FCC Slams Wireless Carriers with Massive Fines for Illegal Location Data Sharing

The Federal Communications Commission has levied major fines totaling nearly $200 million against the nation's top wireless carriers for improperly sharing customers' real-time location data without consent.

Verizon, AT&T, T-Mobile and Sprint were all found to have violated federal law by selling access to their customers' location information to data brokers and other third parties without taking reasonable measures to protect the sensitive data or obtain affirmative consent from customers.

The largest fine of $91 million was handed to T-Mobile, which had already merged with Sprint by the time the $12 million Sprint fine was issued. AT&T faces a $57 million penalty, while Verizon was fined $48 million.

"Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them," said FCC Chairwoman Jessica Rosenworcel. "We are talking about some of the most sensitive data in their possession: customers' real-time location information, revealing where they go and who they are."

The FCC investigations found the wireless companies improperly shared customer location data with "location aggregators" who then resold access to third-party location-based service providers, often without valid customer consent being obtained.

Even after becoming aware their safeguards were inadequate, the carriers continued selling access to the sensitive geolocation data, compounding the violations. This put customer data at risk of falling into the wrong hands for nefarious purposes, regulators warned.

"Foreign adversaries and cybercriminals have prioritized getting their hands on this information, and that is why ensuring service providers have reasonable protections...is of the highest priority," said Loyaan Egal, FCC Enforcement Bureau Chief.

The fines conclude investigations sparked by reports that a Missouri sheriff improperly obtained real-time location data from carriers through a prison communications service to track individuals' movements without proper authorization.

While the carriers have 30 days to pay the fines, they can also continue contesting the orders. Some fines were reduced from initial 2020 amounts after the FCC reviewed additional carrier evidence, though the law prevents the penalties from being increased post-investigation.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.