On April 29, 2024, the Federal Communications Commission (“FCC”) announced that it had fined the nation’s largest wireless carriers a total of $196 million for violating consumer data privacy rights. AT&T, Sprint, T-Mobile and Verizon are accused of: 1) illegally sharing access to customers’ location information without consent; and 2) failing to take reasonable measures to protect said information from unauthorized disclosure. In an accompanying statement, FCC Charwoman Jessica Rosenworcel stressed the importance of prioritizing data privacy, stating that “geolocation data is especially sensitive. It is a reflection of who we are and where we go. In the wrong hands, it can provide those who wish to do us harm the ability to locate us with pinpoint accuracy.”
The fines are the culmination of the FCC’s investigation into the carriers’ respective data privacy practices following a massive consumer data leak in 2018, which originated with LocationSmart, a then little-known location data aggregator. Following the leak, Senator Ron Wyden asked the carriers to cease the practice of selling consumer location information to third-party data brokers. Notices of Apparent Liability were issued to the carriers in February 2020. The Forfeiture Orders announced by the FCC on April 29, 2024 made the fines provided in the Notices official. All three carriers (Sprint & T-Mobile have since merged) announced that they intend to appeal the fines, alleging that they almost immediately addressed the violative data privacy practices in response to Senator Wyden’s letter.
How did the Carriers Violate Consumer Data Privacy Rights?
In 2018, data broker Securus, which sold consumer location data to local police forces, was hacked. Subsequently, a “whistleblower” revealed that the consumer location data was originally acquired from data aggregator LocationSmart, possibly at no cost. The FCC Enforcement Bureau proceeded to investigate the carriers and found that they were selling access to their customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers. The FCC alleges that, by doing so, the major carriers skirted their data privacy responsibilities, failing to obtain requisite consumer consent prior to disclosing their location information to third-party entities.
Among other operative provisions, Section 222 of the Communications Act of 1934, which protects the privacy of consumer data, requires that:
- Every telecommunications carrier has a duty to protect the confidentiality of proprietary information of, and relating to, other telecommunication carriers, equipment manufacturers, and customers, including telecommunication carriers reselling telecommunications services provided by a telecommunications carrier; and
- A telecommunications carrier shall disclose customer proprietary network information, upon affirmative written request by the customer, to any person designated by the customer.
The vote on the previously noticed fines was deadlocked at 2-2 until the final FCC Commissioner decided to approve them in September 2023. All three major carriers immediately announced their intent to appeal the Forfeiture Orders following the FCC’s announcement. Preliminarily, the carriers argue that: 1) they are being held liable for a third party’s failure to obtain consumer consent; 2) the FCC is ignoring the immediate steps taken by the carriers to address their data privacy shortcomings; and 3) they are being punished for providing data necessary to sustain emergency services, such as roadside assistance and medical alerts.
The FCC’s Major Fines Send a Message to All Data Brokers and Aggregators
As our readers are aware, the federal government is enacting policies that restrict how companies may acquire and sell consumer data. State governments are following in these footsteps. The fines issued by the FCC are miniscule compared to the carriers’ respective bottom lines. However, other businesses will likely find an FCC Notice of Apparent Liability quite devastating. As such, data brokers and aggregators must regularly update their data privacy compliance practices to steer clear of a regulatory inquiry.
[View source.]
