FCC Fines Carriers $200m For Selling User Location Data

Written by

Four of America’s largest mobile operators sold access to customer location data to third parties without gaining customer consent or putting adequate safeguards in place, the FCC has claimed.

The US communications regulator issued its judgement yesterday, fining Sprint ($12m), T-Mobile ($80m), AT&T ($57m) and Verizon ($47m) close to $200m in total for breaking the law.

Section 222 of the Communications Act requires carriers to take “reasonable measures” to protect customer information, including their location details, to maintain its confidentiality, and to obtain express customer consent before using, disclosing or allowing access to it. These obligations also apply equally when carriers share that information with third parties, the FCC said.

However, the regulator claimed that all four carriers sold access to customer location data to aggregators, who resold it to third-party location-based service providers. None of these parties gained customer consent, the FCC claimed.

Read more on FCC action: FCC Proposes Massive $300m Fine for Robocall Firm

Even after becoming aware that safeguards were ineffective, the carriers continued to sell this data on without protecting it from unauthorized access, the FCC added.

“Our communications providers have access to some of the most sensitive information about us.  These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said FCC chairwoman, Jessica Rosenworcel. 

“As we resolve these cases – which were first proposed by the last administration – the commission remains committed to holding all carriers accountable and making sure they fulfil their obligations to their customers as stewards of this most private data.”

The FCC’s investigations began after reports claimed customer location data was being accessed by a Missouri sheriff through a location-finding service operated by Securus to track individuals. The carriers continued their policy of selling access to location data even after becoming aware of this unauthorized access, the FCC said.

America’s shadowy industry of data brokers recently became a target for executive action after President Biden signed an executive order (EO) in February. The first-of-its-kind action is designed to prevent data brokers lawfully selling Americans’ personal data to entities in hostile states.

What’s hot on Infosecurity Magazine?