FCC proposes fines for phone companies that shared user location data

U.S. regulators have proposed fining the four major U.S. phone companies more than $200 million combined for improperly disclosing customers’ real-time location to other companies.

The proposed fines by the Federal Communications Commission amounted to $91 million for T-Mobile, $57 million for AT&T, $48 million for Verizon and $12 million for Sprint. The amounts vary based on how long each company sold the user data and how many companies and organizations it sold the data to. The phone companies can object, and the amounts could change.

Critics complained that the FCC took too long to act and that the proposed fines were too low.

“Instead of meeting its obligation to come down hard on the wireless carriers that are guilty in this case, the FCC dragged its feet and issued penalties that let these companies off easy,” said Sen. Edward Markey (D-Mass.).

Lisa Hayes of the advocacy group Center for Democracy and Technology said the FCC’s “weak enforcement response” demonstrates why the U.S. needs a comprehensive privacy law.

Location data makes it possible to identify the whereabouts of nearly any phone in the United States within seconds.

According to published reports, phone companies were selling access to such data to little-known companies such as LocationSmart and Zumigo. These data brokers then sold the information to other “location-based” services, such as prison communications company Securus. The FCC said the phone companies failed to ask customers for consent for what companies like Securus were doing, or make sure that those companies were getting consent from customers.

The FCC action deals with the phone companies’ practice of providing data to third parties with whom users have no direct contact. It is unrelated to users sharing locations directly with apps and other services.

Federal law requires that telecommunications companies protect the confidentiality of some customer data, including location information. The FCC said those companies must try to protect against unauthorized attempts to gain access to those data and that they or those acting on their behalf must get consent from customers before using the information.

The FCC opened its investigation after a 2018 report showed Securus allowing such abuses as letting a sheriff track a judge and others using information that ultimately came from data broker LocationSmart.

Verizon, AT&T, Sprint and T-Mobile pledged to stop providing information on U.S. phone owners’ locations to LocationSmart, Zumigo and other data brokers later that year. But Congress questioned in early 2019 why sharing by some carriers seemed to have continued, as detailed in a Motherboard report about bounty hunters gaining access to the data in January 2019.

AT&T and T-Mobile said then that they would stop selling all location data from mobile phones to brokers by March 2019.

T-Mobile says it took “quick action” after it learned its location data program was being abused and ended the program in February 2019. The company said it plans to dispute the FCC’s conclusions and fines.

The other phone companies didn’t immediately return calls for comment.