Early this week, the Federal Communications Commission (FCC) announced it had fined the largest U.S. wireless carriers for sharing access to customers’ geolocation information without consent and without taking reasonable measures to protect against unauthorized disclosure. These Forfeiture Orders follow the issuance of Notices of Apparent Liability for Forfeiture and Admonishment by former Chairman Ajit Pai in 2020, and subsequent agency investigation by the agency’s Privacy and Data Protection Task Force.

The orders buttress FCC Chairwoman Jessica Rosenworcel’s consumer protection agenda, which includes launching the Privacy and Data Protection Task Force last year. The FCC has been increasing its regulatory oversight under the task force, which it described as “an FCC staff working group focused on coordinating across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors, including data breaches (such as those involving telecommunications providers) and vulnerabilities involving third-party vendors that service regulated communications providers.”

Both of the agency’s Republican commissioners disagreed with the fine. In a dissent, Commissioner Brendan Carr wrote that the FCC had exceeded its authority under Section 222 of the Communications Act by determining that geolocation data is customer proprietary network information (CPNI), and said the Federal Trade Commission (FTC) is the appropriate agency to act.

The Forfeiture Orders concern programs implemented by the carriers beginning around a decade ago, where they contracted with aggregators who in turn contracted with location-based service (LBS) providers. Rosenworcel noted that the data included customers’ real-time location, which the carriers sold to “aggregators,” who then resold access to such information to third-party location-based service providers.

The FCC alleged that the carriers attempted to offload the obligations under the CPNI rules to obtain customer consent onto third-party “downstream” recipients of the location information. According to the carriers, the aggregators and LBS providers were supposed to notify customers and collect affirmative customer consent for any use of location information. However, the orders conclude that the carriers were still responsible because they provided those third parties with access to customers’ customer CPNI without obtaining for themselves the requisite approval.

The carriers argued that the various guidelines, policies, and contractual obligations demonstrated that they undertook reasonable safeguards to protect customer data. But the FCC was not convinced, pointing out an example in which one carrier was unable to compel an LBS provider to cooperate with its internal investigation.

Under Section 222 of the Communications Act, telecommunications carriers are required to take reasonable measures to protect certain customer information, including location information. Although the carriers argued that location data was not CPNI under the Act, the FCC held that location data easily fits under the Act’s CPNI definition: “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship.”

Carriers are also required to maintain the confidentiality of such CPNI and to obtain affirmative, express customer consent before using, disclosing, or allowing access to such information. These obligations apply equally when carriers share customer information with third parties.

One of the carriers argued that it obtained implicit consent. The FCC rejected this, stating that the location information at issue here did not fall within the scenarios in which opt-out customer approval is allowed. Rather, opt-in consent was required, meaning that the customer needed to give “affirmative, express consent” after being given appropriate notice of the carrier’s request. This does not allow for the use of implicit consent.

There is a good possibility that the carriers will challenge the FCC’s orders in federal court, arguing that the FCC made factual errors and that it exceeded its authority under Section 222. Meanwhile, carriers that hold CPNI data regarding geolocation may wish to be more cautious about obtaining prior consents before using, disclosing, or allowing access to that data.