The U.S. Federal Communications Commission (FCC) on Monday announced that it has fined the nationโs largest wireless carriers nearly $200 million for illegally sharing customersโ personal data without their consent and without taking reasonable measures to safeguard that information against unauthorized disclosure.
Under the fines proposed in February 2020, Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively, while AT&T has been fined more than $57 million, and Verizon Communications almost $47 million, the FCC said.
According to the FCC, each of the four carriers sold access to its customersโ location information to โaggregators,โ who then resold the data onward to their own third-party location-based service providers.
โIn doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,โย the FCC said in a news release.
โThis initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.โ
For instance, the FCCโsย findings against AT&Tย show that AT&T sold access to its customersโ location information (directly or indirectly) to at least 88 third-party entities.
On the other hand, Verizon sold access to customer location data directly or indirectly to 67 third-party entities, while location data of Sprint and T-Mobile customers found its way to 86 and 75 third-party entities, respectively.
In separate statements on Monday, AT&T, Verizon, and T-Mobile all said they would appeal the decision, pointing out that the program the FCC has fined them for ended more than five years ago.
AT&T condemned the order as lacking โboth legal and factual merit. It unfairly holds us responsible for another companyโs violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that companyโs failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged.โ
A Verizon spokesperson also said in a statement that had โgotten it wrong on both the facts and the law, and we plan to appeal this decision.โ
The company is โdeeply committed to protecting customer privacy. In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn’t happen again.โ
T-Mobile also intends to challenge the decision, as it finds the FCC decision wrong and the fine too excessive.
It added that its location data-sharing program was โdiscontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection, and emergency response would not be disrupted.
We take our responsibility to keep customer data secure very seriously and have always supported the FCCโs commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it.โ
