The Federal Communications Commission (FCC or Commission) has proposed to impose fines against T-Mobile, AT&T, Verizon, and Sprint for disclosing consumer location data, without consent, and continuing to sell access to that information to third parties, without reasonable safeguards. T-Mobile faces a proposed fine of $91 million, AT&T faces a proposed fine of $57 million, Verizon faces a proposed fine of $48 million, and Sprint faces a proposed fine of $12 million. The amount of the fines is determined by the length of time each carrier sold unauthorized access and the number of entities it sold access to. FCC rules require that carriers obtain affirmative and express consent from customers before disclosing or allowing access to location information and carriers are liable for any actions of those acting on their behalf.
In most cases, the carriers had sold access to the location data to “aggregators” who then resold the information to third-party location-based service providers, who acted on the carriers’ behalf. While the carriers relied on contract-based assurances that the third parties obtained consent from customers, the Commission believes that the carriers did not take reasonable steps to protect against unauthorized access. The Notices of Apparent Liability (NALs) that proposed the above fines are only proposed sanctions as the final Commission action will be determined after the carriers are given the opportunity to provide evidence and make legal arguments to rebut these allegations.