The Federal Communications Commission has approved a proposal to fine T-Mobile, AT&T and two other cellphone carriers more than $200 million for selling customers’ location data to companies that allowed it to be misused by rogue law enforcement officers and others.
The proposed fines, announced Friday, are among the largest the FCC has sought in years, representing a major action by an agency whose chairman has pushed for a lighter touch to industry regulation under President Donald Trump.
It has taken the commission nearly two years since the first complaint about the practice to get to this point. The agency is making the move after repeated public reports about data abuse — and after several companies continued to sell access to troves of personal information for months despite saying they were sharply limiting the practice.
In notices sent to the carriers, the FCC said it would seek more than $91 million from T-Mobile, $57 million from AT&T, $48 million from Verizon and $12 million from Sprint. The agency found the carriers had violated a section of the Telecommunications Act requiring them to protect the confidentiality of customers’ call information. The penalties reflect the length of time the carriers failed to safeguard the data and the number of companies with which they shared it. T-Mobile’s fine is highest in part because it shared with over 80 entities, according to the documents. Sprint, by contrast, shared with fewer than a dozen.
Ajit Pai, the FCC chairman, said the move demonstrated that the agency was serious about privacy. “We took decisive action to protect American consumers, and we are confident in the balance that we struck,” he said at a news conference on Friday.
Three of the five commissioners at the agency, all Republicans, approved the measure. One Democratic commissioner dissented, and another approved partially. Both Democrats objected to the amount of time that passed before the FCC acted, among other things.
“We took nearly two years to even propose a fine,” Jessica Rosenworcel, the dissenting Democratic commissioner, said in an interview. “That’s not acting with urgency, and that’s not understanding the scope of the risk to the public.”
The FCC’s proposal is not the final word on how much the companies will pay. A T-Mobile spokeswoman said the company intended “to dispute the conclusions” of the FCC investigation, including the fine. The other companies, which will also have the chance to contest the findings, did not respond to requests for comment.
The carriers already have argued against the finding that they broke the law, contending that the rules apply only when a phone is making a call, not when it’s communicating with a network for purposes like sending data, according to the documents. Michael O’Rielly, a Republican commissioner, said in a statement that he found the argument persuasive and was approving the measure with “serious reservations.”
The sale of location data has become a hot business as smartphones have proliferated and technology for gleaning their whereabouts has become more precise. The information is valuable to marketers, police departments and even investment firms because it can provide revealing details about people’s daily lives, such as where they live, what shops they frequent and what doctors they visit.
The trade in location data is largely unregulated. The FCC’s action is possible only because the telecommunications industry is subject to more stringent regulations than technology companies are. Firms ranging from small app makers to tech giants like Google collect massive amounts of the data from GPS, Wi-Fi and other signals, without specific laws addressing what they can do with it.
Cellphone carriers aimed to get a chunk of the business through deals with so-called location aggregators, middleman companies that provided the information to other businesses. Cellular network data is often less precise than information from apps, but it covers the vast majority of the population and is almost always available.
To protect privacy, the carriers relied on a system of contracts that required location companies to seek customers’ consent — by responding to a text message, for example, or pressing a button on an app. But the carriers failed to catch multiple companies and people following customers without their permission.
The FCC said it began its investigation immediately after an article in The New York Times showed how the system had led to privacy breaches. The Times in 2018 reported that the data was eventually making its way to law enforcement, including to a former sheriff who used it to track people without a warrant. He gained access by uploading documents he falsely claimed were legal orders — including his car and health insurance policies and work training manuals, according to local news reports of his prosecution.
Securus Technologies, the company that offered the data to law enforcement, is better known for providing telephone services to inmates. Pai, the FCC chairman, represented Securus while working at a law firm in 2011; he also worked as a lawyer for Verizon.
After the Securus episode, the companies said they would sharply limit the practice. But in early 2019, the technology website Motherboard showed that carriers were still selling data, and that it was ending up in the hands of bounty hunters.
Later that year, the companies said in response to questions from an FCC commissioner that they had stopped selling the information.
The FCC said that the initial Times report “exposed serious inadequacies with the safeguards” the companies were using to protect their data. Because the carriers did not address the problem in a timely manner, the agency said, they “failed to take reasonable measures” as required under the law.
Privacy hawks at the agency and on Capitol Hill have objected to the fines, saying they were too late and too small. Despite being an unusually large penalty by FCC standards, the proposed judgment is modest compared with the companies’ revenue, which totaled more than $350 billion last year.
Sen. Ron Wyden, D-Ore., who first raised concerns about the data sharing, said in a statement that the amount was “comically inadequate” to deter future violations.
He added that other technology companies had been willing to accept fines as part of the cost of doing business. “The only way to truly protect Americans’ personal information is to pass strong privacy legislation,” he said.