Missouri Sheriff Cory Hutcheson wanted to get tough on drug dealers but spent six months in prison after being convicted of illegally tracking mobile phone users without a warrant by GPS locations services provider Securus Technologies. He could have faced up to 20 months but skated on a sweetheart deal. Yesterday, the FCC got tough on the major carriers who allowed unlawful GPS access with a $200 million fine but they’re not looking for a deal, they are appealing the fines and believe they’ll be able to walk away without paying a dime.
The Federal Communications Commission (FCC) has imposed fines totaling nearly $200 million on leading U.S. wireless carriers AT&T, Sprint, T-Mobile, and Verizon for unlawfully sharing customer location data without proper consent and adequately protecting this sensitive information. The fines stem from the carriers’ practices of selling access to this data to aggregators, who subsequently resold it to third-party service providers, bypassing the necessary customer permissions.
The fines relate to the sharing of real-time location data, which was revealed in 2018. The FCC proposed the penalties in 2020 when the Commission had a Republican majority. The agency finalized them yesterday, with Republican Commissioners Carr and Simington dissenting.
The problem came to light with reports of customer location data being disclosed by the most prominent American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a ‘location-finding service’ operated by Securus Technologies.
The carriers faced substantial penalties for violating federal privacy laws that mandate consumer data protection and require explicit customer approval before sharing. Sprint and T-Mobile merged entities received fines of over $12 million and $80 million, respectively, while AT&T and Verizon were fined over $57 million and nearly $47 million, respectively.
FCC Chairwoman Jessica Rosenworcel commented on the issue, highlighting the sensitivity of real-time location data that carriers mishandled. She emphasized the FCC’s commitment to uphold consumer privacy rights and hold violators accountable, continuing efforts initiated by the previous administration.
Investigations by the FCC Enforcement Bureau found that the carriers had offloaded the responsibility of obtaining customer consent to third parties through their dealings with aggregators. This practice continued even after the carriers recognized the inadequacies in their protective measures, leading to unauthorized access and use of location data.
Under section 222 of the Communications Act, carriers must protect customer information by implementing reasonable security measures and ensuring data confidentiality, particularly when disclosing data to third parties.
All four carriers are readying legal teams to appeal the FCC’s decision
All four carriers disagreed with the decision and announced plans to appeal it.
T-Mobile spokesperson Tara Darrow stated, “The industry-wide third-party aggregator program for location-based services was terminated over five years ago, following measures we implemented to ensure essential services such as roadside assistance, fraud protection, and emergency response continued uninterrupted.”
AT&T spokesperson Alex Byers also announced plans to appeal, criticizing the FCC’s ruling as lacking in “legal and factual merit.” Byers explained, “The decision unfairly blames us for another company’s breach of consent protocols, overlooks the immediate actions we took to rectify that company’s failures, and paradoxically penalizes us for facilitating critical location services such as emergency medical alerts and roadside assistance, which were once advocated by the FCC itself. We plan to file an appeal after a thorough legal evaluation,” Byers told TechCrunch.
Verizon spokesperson Rich Young declared the company’s intention to appeal: “The FCC’s order is incorrect regarding both the facts and the law.” He detailed that Verizon acted swiftly to address an incident involving unauthorized data access by a malicious party. “We immediately terminated the offender’s access, discontinued the program, and took steps to prevent such incidents in the future,” he noted. “It is important to remember that the FCC’s order relates to a defunct program that was shut down over five years ago, which had always required clear, opt-in consent from customers to support services like roadside assistance and medical alerts.”
Commissioner Carr conveys that the case should have been in the FTC’s hands
In his dissenting vote, Commissioner Brendan Carr criticized the FCC’s decision, stating that the nature of the data and the statutory limitations of the FCC’s authority make this a case better suited for the FTC. He argued that the FCC had overstepped its bounds by redefining customer proprietary network information (CPNI) to include any carrier handling of a customer’s location data. According to Carr, this broadened definition is unsupported by the Communications Act or previous FCC precedents.
The Commissioner expressed concerns over the retroactive nature of the fines and the need for clear precedent or adequate notice given to the carriers about these new legal expectations. He emphasized that the FCC’s approach conflicts with the principles of fair notice and the agency’s historically narrow interpretation of CPNI, which is traditionally linked directly to telecommunications services.
Commissioner Simington believes FCC action could be harmful to legitimate location data services
Commissioner Nathan Simington, who also dissented, said that the fines that were issued disproportionately exceeded statutory maximums by considering each part of an aggregated service as a separate violation.
He also raised concerns about the implications of the FCC’s aggressive enforcement stance. He pointed out that while the FCC targets regulated mobile network operators for their handling of location data, thousands of unregulated applications routinely access similar data without user consent. He suggested that the FCC’s approach might inadvertently harm consumer privacy by driving legitimate location data services to operate outside regulated frameworks.
Simington proposed an alternative approach involving collaborating with carriers on consent decrees to develop and monitor compliance with enhanced data protection standards rather than imposing punitive fines. He criticized the Commission’s current tactics as prioritizing a punitive image over practical engagement with data privacy and security realities.