FCC Fines National Mobile Providers for Sharing Customer Location Information: What Are the Lessons and What to Expect in this New Era of FCC Mobile Data Privacy Oversight
Tuesday, May 7, 2024
Federal Communications Commission Wireless Customer Data Fine
Print Mail Download i

The Federal Communications Commission (FCC) recently issued four orders imposing $196 million in fines against the three largest national mobile services providers in the United States (i.e., AT&T, T-Mobile, and Verizon) and Sprint, who merged with T-Mobile in 2020 (the “Mobile Providers”).[1] The FCC fined them for sharing customer location information with third parties without prior customer consent and then failing to take reasonable measures to protect that information against unauthorized disclosure. Although AT&T, T-Mobile, and Verizon suspended in 2019 the specific programs that gave rise to the fines, the Forfeiture Orders stand as the definitive guidance from the FCC on the treatment of customer location information under Section 222 of the Communications Act and the FCC’s rules regulating access to “customer proprietary network information” or “CPNI.” They also provide a window into upcoming debates and possible additional FCC actions.

BACKGROUND

The controversy dates back to 2018 when the New York Times reported security breaches related to the Mobile Providers’ practice of selling access to customer location information to third-party aggregators. Under this model, mobile providers gave access to customer location information to aggregators, who then resold that information to companies offering location-based services. The New York Times article specifically mentioned that a law enforcement officer in Missouri had obtained access to location information through an aggregator without prior customer consent. Less than a year later, an article published in Motherboard claimed that bounty hunters accessed customer location information through aggregators without customer consent or a warrant.

The Mobile Providers subsequently announced they had terminated their arrangements with the aggregators and were no longer sharing customer location information in that manner. The FCC opened an investigation, which led to the release of Notices of Apparent Liability for Forfeiture and Admonishment in 2020 proposing fines against AT&T, T-Mobile, Verizon, and Sprint for allegedly selling customer location information to third parties without customer consent and without taking reasonable measures to protect against unauthorized access.[2] Below is a summary of the key FCC findings in the 2020 NALs:

  • The Mobile Providers obtained the customer location information at issue as part of their offering of services to the mobile device user. Specifically, the information derived from the registry of pings between individual mobile devices and wireless sites.
  • The arrangements were governed by contractual provisions that vested the Mobile Providers with oversight authority and shifted compliance responsibility to the aggregators and downstream users of the information. Specifically, the Mobile Providers entered into contracts with the aggregators, which then entered into their own contracts with location-based service (“LBS”) providers. The latter used customer location information to offer services ranging from roadside assistance and fraud mitigation to proximity marketing. In some cases, the aggregators sold the information to intermediary entities, who then resold the information to LBS providers, thus creating an additional layer between the Mobile Providers and the downstream LBS providers.
  • The agreements between the Mobile Providers and the aggregators required the latter (or their downstream LBS providers) to notify customers and obtain consent. The agreements also required the aggregators to impose specific security requirements and safeguards on downstream LBS providers.
  • While the Mobile Providers were receiving documentation from the aggregators, the FCC found that they were not verifying that consent had actually been granted for an approved use.

The FCC concluded that the customer location information sold to aggregators under these arrangements was CPNI under Section 222 of the Communications Act. The FCC reasoned that the information “relates” to the location of a telecommunications service because it is derived from the mobile services the Mobile Providers offered, and it was made available to the Mobile Providers because of the carrier-customer relationship embodied in their service agreements.

The FCC then found that the Mobile Providers had violated the requirement to obtain customer “opt-in” approval before disclosing location information to aggregators and LBS providers—and considered each instance of a disclosure a separate violation. With limited exceptions, telecommunications carriers need customer “opt-in” approval before disclosing that customer’s CPNI. The FCC also rejected the Mobile Providers’ argument that they were absolved from liability because their contractual arrangements shifted to aggregators and their downstream LBS providers the duty to provide notice and obtain customer consent.[3]

The FCC separately found that the Mobile Providers had not taken reasonable steps to safeguard the customer location information even after learning that downstream third parties accessed customer location information without consent. The FCC found that relying on unverified third-party assertions (whether from the aggregators or the downstream LBS providers) that they had obtained consent was insufficient. It also found that the measures taken to restrict access to specific pre-approved uses were insufficient, as were the steps taken to ensure that downstream LBS providers complied with the security requirements aggregators were supposed to impose.

