FCC Fines Largest Carriers for Misuse of Location Data—Many Years Later

The FCC issued fines yesterday against the country’s four largest mobile carriers for their roles in selling phone subscriber location data in violation of Section 222 of the Communications Act and of Customer Proprietary Network Information (CPNI) rules. EPIC applauds the FCC for taking this action, but notes that the agency needs to strengthen its protection of subscriber location data, especially in the absence of a federal privacy law.

Before the FCC issues a forfeiture order to fine a company, the FCC first issues a notice of apparent liability (NAL). The NALs in this case were issued against mobile carriers more than four years ago, in February 2020—a delay that is likely due in part to the Senate failing to confirm a fifth FCC Commissioner until last year. In 2020, Commissioner Starks described the investigation leading to the NALs as too slow moving, incomplete, and inadequate. He highlighted issues with the FCC’s procedures for handling company confidentiality requests and argued that these shortcomings would make it harder for other agencies (e.g., the FTC) to follow up with enforcement actions against the bad actors who were beyond the FCC’s jurisdiction.

FCC Chairwoman Rosenworcel has signaled that subscriber location data is a priority for the Commission. She issued letters of inquiry to carriers about location data practices in 2022, and at the beginning of 2024 to car companies and carriers again in response to disturbing news stories. During her tenure, Chair Rosenworcel has also created a Privacy and Data Protection Task Force. This Task Force played a role in enacting the FCC’s data breach reporting requirements, which highlight mobile location data in the first paragraph. While these are all valuable steps in the right direction, in the absence of comprehensive federal privacy protections, the FCC needs to pick up the pace; rules with meaningful penalties must be supported by prompt and robust enforcement actions to protect subscribers from misuse of their location data.

“We commend the FCC for finally penalizing wireless carriers for illegally disclosing their customers’ location information, but it should not have taken four years. The FCC needs to strengthen its protection of subscriber location data, particularly in the absence of a federal comprehensive privacy law.”

EPIC regularly advocates for policies that strengthen data security for consumer information, protecting data from unauthorized access and other misuse.