeguards to ensure that the dozens of location-based service providers acting on their behalf were actually obtaining consumer consent.”
All four carriers will now have a chance to respond to the FCC’s proposed fines and the FCC will consider these arguments before taking any further action. I asked T-Mobile for a statement on the FCC’s fine and received the following statement:
“We take the privacy and security of our customers’ data very seriously. When we learned that our location aggregator program was being abused by bad actor third parties, we took quick action. We were the first wireless provider to commit to ending the program and terminated it in February 2019 after first ensuring that valid and important services were not adversely impacted. While we strongly support the FCC’s commitment to consumer protection, we fully intend to dispute the conclusions of this NAL and the associated fine.”