The FCC said T-Mobile, Sprint, AT&T and Verizon sold customers’ location data and outsourced user consent requirements.
The post FCC takes $200 million bite out of wireless carriers for sharing location data appeared first on CyberScoop.
The Federal Communications Commission levied nearly $200 million in fines against four telecommunications giants Monday following an agency investigation that concluded the companies had sold location data of customers without their consent.
The penalties include $80 million in fines for T-Mobile, $57 million for AT&T, $46 million for Verizon and $12 million for Sprint.
Monday’s fines against the carriers come as policymakers in Washington are increasingly grappling with how to rein in the collection and sale of Americans’ sensitive data by so-called data brokers. The telecommunications firms targeted by the FCC are not out and out data brokers, but their access to and decision to sell sensitive data is representative of how sensitive information has become yet another commodity to be bought and sold.
“These carriers failed to protect the information entrusted to them,” FCC Chairwoman Jessica Rosenworcel said in a statement. “Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are.”
The FCC is fining the companies for violating provisions of the Communications Act that require carriers to take “every reasonable precaution” to protect the confidentiality of customer network proprietary information, including location data.
Since 2007, federal regulations have required wireless carriers to get explicit consent of customers to opt-in to such data-sharing arrangements, but an FCC investigation found that in many cases, the four carriers had effectively outsourced that requirement to the companies who bought the data.
All four companies had programs in place until at least 2019 that sold access to the location data of customers to two data aggregators, LocationSmart and Zumigo. Those companies in turn sold that data to dozens of different third-party location-based service providers and other businesses.
Instead of seeking to gain direct consent from customers to opt-in to sharing their location, the carriers effectively outsourced the job to the companies they were selling the data to, passing that obligation down to location-based service providers through their own contracts. The FCC determined that this was insufficient to comply with federal requirements and that “contractual safeguards between a carrier and such a third party do not obviate the need for explicit customer consent.”
Internal audits of the customer data-sharing program by AT&T identified numerous cases where the aggregators who purchased data failed to follow the carrier’s information security requirements, as well as problems with record keeping and “completeness” of subscriber consent practices. The details of three additional audits were not shared with regulators.
Sprint claimed to have a similar auditing program in place to ensure that the aggregators that bought customer location data met security and privacy requirements, but the FCC stated there was no evidence that audits were actually conducted prior to 2018 — the same year a New York Times investigation revealed how a Missouri sheriff used data sold by the carriers to track the location of a judge and state law enforcement officers, spurring a broader inquiry by the FCC.
Requests for comment sent to T-Mobile, Verizon, Sprint and AT&T were not immediately returned.
The post FCC takes $200 million bite out of wireless carriers for sharing location data appeared first on CyberScoop.
Source: CyberScoop
Source Link: https://cyberscoop.com/fcc-fines-wireless-carriers-200-million/