On February 28, 2020, the Federal Communications Commission (“FCC”) proposed over $200 million in fines against the United States’ four largest wireless carriers—T-Mobile, AT&T, Verizon, and Sprint—for selling access to their customers’ location information without taking “reasonable measures to protect against unauthorized access to that information” in violation of the Telecommunications Act of 1996. The New York Times describes these fines as some of the largest that the FCC has sought in years.
The FCC’s Enforcement Bureau opened an investigation after a May 2018 New York Times article alleged that Missouri Sheriff Cory Hutcheson used a location-finding service operated by Securus, one of the largest providers of communications services to correctional facilities, to access the location information of numerous cellular customers without their authorization or consent from 2014 to 2017. Securus often provided location information to police, including Sheriff Hutcheson, without receiving proper documentation of authorization. The FCC’s investigation revealed that in some cases, Hutcheson had even provided Securus with “irrelevant documents like his health insurance policy, [and] his auto insurance policy” as documentation of his authorization to access wireless customer information.
According to the New York Times, the use of location data is largely unregulated, but the telecommunications industry is subject to more stringent regulations than technology companies are. The FCC has interpreted the Telecommunications Act to require carriers to “take reasonable measures to discover and protect against attempts to gain unauthorized access to [location] data” and to “obtain affirmative, express consent from a customer before using, disclosing, or allowing access to this data.”
Based on the findings of the FCC’s investigation, the FCC has proposed actions formally called Notices of Apparent Liability for Forfeiture and Admonishment (“NALs”). NALs advise involved parties on how they have apparently violated the law and set forth a proposed monetary penalty. The FCC has proposed to impose fines on T-Mobile of more than $91 million; AT&T of more than $57 million; Verizon of more than $48 million; and Sprint of more than $12 million. The sizes of these proposed fines differ based on the number of buyers to whom and the length of time for which each carrier sold access to its customers’ location information without reasonable safeguards.
The allegations and fines are not final. The reprimanded carriers will be given an opportunity to respond and the FCC will consider their evidence and legal arguments before taking further action. T-Mobile has already announced that it will dispute the FCC’s fines. After these arguments, the FCC may change the actions outlined in its NALs but may not increase the fines.
Not everyone is satisfied with the NALs. Privacy advocates at the FCC and on Capitol Hill have directly objected to the fines because they were too late and too small. TechCrunch asserts that $200M divided among several billion-dollar communications organizations amounts to “peanuts” and argues that the FCC did not adequately investigate the impact of the cellular carriers’ actions. Senator Ron Wyden, who raised concerns about the cellular carriers’ data-sharing in a 2018 letter to the FCC, stated that the fines are “comically inadequate” to deter future violations.
Cynthia Ahmed is a 2L at Harvard Law School.