On April 29, 2024, the Federal Communications Commission (FCC) announced that it had fined AT&T, Inc., Verizon Communications, Sprint Corporation, and T-Mobile USA, Inc. (collectively the telecommunications companies) around $200 million for sharing customer location data in violation of the Communications Act of 1934.

Background to the decisions

The FCC highlighted that pursuant to §222(a) of the Communications Act, telecommunications carriers are required to protect the confidentiality of proprietary information of customers. §222(c) of the Communications Act establishes privacy requirements for 'customer proprietary network information' (CPNI), such as information including the location of use of a telecommunications service subscribed to by any customer of a telecommunications carrier.

Findings of the FCC

The FCC outlined that the telecommunications companies ran location-based services (LBS) until 2019, whereby customer location information was sold to companies known as 'location information aggregators,' who then resold access to such information to third-party LBS providers.

In the case of AT&T, the FCC clarified that the contractual provisions between the telecommunications companies and LBS providers meant that it was the LBS providers who were obligated to provide notice and obtain consent from consumers. In the case of Verizon, the FCC noted that while Verizon did not have contracts with LBS providers, each provider was required to submit an application that described, among other things, the 'use case' or purposes for which it would use location information, alongside the process for providing notice and obtaining opt-in consent from a Verizon customer.

Accordingly, the FCC determined that the telecommunications companies violated §222 of the Communications Act by failing to take reasonable measures to discover and protect against attempts to gain unauthorized access to their customers' location information. Notably, the FCC recognized that while companies cannot prevent all data breaches, carriers are required to take reasonable steps to safeguard their customers' CPNI. Further, the FCC held that where an unauthorized disclosure has occurred, as in the current cases, the burden of production shifts to the carrier to offer evidence that it had reasonable measures in place.

Outcomes

In light of the above decisions, the FCC provided that the following proposed fines were imposed:

• AT&T - $57,265,625;
• Verizon - $46,901,250;
• Sprint - $12,240,000; and
• T-Mobile - $80,080,000.

Notably, the FCC detailed that the Verizon and T-Mobile fines were reduced following feedback provided in response to the FCC's original Notice of Apparent Liability for Forfeiture and Admonishment.

You can read the FCC press release here, the AT&T decision here, the Verizon decision here, the Sprint decision here, and the T-Mobile decision here.