The FCC has issued forfeiture orders (Orders) imposing huge fines on four of the nation’s largest wireless carriers for sharing access to customers’ geolocation information without customer consent and for failing to take reasonable measures to protect that information against unauthorized disclosure. The FCC fined Sprint and T-Mobile (which have merged) more than $12 and $80 million, respectively, AT&T, more than $57 million, and Verizon, almost $47 million. The Orders are the culmination of a four-year investigation starting after a May 2018, New York Times article detailed security breaches involving the carriers’ practice of selling access to customer location information. The carriers were selling such information to aggregators, who then resold the information to third-party location-based service (LBS) providers without customer consent. The breaches involved LBS providers giving law enforcement and others access to customer mobile device location information for tracking without the owner’s knowledge or consent. The FCC rejected arguments that location information was not CPNI, and that the carriers did not have fair notice, asserting the Communications Act and CPNI rules cover such information. The FCC found each carrier liable for willfully and repeatedly violating the Communications Act and rules by disclosing its customers’ location information without their consent, and for failing to take reasonable steps to protect customer location information, even after they had knowledge of the unauthorized disclosures. AT&T and T-Mobile have already stated that they will appeal the FCC’s decisions.