THE FORFEITURE ORDERS

In the Forfeiture Orders, the FCC largely adopted the 2020 NALs, although it slightly reduced the fine imposed on Verizon and T-Mobile. In so doing, the FCC rejected the Mobile Providers’ argument that the customer location information was not CPNI. It also rejected the Mobile Providers’ argument that they had not received fair notice that their practices were subject to Section 222 of the Communications Act, noting that the FCC was not required “to comprehensively identify CPNI” before enforcement or conduct a rulemaking to declare “that LBS data, in particular, meets the definition of CPNI under section 222 of the Act or the Commission’s CPNI Rules before enforcing that statute and those rules with respect to such data.”[4] The FCC also emphasized that the measures taken by the Mobile Providers to safeguard customer location information had been unreasonable both before and after the publication of the New York Times article in 2018.

WHY IT MATTERS

The Forfeiture Orders imposed fines for events more than five years ago involving programs that the fined Mobile Providers have long suspended. In other words, they do not address an ongoing practice. Still, they provide valuable insights to anyone contemplating new models for using customer location information derived from wireless networks. They also provide a window into upcoming debates and possible additional FCC actions. Below are some key observations:

First, the Forfeiture Orders stand as the definite formal guidance from the FCC on the treatment of customer location information derived from wireless networks (as opposed to location information derived from applications collecting GPS data) under Section 222 and the CPNI rules. That means that any third-party use or access to this information must comply with the “opt-in” consent and data safeguarding requirements that apply to all CPNI. It also means that the provider collecting that information and sharing it with those parties will be hard-pressed to escape liability (at least before the FCC) for the actions of downstream users of the information. Finally, the Forfeiture Order reinforces principles that the FCC can be expected to apply to the handling of CPNI and proprietary and confidential information in general.

Second, the regulatory underpinnings to the Forfeiture Orders could be reversed in court on appeal—or by the FCC if Republicans reclaim the White House in the 2024 elections. The Mobile Providers have indicated they will challenge the Forfeiture Orders. And Commissioner Brendan Carr, a Republican, is on record stating that the Forfeiture Orders “rest on a newfound definition of [CPNI] that finds no support in the Communications Act or FCC precedent.”[5] The critical statutory interpretation debate will revolve around the definition of CPNI in Section 222(h)(1)(A). Commissioner Carr has endorsed the view that the definition can only apply to information related to “the location . . . of use of a telecommunications service.” He states in his dissenting statement that call location information (i.e., the customer’s location while making or receiving a call) is CPNI, but customer location information obtained when a mobile device merely pings a carrier’s cell site does not require a voice call and could be gathered even if the customer does not have a voice plan.[6] The current majority at the FCC views it differently, holding that the term “of use” only modifies the word “amount” in the definition of CPNI (i.e., “amount of use of a telecommunications service”), thus rendering irrelevant whether the customer location information was derived from actually using a telecommunications service. The majority also held that, in any event, the information could be considered “of use of a telecommunications service” because it is part of the information that devices and wireless networks regularly exchange for customers to send and receive calls.[7] That controversy likely will need to be resolved by the courts.

Third, The Forfeiture Orders are likely only the tip of the iceberg from the FCC on privacy issues and enforcement activity involving mobile services, at least under the leadership of Chairwoman Rosenworcel. When the FCC issued the 2020 NALs, then-Commissioner Rosenworcel filed a dissenting statement maintaining that the enforcement action was “inadequate” and the fines were “too small relative to the law and the population put at risk.”[8] Two years later, and now as Chairwoman, she shared the responses the FCC obtained from 15 mobile providers to a request for information about their data retention and data privacy policies and practices and instructed the FCC’s Enforcement Bureau to “launch a new investigation into mobile carriers’ compliance with FCC rules that require carriers to fully disclose to consumers how they are using and sharing geolocation data.” There will likely be more to come, particularly now that the Chairwoman has established a Privacy and Data Protection Task Force, mobile broadband internet access services have been classified as telecommunications services (thus giving the FCC jurisdiction over them), and location information has been consigned within a broad definition of CPNI.

Fourth, the Forfeiture Orders leave geolocation data from mobile devices subject to two regimes and regulatory agencies depending on the technology used. If the information is obtained from pings between devices and wireless antennas, it is considered CPNI and subject to regulation by the FCC. If it is obtained from GPS in mobile devices (and applications that have access to that information), it is arguably not CPNI, and it would be regulated by the Federal Trade Commission and Section 5(a) of the Federal Trade Commission Act.

