Skip to content

Data Risk Management

FCC Fines Wireless Carriers $200 million for Sharing Geolocation Data without Consent

Why This Alert Is Important

While the FTC has stepped up its enforcement of privacy regulations, it’s hardly the only regulator doing so. In late April, the Federal Communications Commission announced $200 million in fines against AT&T, Sprint, T-Mobile, and Verizon for illegally sharing customers’ geolocation data without consent.


The FCC began its information into the wireless carriers in 2019, after members of Congress became aware that
data aggregators were able to purchase geolocation data on customers from the wireless carriers then resell it to a
variety of other companies. The FCC statement on the fines characterized some of the purchasers of the data as “bail-bond companies, bounty hunters, and other shady actors.” 

“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said FCC Chairwoman Jessica Rosenworcel. “As we resolve these cases – which were first proposed by the last Administration – the Commission remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data.”

Fines were first proposed in 2020, but the wireless carriers had an opportunity to argue against them before they were imposed. While the FCC’s position was that the four carriers had an obligation to protect the consumer data, the carriers argued that contractual assurances that the downstream recipients of the location data had the obligation to obtain consumer consent was sufficient protection for consumers. However, after becoming aware that these safeguards were not working, the carriers continued to sell access to location information without taking additional measures to protect it from unauthorized use.

What it Covers

Sprint and T-Mobile, which have merged since the investigation began, face fines of more than $12 million and $80 million, respectively. AT&T was fined more than $57 million, and Verizon was fined almost $47 million. The carriers have said that they plan to challenge the fines, citing the other companies’ “violation of our contractual requirements to obtain consent.”

These recent FCC actions will have a significant impact on communications carriers in several areas and should signal more broadly the increasing concern and focus over geolocation data for all sectors. The immediate impact will directly be on the sale of geolocation data to data aggregators. Further, carriers will have to assess their privacy and data governance programs to understand and manage the entire lifecycle of their customers’ geolocation data collection, use and sharing. This will emphasize the importance of the lawful collection of geolocation data, which means robust consent mechanisms, obtaining direct consent rather than relying on third parties to obtain consent, and effective transparency, including privacy notices and ‘just in time’ communication of data gathering and the sale of information to data aggregators.

These fines may also challenge the ‘opt-out’ model significantly in terms of whether carriers will be able to rely on that mechanism given the inherently sensitive nature of geolocation data, called out in the FCC actions, including locations of worship, medical treatment, or protests. There are also program implications for carriers’ responsibility to oversee third parties acting on their behalf, over carriers’ and third parties’ data retention practices, and finally to ensure stringent data protection measures.

Constantine Karbaliotis, Counsel, novation LLP

Data Alert Tip

Organizations must recognize that indirect or obsolete means of acquiring and managing consumer consent will no longer suffice; they must deploy enterprise consent management solutions. Find out what it takes to make sure you’re compliant in our recent infographic.

Ready to Get Started?

Get an Exterro data risk management platform demo today.

Get a Demo