FCC fines carriers $200 million for illegally sharing user location

​The Federal Communications Commission (FCC) has fined the largest U.S. wireless carriers almost $200 million for sharing their customers' real-time location data without their consent.

FCC's forfeiture orders finalize Notices of Apparent Liability (NAL) issued against AT&T, Sprint, T-Mobile, and Verizon in February 2020.

The fines imposed on Monday include $12 million for Sprint and $80 million for T-Mobile (the two carriers have merged since the investigation began), more than $57 million for AT&T, and an almost $47 million fine for Verizon.

An investigation was launched after reports that the largest American wireless carriers disclosed customers' location information to a Missouri Sheriff through Securus' "location-finding service" without consent or legal authorization. 

Despite being informed of the unauthorized access, all four carriers continued to operate their programs without reasonable safeguards to ensure that location-based service providers with access to customers' location information obtained consent.

During the investigation, the FCC's Enforcement Bureau found that each of the four mobile carriers sold their customers' real-time location data to "aggregators," who then resold this information to third-party location-based service providers, revealing where the customers were going and who they were.

"In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained," the FCC said.

"This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access."

However, according to section 222 of the Communications Act, U.S. wireless carriers must take reasonable steps to safeguard specific customer data, such as location information.

They are also required to keep this customer information confidential and seek the customer's consent before using, revealing, or providing access to it.

"When placed in the wrong hands or used for nefarious purposes, it puts all of us at risk," said Loyaan A. Egal, the head of FCC's Enforcement Bureau.

"Foreign adversaries and cybercriminals have prioritized getting their hands on this information, and that is why ensuring service providers have reasonable protections in place to safeguard customer location data and valid consent for its use is of the highest priority for the Enforcement Bureau."