Carriers Apparently Disclosed Their Customers’ Location Information Without Their Consent and Continued to Sell Access to That Information Without Reasonable Safeguards
Will Wiquist, (202) 418-0509
For Immediate Release
WASHINGTON, February 28, 2020—The Federal Communications Commission today proposed fines against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information. As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million. The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.
The FCC’s Enforcement Bureau opened this investigation following public reports that a Missouri Sheriff, Cory Hutcheson, used a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between 2014 and 2017. In some cases, Hutcheson provided Securus with irrelevant documents like his health insurance policy, his auto insurance policy, and pages from Sheriff training manuals as evidence of his authorization to access wireless customer location data.
“American consumers take their wireless phones with them wherever they go. And information about a wireless customer’s location is highly personal and sensitive. The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information. And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t. Today, we do just that,” said FCC Chairman Ajit Pai. “This FCC will not tolerate phone companies putting Americans’ privacy at risk.”
The Communications Act requires telecommunications carriers to protect the confidentiality of certain customer data related to the provision of telecommunications service, including location information. The FCC’s rules make clear that carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to this data. The rules also require that carriers or those acting on their behalf generally must obtain affirmative, express consent from a customer before using, disclosing, or allowing access to this data. And carriers are liable for the actions of those acting on their behalf.
All four carriers mentioned above sold access to their customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers (like Securus). Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information.
Hutcheson’s unauthorized access of hundreds of wireless customers’ location information made clear that the carriers’ existing measures to safeguard this data were inadequate. Yet all four carriers apparently continued to sell access to their customers’ location information without putting in place reasonable safeguards to ensure that the dozens of location-based services providers acting on their behalf were actually obtaining consumer consent. Although the carriers had several commonsense options to impose reasonable safeguards (such as verifying consent directly with customers via text message or app), the carriers apparently failed to take the reasonable steps needed to protect customers from unreasonable risk of unauthorized disclosure. The size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.
The proposed actions, formally called Notices of Apparent Liability for Forfeiture and Admonishment, or NALs, contain allegations that advise the parties on how they have apparently violated the law and set forth a proposed monetary penalty. Neither the allegations nor the proposed sanctions in the NALs are final Commission actions. The parties will be given an opportunity to respond and the Commission will consider the parties’ evidence and legal arguments before taking further action to resolve these matters. The Commission may not impose a greater monetary penalty in its final resolution of whether the parties have violated the law than the amount proposed in the NAL.
Media Relations: (202) 418-0500 / ASL: (844) 432-2275 / TTY: (888) 835-5322 / Twitter: @FCC / www.fcc.gov
This is an unofficial announcement of Commission action. Release of the full text of a Commission order constitutes official action. See MCI v. FCC, 515 F.2d 385 (D.C. Cir. 1974).