The United States Federal Communications Commission (FCC) announced on Monday, April 29th, that it has issued a total of $200 million in fines to the four major U.S. mobile operators for illegally sharing customer location data after concluding an investigation.
T-Mobile received the highest fine, amounting to $80 million, and the subsidiary Sprint, acquired by the company in 2020, was fined $12 million. According to the FCC’s announcement, AT&T was fined over $57 million, and Verizon was fined nearly $7 million.
During the Trump administration in 2020, the FCC first accused these major telecommunications companies of illegally sharing customer location data and not taking reasonable measures to protect that information.
The four telecom giants have pushed back against the accusations and indicated they plan to challenge the fines.
The FCC stated that its enforcement division’s investigation revealed that each telecom operator was selling customers’ real-time location information to intermediaries, who then resold the location data to private investigators, bounty hunters, law enforcement agencies, credit card companies, and others.
Throughout this process, each telecom operator attempted to shift the obligation of obtaining customer consent onto downstream entities, often resulting in ineffective customer authorization.
According to the FCC, telecom operators are required by regulations including Section 222 of the Communications Act to take reasonable measures to protect customer location information. They must also keep such customer information confidential and obtain explicit consent from customers before using, disclosing, or allowing access to such information.
“Our communication service providers have access to some of our most sensitive information. These operators failed to protect the information entrusted to them,” said FCC Chairwoman Jessica Rosenworcel in a statement. “Here, we’re talking about some of the most sensitive data they hold: customers’ real-time location information, which reveals their whereabouts and identities.”
She added, “As we resolve these cases initially raised by the previous administration, the Commission will continue to hold all operators accountable to ensure they fulfill their duties as custodians of customers’ most private data.”
All fined telecom operators have expressed their intentions to appeal this decision.
An AT&T spokesperson stated that the FCC’s order lacks legal and factual basis. It unfairly demands the company to be held responsible for another company’s contract violation and disregards the immediate actions taken by the company to address the issue.
“We intend to appeal this order after a legal review,” AT&T said.
A spokesperson for T-Mobile also questioned the allegations, deeming the fines as “excessive.”
T-Mobile stated: “This industry-wide third-party location aggregation service program ceased over five years ago after we took measures to ensure critical services like roadside assistance, fraud protection, and emergency response remained uninterrupted. We take our responsibility to protect customer data security seriously and have consistently supported the FCC’s commitment to consumer protection, but this decision is flawed and the fines are excessive. We plan to challenge this.”
Verizon’s spokesperson also plans to challenge the agency’s order.
“When a bad actor gained access to a very small number of customers’ information without authorization, we acted swiftly and proactively to cut off the fraudster’s access, shut down the process, and ensured that this situation would not recur,” Verizon said. “Unfortunately, the FCC’s order is incorrect both factually and legally, and we plan to appeal this decision.”