Cellphone Carriers Face $200 Million Fine for Not Protecting Location Data

The Federal Communications Commission has approved a proposal to fine T-Mobile, AT&T and two other cellphone carriers more than $200 million for selling customers’ location data to companies that allowed it to be misused by rogue law enforcement officers and others.

The proposed fines, announced on Friday, are among the largest the F.C.C. has sought in years, representing a major action by an agency whose chairman has pushed for a lighter touch to industry regulation under President Trump.

It has taken the commission nearly two years since the first complaint about the practice to get to this point. The agency is making the move after repeated public reports about data abuse — and after several companies continued to sell access to troves of personal information for months despite saying they were sharply limiting the practice.

Ajit Pai, the F.C.C. chairman, said on Friday that the agency would seek more than $91 million from T-Mobile, $57 million from AT&T, $48 million from Verizon and $12 million from Sprint. The agency found the carriers had violated a section of the Telecommunications Act requiring them to protect the confidentiality of their customers’ call information.

“We took decisive action to protect American consumers, and we are confident in the balance that we struck,” he said at a news conference after the agency’s regular open meeting.

Two of the five commissioners at the agency, both Democrats, have objected to the amount of time that passed before the F.C.C. took action, among other things.

“We took nearly two years to even propose a fine,” Jessica Rosenworcel, a Democratic commissioner who voted against the measure, said in an interview. “That’s not acting with urgency, and that’s not understanding the scope of the risk to the public.”

The F.C.C.’s proposal is not the final word on how much the companies will pay. A T-Mobile spokeswoman said the company intended “to dispute the conclusions” of the F.T.C. investigation, including the fine. The other companies, which will also have the chance to contest the findings, did not immediately respond to requests for comment.

The sale of location data has become a hot business as smartphones have proliferated and as technology for gleaning their whereabouts has become more precise. The information is valuable to marketers, law enforcement and even investment firms because it can provide revealing details about people’s daily lives, such as where they live, what shops they frequent and what doctors they visit.

The trade in location data is largely unregulated. The F.C.C.’s action is possible only because the telecommunications industry is subject to more stringent regulations than technology companies are. Firms ranging from small app makers to tech giants like Google collect and use massive amounts of location data gleaned from GPS, Wi-Fi and other signals, without specific laws addressing what they can do with it.

Cellphone carriers aimed to get a chunk of the business through deals with so-called location aggregators, middleman companies that then provided the information to other businesses. Cellular network data is often less precise than information from apps, but it is almost always available and covers the vast majority of the population.

To protect privacy, the carriers relied on a system of contracts that required location companies to seek customers’ consent, for example by responding to a text message or pressing a button on an app. But the carriers failed to catch multiple companies and people who were following customers without their permission.

The F.C.C.’s investigation began after articles in The New York Times and elsewhere showed the privacy risks this system posed. The Times in 2018 reported that the data was eventually making its way to law enforcement, including to an official who was using it to track people without a warrant.

Afterward, the companies said they would sharply limit the practice, but in early 2019 the Motherboard technology website showed that carriers were still selling data, and that it was ending up in the hands of bounty hunters.

Later that year, the companies said in response to questions from an F.C.C. commissioner that they had stopped selling the data.

The F.C.C. is fining companies based on the number of days the practice carried on after the initial reports, according to three people familiar with the agency’s findings, which have not yet been released.

Privacy hawks on the commission and on Capitol Hill have objected to the fines, saying they were too late and too small. Despite being an unusually large penalty by F.C.C. standards, the proposed judgment is modest compared with the companies’ revenue, which totaled more than $350 billion last year.

Senator Ron Wyden, an Oregon Democrat who first raised concerns about the data sharing and has repeatedly questioned the companies and the F.C.C. over the issue, said in a statement on Thursday that the amount was “comically inadequate” to deter future privacy violations.

Source link