The Federal Communications Commission is set to propose about $200 million in fines against four major cellphone carriers for selling customers’ real-time location data, according to three people briefed on the discussions.
The penalties would be some of the largest the agency has imposed in decades and represent the first action it has taken on the issue, though privacy advocates and critics in Congress say even that response is inadequate. The amount is not final, and the companies — AT&T, Sprint, T-Mobile and Verizon — will have the opportunity to respond and argue against the fines.
The trade in location data has emerged as a sensitive privacy issue because it affects hundreds of millions of people and can reveal intimate details about their lives, including personal relationships and visits to doctors. “It puts the safety and privacy of every American with a wireless phone at risk,” Jessica Rosenworcel, a Democratic commissioner at the FCC, said in a statement last month about the agency’s investigation.
Sale of the data is widespread among app makers and other technology companies, but the telecommunications sector is subject to more stringent laws protecting customers’ confidentiality.
Ajit Pai, the FCC chairman, said in a letter to the House Commerce Committee last month that the agency’s investigators had concluded that “one or more wireless carriers apparently violated federal law,” but it was unclear at that time what penalty the FCC would suggest.
The FCC, scheduled to have a public meeting Friday, has not yet made the proposal official but has the necessary votes, said the three people, who spoke on the condition of anonymity because they were not authorized to discuss the matter publicly.
Agency officials declined to comment until the final vote was announced. The Wall Street Journal reported earlier that the FCC would be seeking fines in the case.
The investigation began after articles in The New York Times and elsewhere showed how carriers’ deals with companies called location aggregators posed privacy risks. The Times in 2018 reported that the data was eventually making its way to law enforcement, including to an official who was charged with using it to track people without a warrant.
Location data from cellphone carriers proved valuable because it was consistently available and included almost every American with a mobile phone. Carriers sold access to it for marketing purposes and services like bank fraud protection, under contracts that required location companies to get customers’ consent, for example by responding to a text message or pressing a button on an app.
But the companies did not always obey those contracts and the carriers had little way of enforcing them, allowing troves of personal information to be used in ways consumers had never intended. The FCC found that the cellphone companies had broken federal law by being negligent with the data.
After the 2018 article and questions from lawmakers, the companies pledged publicly to limit sales of the data, saying they would wind down their existing contracts with location aggregators. But a report in 2019 showed that it was available to bounty hunters and others.
Later that year, the companies said in response to questions from an FCC commissioner that they had stopped the practice.
The continued sale of data was the impetus behind the penalties, which amount to tens of millions of dollars for each carrier, people familiar with the matter said. The FCC is fining companies depending on the number of days they allowed the data access to continue.
“I am committed to ensuring that all entities subject to our jurisdiction comply” with the law and the FCC’s rules, Pai said in his letter to lawmakers.
But the time between the initial 2018 report and the proposed penalties, and the expected size of the fines, has raised the ire of privacy hawks. One Democratic commissioner, Geoffrey Starks, wrote an opinion piece in The Times last year complaining that “nearly a year after the news first broke, the commission has yet to issue an enforcement action or fine those responsible.”
Sen. Ron Wyden, D-Ore., who first raised concerns about the data sharing and has repeatedly pressured the companies and the FCC over the issue, said in a statement Thursday that the chairman “only investigated after public pressure mounted.” He said the fines were “comically inadequate” to deter future privacy violations.