The Federal Communications Commission on Monday fined four major carriers nearly $200 million after the agency said they were selling customers' location data without their consent.
The fines include an $80 million fine against T-Mobile, a $57 million fine against AT&T, a $46 million fine against Verizon, and a $12 million fine against Sprint.
Monday's fines against carriers come as policymakers in Washington increasingly struggle with how to rein in so-called data brokers' collection and sale of sensitive data on Americans. Although the telecommunications companies targeted by the FCC are not data brokers in the full sense, their decision to access and sell sensitive data illustrates how sensitive information has become another commodity to be bought and sold.
“These carriers failed to protect the information entrusted to them,” FCC Chairwoman Jessica Rosenworcel said in a statement. “Here we're talking about some of the most sensitive data they own: the real-time location of their customers, which reveals where they go and who they are.”
The FCC fined the companies for violating provisions of the Communications Act that require carriers to take “all reasonable precautions” to protect sensitive information on their customers' networks, including location data.
Since 2007, federal regulations have required wireless carriers to obtain explicit consent from customers to opt in to such data-sharing arrangements, but an FCC investigation found that in many cases the four carriers had effectively outsourced that requirement to the companies that purchased the wireless carriers' data.
All four companies, at least until 2019, had programs in place to sell access to their customers' location data to two data aggregators, LocationSmart and Zumigo. These companies sold that data to dozens of different third-party location service providers and other companies.
Rather than trying to get consent directly from customers to opt in to location sharing, the carriers effectively outsourced that job to the companies selling the data, passing the obligation through their own contracts to the location service providers. The FCC stated that this was insufficient to comply with federal requirements and that contractual safeguards between carriers and such third parties do not eliminate the need for the customer's express consent.
AT&T's internal audit of its customer data sharing program found numerous instances in which the aggregators that purchased the data failed to follow carriers' information security requirements, as well as questions about the “integrity” of its record-keeping and subscriber consent practices. Details of the three additional audits were not shared with regulators.
Sprint claimed that it had a similar audit program in place to ensure that the aggregators that purchased customer location data met security and privacy requirements, but the FCC said the audit was actually conducted in 2018. The investigation, which the New York Times said was conducted before 2015 (the same year), found that data sold by telecommunications carriers was being used by Missouri sheriffs to track the locations of judges and state law enforcement officers, leading to an extensive investigation by the FCC.
Spokespeople for the fined companies harshly criticized the FCC's decision to impose the fines.
AT&T spokesman Alexander Byers said in a statement that the FCC's order has “no legal or factual merit” and that the company plans to review the matter and appeal.
“It unreasonably holds us accountable for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and unfairly penalizes us for supporting life-saving location services, such as emergency medical alerts and roadside assistance, which the FCC itself had previously encouraged.”
An unnamed T-Mobile spokesperson said in an emailed statement that the company stopped selling location data to third-party aggregators five years ago and plans to appeal the decision.
“We take our responsibility to keep customer data safe very seriously and have always supported the FCC's efforts to protect consumers, but this decision is wrong and the fine is excessive.”
Verizon spokesman Rich Young said the company's program to sell location-based data, also discontinued five years ago, was “intended to support services such as roadside assistance and medical alerts.”
“In this case, one malicious actor gained unauthorized access to information about a very small number of customers, and we quickly and aggressively blocked the fraudster, shut down the program, and tried to ensure this never happens again,” Young said by email. “Unfortunately, the FCC's order is wrong both in fact and law, and we plan to appeal this decision.”
Updated April 29, 2024: This article has been updated with statements from AT&T, T-Mobile, and Verizon.