Fifth, any future initiatives by mobile providers to share customer location information with third parties will require significantly different procedures and contractual arrangements. After the Forfeiture Orders, mobile providers may be wary of arrangements with third parties that involve access to customer location information. But that information is too valuable—and has many potential uses that benefit consumers—to think that new projects for their use will not be explored. For example, GSMA launched its Open Gateway Initiative in 2023 with an Application Programmable Interface that would confirm if a device is in the proximity of a given location, a tool that can be used for fraud prevention, drone traffic management, and retail marketing, among other uses. As mobile providers and LBS providers consider these scenarios, avoiding running afoul of the CPNI rules may force them to require establishing privity of contract between the mobile provider and the LBS provider, conduct thorough verification of consent forms obtained by LBS providers, use a consent form template approved by the mobile provider, and ensure meticulous recordkeeping. It may also counsel for reduced reliance on aggregators. Losing track of downstream users of customer location information comes with substantial peril. Even when they are known, the lack of contractual privity with these downstream users makes it hard to enforce requirements and safeguards.

[1] See AT&T, Inc., Forfeiture Order, File No. EB-TCD-18-00027704, NAL/Acct. No. 202032170004, FRN 00057193701 (rel. April 29, 2024); Sprint Cop., Forfeiture Order, File No.: EB-TCD-18-00027700, NAL/Acct. No.: 202032170005, FRN: 0003774593 (rel. Apr. 29, 2024); T-Mobile USA, Inc., Forfeiture Order, File No.: EB-TCD-18-00027702, NAL/Acct. No.: 202032170003, FRN: 0006945950 (rel. Apr. 29, 2024); Verizon Communications, Forfeiture Order, File No.: EB-TCD-18-00027698, NAL/Acct. No.: 202032170006, FRN: 000325709 (rel. Apr. 29, 2024) (“Verizon Forfeiture Order”). We refer to these four orders together as the “Forfeiture Orders.”

[2] See AT&T Inc., Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd. 1743 (2020) (proposing a fine of more than $57 million); Sprint Corp., Notice of Apparent Liability for Forfeiture and Admonishment,35 FCC Rcd. 1655 (2020) (proposing a fine of more than $12 million); T-Mobile USA, Inc., Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd. 1785 (2020) (proposing a fine of more than $91 million); Verizon Communications, Notice of Apparent Liability for Forfeiture and Admonishment, 35 FCC Rcd. 1698 (2020) (“Verizon NAL”) (proposing a fine of more than $48 million). We refer to these four documents together as the “2020 NALs.”

[3] See, e.g., Verizon NAL, 35 FCC Rcd. at 1716 (“[A] carrier cannot avoid its statutory obligations by assigning them to a third party.”)

[4] See, e.g.Verizon Forfeiture Order at 15-16 (¶ 38).

[5] See, e.g., id. at 44.

[6] Id.

[7] Id. at 11 (¶ 26).

[8] See, e.g., Verizon NAL, 35 FCC Rcd. at 1736.

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Legal Analysis

More from Squire Patton Boggs (US) LLP

New 10-Year Statute of Limitations for U.S. Sanctions Violations
by: Kevin McCart , Richard J. Gibbon
Arbitration Provider JAMS Creates New Mass Arbitration Procedures
by: Kristin L. Bryan , James Brennan
Pensions Life Hacks − Alternative Options for Defined Benefit (DB) Risk Transfer
by: Victoria Jeacock
Sixth Circuit Grants P.G. Sittenfeld Release from Prison Pending Appeal
by: Trane J. Robinson
New York Requires Paid Lactation Breaks and Prenatal Leave (US)
by: Scott G. Held
Are You Ready for July 1? Florida, Oregon, and Texas on Deck
by: Elizabeth A. Spencer Berthiaume , Alan L. Friel
CMS Finalizes a New Rule to Require Extensive API Implementation and Quicker Turnaround for Prior Authorization Decisions: What Payers Should Know
by: Doug Anderson , Johnathan Abele
Fourth Circuit Holds Firm Against Expansion of Religion-Based Defenses to Discrimination (US)
by: Laura Lawless
Identifying a Single Biomolecule Means Single-molecule Detection Sensitivity
by: Todd A. Ostomel
Singapore Looks to Tighten Corporate Disclosures of Directors’ Personal Data
by: Charmian Aw

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins