date 2025-09-23

It feels like a rare treat these days to be able to share positive updates related to our privacy and cybersecurity work. But we are happy to report that three different courts of appeals have issued favorable decisions this summer supporting strong protections for cell phone location data. Specifically, the courts held that the cell phone carriers (like AT&T, Verizon, and T-Mobile) are legally required to protect the privacy of the location data created when our mobile phones connect to their networks.

This conclusion may seem obvious to our readers here—if carriers have to protect the privacy of your communications data, why wouldn’t they be required to protect location data as well? But the journey to get to this point has been quite a saga, spanning well over five years.

In short:

Congress in the 1996 Telecommunications Act created new legal protections for “Customer Proprietary Network Information” (CPNI) that limited the ability of phone carriers to use and disclose their customers’ information.

The Federal Communications Commission (FCC) has issued and updated regulations defining and scoping legal obligations of carriers regarding CPNI, including location data generated during call origination and completion.

Meanwhile, the scale of mobile location data collection expanded exponentially as software and hardware made it cheaper and easier for carriers to collect precise location data about user devices.

In 2013, the FCC noted that call location data (e.g. location of a device at the time of a dialed or received call) was CPNI, but did not address the broader set of phone subscriber location data.

By 2017, the FCC and T-Mobile (and perhaps other telecommunications carriers as well) were aware that bad actors were acquiring subscriber location information due to inadequate carrier oversight of location-based services programs.

In 2018–19, media outlets raised awareness of the issue; Congress attempted to pressure the FCC to take it seriously.

In 2020, following a multi-year investigation, the FCC issued Notices of Apparent Liability against AT&T, Sprint, T-Mobile, and Verizon for violations of their CPNI privacy obligations in disclosing sensitive data to bad actors.

In 2024, the FCC issued formal Forfeiture Orders against AT&T, Sprint/T-Mobile, and Verizon, for a total sum of nearly $200 million.

Also in 2024, carriers filed challenges against the FCC orders in court.

In 2025, courts largely ruled in favor of subscriber location privacy, mirroring some of the arguments from EPIC’s amicus briefs.

Location data is generated by phone subscribers unavoidably—whether you are actively on a call or not, your device is regularly connecting to nearby cell towers to ensure you have service when a call comes through—and it is extremely sensitive information. As the Supreme Court described in 2012 in United States v. Jones, the sequence of a person’s movements can reveal

whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups—and not just one such fact about a person, but all such facts.

Congress and the FCC Respond (Kinda) to Media Reports about the Market for Consumer Phone Location Data

Beginning in 2018, articles like “Service Meant to Monitor Inmates’ Calls Could Track You, Too” and in 2019 “I Gave a Bounty Hunter $300. Then He Located Our Phone.” caught the attention of Congress. Multiple letters were sent to the FCC demanding answers, which the agency largely dodged.

There are reasons to believe that the FCC and at least one carrier were aware of these issues even earlier, in 2017.

In short: the carriers sold the location information of their subscribers to location aggregators, who then provided the information to other downstream businesses in the location ecosystem. In some instances, the data was used for specific services like roadside assistance applications but, in at least one instance, the subscriber location data was used for illicit tracking by bounty hunters and other bad actors (it was even used to surveil a judge).

The carriers failed to adequately oversee whether these aggregators were only disclosing location information where the phone subscriber had provided consent (to their location information being collected and used); they also failed to oversee whether law enforcement requests for subscriber location data were actually lawful. This inability to distinguish between authorized and unauthorized requests for subscriber location data–meaning unauthorized requests for data were granted–violated Section 222 of the Communications Act and the FCC’s CPNI rules.

In 2020, the agency finally published its Notices of Apparent Liability (NALs), which are a set of proposed fines that the then-four defendant carriers had an opportunity to respond to before the FCC finalized those fines through Forfeiture Orders.

In a blistering partial dissent that is well worth the read (for a peek behind the curtain at how a regulatory agency like the FCC can fall short in its mandate), Commissioner Geoffrey Starks articulated multiple problems with how the FCC handled its investigation. In short, he outlined how:

the investigation took nearly two years (much more time than the agency took to approve the highly complex Sprint/T-Mobile merger during that same time period);

carriers were permitted to hide behind evasive language and unopposed confidentiality assertions;

the investigation only obtained a partial picture of the full harm to consumers;

and relatedly, the investigation did not extend to all bad actors in the ecosystem who, even if they were beyond the regulatory authority of the FCC itself, could have been held to account if the FCC had handed off more useful information to other agencies for further investigation and enforcement.

As noted above, NALs are only proposed fines; the fines do not become final and enforceable until the FCC releases the corresponding Forfeiture Orders.

The agency was not able to issue the Forfeiture Orders for four years while it lacked a majority—it was only after Commissioner Anna Gomez was confirmed as the fifth Commissioner that the FCC issued the Forfeiture Orders. These amounted to hundreds of millions of dollars in fines (tens of millions for each of the now-three companies). The Orders were approved in a 3-2 vote along party lines.

A contributing factor to this four-year delay—from NALs in 2020 to Forfeiture Orders in 2024—was the inability of the Democrat-controlled Senate to confirm President Biden’s initial nomination for FCC Commissioner, Gigi Sohn, following political pushback in the Senate and some especially cruel and unwarranted personal attacks on Sohn. It was not until September 2023 that the FCC had a full roster of five Commissioners with Anna Gomez confirmed.

Carriers Take to the Courts, and Largely Lose

In May 2024, AT&T petitioned the Fifth Circuit for review of the FCC’s Forfeiture Order against it. In June, Verizon did the same in the Second Circuit; likewise Sprint/T-Mobile in the DC Circuit. While there were minor variations in the factual details and legal claims of each of the cases, the arguments of the carriers and their amici curiae supporters largely boiled down to two major points:

1) the consumer location data at issue was not protected under the Communications Act, and so the FCC exceeded its authority when it fined carriers for failing to prevent misuse of that data;

2) the structure of FCC enforcement authority is unconstitutional in light of the Supreme Court’s decision in SEC v. Jarkesy (Jarkesy held that the Securities and Exchange Commission cannot obtain civil penalties without a jury trial). The arguments underlying this second point basically amount to: a defendant company is entitled to a fair trial with a meaningful ability to appeal an agency decision. EPIC did not address this issue in its briefs.

There were other arguments, but they do not merit re-iterating here.

The carriers’ respective failures to safeguard subscriber location data are violations of Section 222 of the Communications Act, specifically the provisions related to CPNI. The statutory definition of CPNI explicitly requires common carriers to protect subscriber location data.

Carriers attempted to argue that the location data at issue in these enforcement actions was not CPNI. They claimed that only active call location data is CPNI—so location data generated while on a call was protected, but location data generated while connecting to a cell tower for service in the absence of an active call was not protected. They also claimed that because carriers provide different, often-bundled, services that allow them to obtain consumer location data, the definition of CPNI cannot include the location data at issue. This second point relates to the current classification distinction between (A) telecommunications and commercial mobile services, which are largely provided by common carriers, and (B) information services (such as texting and mobile data), which are not considered common carriage.

EPIC, joined by the Center for Democracy and Technology, Electronic Frontier Foundation, Privacy Rights Clearinghouse, and Public Knowledge, filed a civil society amicus brief in the DC Circuit and in the Second Circuit to rebut these arguments about the FCC’s privacy authority and the duties Congress created for telecommunications carriers.

Each of our two briefs argued that Congress intended for the FCC to have the authority to regulate carrier-collected subscriber location data as CPNI. The briefs explained how phone-generated location data is uniquely sensitive, pervasive, and non-voluntary, citing to the Supreme Court’s precedents regarding location data in cases like Jones, Riley, and Carpenter. They warned the courts that letting carriers off the hook in this instance would exacerbate already-detrimental perverse financial incentives, thereby putting subscriber mobile location data at further risk. The amicus briefs specifically argued that any location data derived from a phone’s effort to connect to a carrier’s network is protected as CPNI, pointing to technological and factual realities, the plain text of the statute, the legislative history surrounding Section 222, and the FCC’s regulation of CPNI to date.

On April 17, 2025, the Fifth Circuit published its opinion in favor of AT&T on Jarkesy grounds (it later republished its opinion on August 22, removing references to case law abrogated by the Supreme Court in June 2025). On August 15, the DC Circuit unanimously found in favor of the FCC, and on September 10, the Second Circuit did as well.

The three Circuit Courts spoke resoundingly in favor of consumer privacy.

Even the Fifth Circuit, despite finding in favor of AT&T on Jarkesy issues, noted that:

No one denies the Commission’s authority to enforce laws requiring telecommunications companies like AT&T to protect sensitive customer data.

The DC Circuit and Second Circuit said largely the same thing. The DC Circuit held that:

the Commission’s interpretation is the best and most straightforward interpretation of the Communications Act: The location information at issue plainly constitutes CPNI.

The Second Circuit phrased its holding as:

[the] customer data at issue plainly qualifies as customer proprietary network information, triggering the Communication Act’s privacy protections.

Some other highlights from the DC Circuit’s opinion include:

“The fact that Sprint and T-Mobile also provided information service to customers did not “take[] the resulting relationship outside the scope of the ‘carrier-customer’ relationship.” In other words, the Carriers did not stop being carriers because they were also information-service providers.” (internal citations omitted)

“The Carriers also lacked any mechanism for distinguishing between authorized and unauthorized information requests….Although Sprint had implemented some new procedures, the Commission found “little evidence that Sprint actually followed through with these policies in a way that had any meaningful impact.” On appeal, Sprint offers no reason to doubt that finding…. Indeed, the Carriers failed to promptly take such measures even after they became aware of serious abuses.” (internal citations omitted)

Some other highlights from the Second Circuit’s opinion include:

[Verizon suggests that] “to generate the location information that Verizon sold through its location-based services program, the company had to “specially ping” a customer’s wireless device, “separately from the normal course network communications” with that device. But nothing about this special pinging takes the device-location information at issue here outside the purview of the statute. Verizon’s program collected the same data, using the same technological infrastructure, as that used to approximate the location of a customer’s device to enable voice services, rendering it “related to” the location of a telecommunications service. Plus, it would be perverse to grant greater statutory privacy protection to device-location data collected only for use by Verizon than to the same data collected for disclosure to third parties.” (internal citations omitted)

“The core problem with Verizon’s argument is that it assumes that the scope of the “carrier-customer relationship” in § 222(h)(1)(A) is limited to its common-carrier services. Not so…. Instead, by its terms, it asks whether the carrier obtained the information through “the carrier-customer relationship.” That relationship may encompass multiple services, such as information services. Indeed, where carriers sell voice and data services as part of a bundle, all those services are fairly encompassed within the carrier-customer relationship.” (internal citations omitted)

“…Verizon relied on a chain of contractual arrangements to satisfy its statutory and regulatory obligations, rather than satisfying those obligations directly itself. It insufficiently validated customer consent records and did not have a system in place that could detect a lack of customer consent. And it took few additional measures after the Securus/Hutcheson breach to remedy the shortcomings in its data protection systems.” (internal citations omitted)

While these court opinions are good for protecting consumer privacy, it is important to note that they do not extend to software applications (apps) you may have installed on your phone—merely to the voice service your device receives by connecting to a cell tower.

It is also possible that these cases will be overturned by the Supreme Court.

To the Supreme Court of the United States (SCOTUS)?

The Second and DC Circuits spoke unanimously and unambiguously, saying that device location data “plainly” qualifies as CPNI. Although the Fifth Circuit’s statement about sensitive customer data in AT&T is arguably dicta (i.e. comments in a court’s opinion that fall outside the scope of the reasoning of that opinion), the language the court used makes it hard to pretend that the Fifth Circuit would have ruled otherwise.

While it is still possible that either the FCC or one of the carriers will appeal this case to the Supreme Court, it’s unclear whether SCOTUS would take up the case. The Fifth Circuit did disagree with the Second and DC Circuits on the Jarkesy issue, creating a circuit split, which could provide a basis for the Supreme Court to review. But even though the Court has shown a recent appetite for curtailing the administrative state, it is not clear that this case would be an especially good vehicle for that issue.

Until that happens though, the privacy of subscriber location data is the law of the land—at least in the Second and DC Circuits. As of September 19, 2025, there were no indications that any petitions for cert had yet been filed; parties have 90 days to appeal to SCOTUS, and can request an extension of an additional 60 days.

EPIC’s Takeaways

These three Circuit Court opinions represent a significant reinforcement of consumer location data privacy and data security, confirming that the plain text of Section 222 imposes an explicit duty on carriers to protect subscriber location data. This obligation applies even if a consumer is not actively engaged in a phone call, and regardless of whether a carrier provides a consumer with information services (e.g. texting, data) in addition to telecommunications services. These obligations also apply to misconduct perpetrated by a third party using the carrier’s data, where the telecommunications carrier did not take reasonable measures to prevent that misconduct.

Not only do these court rulings sustain the deterrent impact of these specific (and long-overdue) FCC enforcement actions, but going forward these court holdings also force carriers to more seriously consider investing in adequate oversight of the data privacy and data security practices of the entities with whom they share subscriber location data, or any other data that qualifies as CPNI.

It remains to be seen to what extent these holdings may impact law enforcement contexts, as Section 222 permits carriers to share CPNI “as required by law.” Additionally, with policymakers and judges increasingly coming to understand that “notice and choice” (e.g. a privacy policy no one reads) does not constitute meaningful consent, Section 222’s “approval of the customer” provision may also become a more hotly litigated issue.