The FCC recently fined major US mobile carriers a total of nearly $200 million for illegally sharing and selling customers’ real-time location data without their consent [1].

Description

Carriers [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], including AT&T [8], Verizon [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], Sprint (now merged with T-Mobile) [2], and T-Mobile [3] [4] [5] [7] [8] [9] [11], sold access to customers’ location data to aggregators, who then resold it to location-based service providers without proper customer consent [5] [10], leading to unauthorized access by parties such as bail-bond companies and bounty hunters [9]. Despite previous investigations and public reports [1], the carriers failed to implement safeguards to ensure customer consent before selling the data [1]. President Biden’s executive order aims to prevent data brokers from selling Americans’ personal data to hostile states [10]. Verizon [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], for example, shut down the program in question more than half a decade ago and emphasized that it required affirmative customer consent for services like roadside assistance and medical alerts [1]. The FCC fined Sprint $12 million and T-Mobile $80 million, and AT&T over $57 million and Verizon $47 million [8], based on the number of days each carrier continued sharing data after being notified of the illegality [8]. Federal regulators found that the carriers failed to protect sensitive customer information and did not obtain valid consent for sharing location data [4]. Carriers are required by law to protect location information unless they have express consent to share it [4]. The penalties were proposed in 2020, and Verizon’s and T-Mobile’s fines were reduced after additional evidence was reviewed [4]. Verizon [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], AT&T [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], and T-Mobile all dispute the FCC’s order [4], stating it lacks legal and factual merit and unfairly holds them responsible for another company’s violations [4] [11].
The carriers shared user location information with data resellers known as “location aggregators,” who then passed the data to their own third-party customers [7] [11]. Despite promises to stop the practice [7] [9] [11], carriers took nearly a year or longer to do so [7] [11]. AT&T was fined $57 million [9] [11], Verizon nearly $47 million [4] [5] [6] [7] [8] [9] [11], Sprint $12 million [1] [2] [5] [6] [7] [8] [11], and T-Mobile $80 million [5] [7] [11]. The carriers plan to appeal the decision [1] [7] [11], stating that the FCC order lacks legal and factual merit and unfairly holds them responsible for another company’s violation of consent requirements [11]. Verizon emphasized its commitment to protecting customer privacy and stated that it quickly shut down the program when unauthorized access occurred [11]. T-Mobile discontinued its location data-sharing program over five years ago and intends to challenge the FCC’s decision [11], calling the fine excessive [11]. This privacy scandal is part of a larger issue surrounding the unauthorized sale of location data by data brokers [6], who profit from analyzing and reselling such information [6]. Despite the significant fines imposed by the FCC [6], the penalties are relatively small compared to the revenue generated by these telecom giants [6].

Conclusion

The fines imposed by the FCC on major US mobile carriers for illegally sharing and selling customers’ real-time location data without consent highlight the importance of protecting sensitive customer information. While the carriers plan to appeal the decision [7] [11], the incident underscores the need for stricter regulations and enforcement to prevent unauthorized access to personal data. The impact of this privacy scandal extends beyond financial penalties, raising concerns about data privacy and security in an increasingly digital world.

References

[1] https://techcrunch.com/2024/04/30/us-fines-telcos-200m-for-sharing-customer-location-data-without-consent/
[2] https://www.theverge.com/2024/4/29/24144599/fcc-fine-att-sprint-verizon-t-mobile-location-data
[3] https://arstechnica.com/tech-policy/2024/04/fcc-fines-big-three-carriers-196m-for-selling-users-real-time-location-data/
[4] https://www.usatoday.com/story/money/business/2024/04/29/verizon-att-tmobile-fine-fcc-data/73503403007/
[5] https://www.cnet.com/tech/mobile/fcc-fines-verizon-t-mobile-and-at-t-200-million-for-sharing-customer-location-data/
[6] https://www.techspot.com/news/102798-fcc-slaps-top-telecom-companies-200-million-fines.html
[7] https://www.cnn.com/2024/04/29/tech/fcc-fines-att-verizon-200-million/index.html
[8] https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wireless-carriers-for-selling-customer-location-data/
[9] https://news.yahoo.com/fcc-fines-americas-largest-wireless-carriers-200-million-for-selling-customer-location-data-121246900.html
[10] https://www.infosecurity-magazine.com/news/fcc-fines-carriers-200m-selling/
[11] https://abc30.com/fcc-fines-wireless-carriers-phone-company-locations-personal-data-leak/14745739/