FCC finally gets round to fining telcos for selling location data

The penalties add up to $196 million, which for telcos of this heft amounts to little more than a rounding error.

It might sting a bit for T-Mobile, which is on the hook for $92 million, $12 million of which is attributable to Sprint – which gives an idea as to how long this saga has been running. AT&T has been fined more than $57 million, while Verizon will have to fork over almost $47 million.

Given these operators were first made aware in March 2020 of the FCC's intention to fine them to the tune of $200 million, it is likely these penalties have long since been priced into their respective financial plans.

In reality then, this development offers very little by way of comfort and recompense for the customers whose privacy was casually violated by MNOs, who sold their location data to third parties – a practice that only ended when it came to light in a Motherboard article way back in January 2019.

The now financially-troubled media outlet revealed that operators were selling this data to location aggregators which then sold it downstream to other companies that weren't subject to much – if any – oversight, and certainly without end users' consent. This data would eventually wend its way into the hands of bounty hunters, car salesmen and the like, by which time the originator of that data – the telco – had no idea who had access to it and for what purpose.

Only after the issue came to light did operators make a concerted effort to cut ties with location-based service (LBS) providers.

"Geolocation data is especially sensitive. It is a reflection of who we are and where we go. In the wrong hands, it can provide those who wish to do us harm the ability to locate us with pinpoint accuracy," said a statement this week from FCC chairwoman Jessica Rosenworcel.

"That is exactly what happened when news reports revealed that the largest wireless carriers in the country were selling our real-time location information to data aggregators, allowing this highly sensitive data to wind up in the hands of bail-bond companies, bounty hunters, and other shady actors," she said. "This ugly practice violates the law – specifically Section 222 of the Communications Act, which protects the privacy of consumer data."

There was no explanation about why it has taken five years since these revelations emerged to investigate and penalise these breaches. The 2020 election, and the time it took to appoint a full complement of FCC commissioners following that election, may well have delayed what was already a long and laborious process.

This development throws into sharp relief the recent publicity received by new US service provider Cape.

The MVNO, which has just raised $61 million in venture capital funding, pitches itself as a 'privacy-first' mobile operator that promises to collect as little personal information as possible about its customers.

It's easy to dismiss services like Cape as being the preserve of paranoid conspiracy theorists. However, the FCC taking five years to give telcos a slap on the wrist for losing control over who has access to their customers' location data is an undeniably good advert for it.

UPDATE - 11:00 1 May 2024 - John Doyle, CEO of Cape, contacted us with the following statement: "Telcos are the original social networks. They connect people, and their business model is premised on monetizing the data they collect in the process. The buyers include third-party aggregators, advertisers, and governments without warrants.

"It’s a cliche to say about social media networks 'if you aren’t paying for the product, then you’re the product,' but it’s absurd to be monetized as a product when you’re paying a significant bill each month to your mobile carrier. At Cape, we reject the premise that you have to forfeit control of your personal data in order to be connected. We are bringing connection without compromise to the market.”