T-Mobile, Verizon, and AT&T fined heavily for selling access to real-time customer location data

The Federal Communications Commission today  fined  T-Mobile, AT&T, Verizon, and Sprint for sharing customer location information with third parties without their consent. 

As CNN  reports, the fine was first proposed in 2020 by the FCC due to the failure of America's biggest wireless carriers to protect the privacy of their users. It was found that the companies were sharing real-time location data with middlemen known as aggregators who then sold it to third-party location-based service providers.

Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are." - FCC Chairwoman Jessica Rosenworcel.

A 2018 probe by Sen. Ron Wyden revealed that the information ended up in the hands of Securus, a company that provides communication services to prisons. It was feared that prison officials could use the data to spy on everyone in the country. Following the report, the carriers promised to part ways with the aggregators that were involved but it was later found that they were still using other avenues to share location information. The carriers later promised to terminate all location aggregation contracts but it took them a year, or even more in some cases, to suspend the contracts.

No one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card. I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk." - Ron Wyden

The FCC has today finalized the fine it proposed in 2020. Sprint and T-Mobile have been fined more than $12 million and $80 million, respectively, AT&T will have to pay more than $57 million, and AT&T has been fined nearly $47 million.

The agency notes that the telecom companies "failed to protect the information entrusted to them." It says that by selling access to customer location information, the four carriers offloaded their obligation to obtain consent to other companies. The carriers continued selling access to location information even after learning that "their safeguards were ineffective" and took no reasonable step to protect it from unauthorized access.

The American law requires carriers to take reasonable measures to safeguard certain customer information, including location data and they are also required to obtain consent before sharing this information with anyone.

Chief of the FCC Enforcement Bureau and Chair of its Privacy and Data Protection Task Force Loyaan A. Egal says that when this data is placed in the wrong hands, it puts everyone at risk. 

All of the carriers will appeal this decision.