Private Lessons

US regulator to fine leading carriers over data violations

Last week, the US Federal Communications Commission (FCC) approved a proposal to fine the four largest wireless carriers in the country more than $200 million for failing to protect consumer location data. Carriers had been selling real-time geolocation information to middlemen known as location aggregators, which would then make that data available to third parties.

The FCC judged that the carriers had violated a section of the Telecommunications Act requiring them to protect the confidentiality of customers’ call information. The regulator said that it has long had clear rules requiring all phone companies to protect their customers’ personal information. Since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t.

The commission took nearly two years to get to this point and propose the fines since complaints about the practice were brought to its attention. Its move comes after repeated public reports about data abuse and after several companies continued to sell access to personal information for months despite saying they were limiting the practice. Companies that engage in this can collect massive amounts of data from GPS, Wi-Fi and other signals as there’s no specific law addressing the use of the data.

Carriers disclosed information about customers’ location without their consent and sold it instead of protecting their privacy rights. The sale of location data has become widespread as smartphones have proliferated and technology for pinpointing their location has become more precise. The information is invaluable to police departments and marketers, for example, as it can reveal details about people’s daily lives. Marketers then use this to target people with ads. Although cellular data is often less precise than app information, it’s nearly always available and covers most of the population.

The FCC’s rules allow it to seek fines for each day that a violation continues. The fines represent a major step by the agency, and are some of the largest that it has imposed in several years. The highest fine was reserved for T-Mobile at $91 million, followed by AT&T at $57 million, Verizon at $48 million and Sprint at $12 million. The penalties reflect the length of time the carriers failed to protect the data and the number of companies with which they shared the data. T-Mobile’s fine is highest in part because it shared the information with more than 80 entities; Sprint shared the data with the least number of companies.

This is an unusually large fine by FCC standards, but a modest one compared with the companies’ revenues, which collectively totalled almost $400 billion in 2019. The carriers can still appeal the fines; T-Mobile says it will, and Sprint, AT&T and Verizon are still reviewing them.

Given the trend toward protecting private data rather than making money from it, carriers will need to examine their business models and ensure customer information is used conservatively.