The U.S. Federal Communications Commission (FCC) on Monday announced that it has fined the nation’s largest wireless carriers nearly $200 million for illegally sharing customers’ personal data without their consent and without taking reasonable measures to safeguard that information against unauthorized disclosure.
Under the fines proposed in February 2020, Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively, while AT&T has been fined more than $57 million, and Verizon Communications almost $47 million, the FCC said.
According to the FCC, each of the four carriers sold access to its customers’ location information to “aggregators,” who then resold the data onward to their own third-party location-based service providers.
“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” the FCC said in a news release.
“This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”
For instance, the FCC’s findings against AT&T show that AT&T sold access to its customers’ location information (directly or indirectly) to at least 88 third-party entities.
On the other hand, Verizon sold access to customer location data directly or indirectly to 67 third-party entities, while location data of Sprint and T-Mobile customers found its way to 86 and 75 third-party entities, respectively.
In separate statements on Monday, AT&T, Verizon, and T-Mobile all said they would appeal the decision, pointing out that the program the FCC has fined them for ended more than five years ago.
AT&T condemned the order as lacking “both legal and factual merit. It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged.”
A Verizon spokesperson also said in a statement that had “gotten it wrong on both the facts and the law, and we plan to appeal this decision.”
The company is “deeply committed to protecting customer privacy. In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn’t happen again.”
T-Mobile also intends to challenge the decision, as it finds the FCC decision wrong and the fine too excessive.
It added that its location data-sharing program was “discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection, and emergency response would not be disrupted.
We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it.”
