• by Wendy Davis  @wendyndavis, April 29, 2024

A divided Federal Communications Commission on Monday ordered Verizon, AT&T and T-Mobile to pay more than $200 million total for sharing customers' location data.

The order comes more than four years after the Trump-era FCC first proposed the fines by issuing a “notice of apparent liability.”

“The Commission has long recognized the importance of ensuring that information about who we call and where we go is not for sale,” FCC chair Jessica Rosenworcel stated Monday. “By following through with this order, we once again make clear that wireless carriers have a duty to keep our geolocation information private and secure.”

Republican commissioners Brendan Carr and Nathan Simington dissented from the decision to impose fines.

The order requires AT&T to pay around $57 million, Verizon around $47 million, and T-Mobile $92 million (including $12 million for Sprint, which merged with T-Mobile after the FCC first proposed the fines).

The FCC said in a “notice of apparent liability” issued in 2020 that the carriers sold access to geolocation data to aggregators that resold the information to outside companies. That notice came around one year after Vice Media's Motherboard (which stopped publishing new stories in February) detailed how a journalist was able to pay a “bounty hunter” $300 to track a phone's location to a neighborhood in Queens, New York.

The major U.S. carriers have said they no longer sell location data.

Carr, who voted in favor of the notice of apparent liability four years ago, stated Monday that he believes the FCC lacked authority to impose the fines. 

“Given the nature of the services at issue, the Federal Trade Commission, not the FCC, would have been the right entity to take a final enforcement action, to the extent the FTC determined that one was warranted,” he said in a written dissent.

Simington stated in a separate dissent that the FCC could have worked with the carriers “to issue consent decrees to promote best practices to develop further safeguards around location-based and aggregation services.”

AT&T said it expects to appeal after completing a review of the decision, while T-Mobile and Verizon said they plan to appeal.

“In this case, when one bad actor gained unauthorized access to information relating to a very small number of customers, we quickly and proactively cut off the fraudster, shut down the program, and worked to ensure this couldn't happen again,” Verizon spokesperson Rich Young stated.

Young added that the order concerns an old, opt-in program that “was intended to support services like roadside assistance and medical alerts.”

“Unfortunately, the FCC’s order gets it wrong on both the facts and the law, and we plan to appeal this decision,” he added.

T-Mobile also said the decision was “wrong” and the fine “excessive.”

An AT&T spokesperson added that the order "unfairly" holds the company responsible for a third-party's violation of a contractual requirement to obtain consumers' consent to disclose location data.

The order "ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged,” the spokesperson stated.

Separately from this order, the FCC is expected to soon issue new privacy rules for broadband carriers.

Rosenworcel, who last year established a privacy task force at the agency, previously supported regulations that would have required internet service providers to obtain subscribers' permission before harnessing data about their web activity and app usage for ad targeting. (Those rules were later repealed by Congress.)