US carriers fined with $200m for selling location data of users

San Francisco: The US Federal Communications Commission (FCC) has proposed a fine of over $200 million for all major US mobile carriers for selling the location data of customers to some agencies.

The Federal Communications Commission today proposed fines against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information. As a result, T-Mobile faces a proposed fine of more than $91 million, AT&T faces a proposed fine of more than $57 million, Verizon faces a proposed fine of more than $48 million, and Sprint faces a proposed fine of more than $12 million, the FCC said in a statement on Friday.

The Enforcement Bureau of FCC opened this investigation after reports surfaced that a Missouri Sheriff, Cory Hutcheson, used a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between 2014 and 2017.

“American consumers take their wireless phones with them wherever they go. And information about a wireless customer’s location is highly personal and sensitive. The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information. And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t. Today, we do just that,” said FCC Chairman Ajit Pai.

“This FCC will not tolerate phone companies putting Americans’ privacy at risk.”

The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.

The four major US carriers mentioned sold access to their customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers (like Securus).

Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information.