Wireless Carriers Face $200M FCC Fine As Data Privacy Waters Roil

The Federal Communications Commission (FCC) has fined the top US wireless carriers a collective $200 million for sharing access to customers' location information without consent, the culmination of an action proposed four years ago as authorities continue to grapple with how to reel in companies' handling of sensitive personal data. For carriers, who note that the fines are based on outdated programs that no longer exist, the action represents unsettled regulatory waters as requirements for handling customer data security and privacy in the modern era continue to shake out.

Specifically, the FCC fined Sprint and T-Mobile USA, which have merged since the investigation began, more than $12 million and $80 million, respectively; AT&T more than $57 million; and Verizon almost $47 million.

The agency proposed the fines in 2020 based on an investigation that started after reports that a Missouri sheriff consistently used a "location-finding service" operated by Securus, a company that provides and monitors telecommunications service in correctional facilities, to access the location information of the wireless carriers' customers without their consent between 2014 and 2017.

The case ultimately revealed that the four telecom providers had programs in place at the time that were selling customer-location data to two data-aggregation firms, who then resold access to this data to other entities.

"This action demonstrated the carriers offloading obligations to obtain customer consent onto downstream recipients of location information," which in many instances meant customers did not actually consent to releasing their data, according to an FCC press release (PDF) on the decision. For their part, the carriers say that the data was shared with the third parties in order to enable location-based safety services such as roadside assistance.

"Our communications providers have access to some of the most sensitive information about us," said FCC Chairwoman Jessica Rosenworcel in a statement on the fines. "These carriers failed to protect the information entrusted to them."

This is likely not the end of the fines: The commission also said that it plans to continue to resolve these types of older privacy cases regarding customer data, holding "all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data," she said.

Wireless Cos Push Back on FCC Privacy Fines

All of the carriers confirmed to Dark Reading that they will go to court to appeal the decision, which was based on a provision of the Communications Act of 1934 that requires US wireless carriers to take reasonable steps to safeguard specific customer data, such as location information.

Generally, the companies claim the action by the FCC is based on outdated scenarios at the telecom providers that have since been remedied, and they no longer allow third parties to access sensitive customer location-based data.

Verizon spokesman Rich Young says the order concerns an old program at Verizon that required customers to opt in and was shut down more than five years ago. The program "was intended to support services like roadside assistance and medical alerts," he tells Dark Reading, and Verizon shuttered it when the company discovered it was being used fraudulently.

"Verizon is deeply committed to protecting customer privacy," Young says. "Unfortunately, the  FCC's order gets it wrong on both the facts and the law, and we plan to appeal this decision."

For its part, T-Mobile USA gave Dark Reading a statement to much the same effect: "This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection, and emergency response would not be disrupted. We take our responsibility to keep customer data secure very seriously and have always supported the FCC's commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it."

AT&T too plans to appeal the fines, which apply for a service that was discontinued in 2019.

"The FCC order lacks both legal and factual merit," a spokesperson says. "It unfairly holds us responsible for another company's violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company's failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review."

A spokesman for CTIA, a telecommunications industry trade association representing US carriers and resellers, also criticized the fines, citing a "broken enforcement process" on the part of the FCC that deserves examination by Congress.

"After touting the potential of location-based services to provide benefits like roadside assistance and emergency medical alerts, the FCC refused CTIA's request for guidance on how providers should run those programs, and is now penalizing providers for facilitating them," said CTIA senior vice president and chief communications officer Nick Ludlum, in a media statement.

Carrier Uncertainly: Customer-Privacy Worries Persist

Complaints that the FCC is behind the times may indeed be justified, as the commission is not known for moving quickly on clarifying how telecom and VoIP providers handle customer privacy.

For instance, it took the FCC 16 years to update how telecom and VoIP providers report data-breaches, issuing new rules in February of this year that they must notify customers whenever there's personally identifiable information (PII) involved in a cyber incident. The new rules — which also require carriers and service providers to report breaches to the FCC, the FBI, and the Secret Service within seven days of discovery — were the first since 2007 to be issued by the commission regarding data-breach notifications.

Meanwhile, the issue of customer privacy when it comes to carriers continues to be a worry, and the fines appear to demonstrate a heavy hand by the FCC in holding communications providers accountable when private customer data leaks. Abroad, other privacy troubles concerning how carriers handle customer data also are brewing.

For example, a huge swathe of telecom customers in Namibia recently were faced with losing their phone service if they didn't hand over sensitive biometric data to the country's premier telco, Mobile Telecommunications Ltd. The potential privacy threat occurred after a well-intentioned plan to combat mobile fraud and identity theft went astray.