On Friday, February 28, 2020, the Commission released the four Notices of Apparent Liability for Forfeiture and Admonishment (“NALs”) issued against T-Mobile, AT&T, Verizon, and Sprint for selling access to their customers’ location data without reasonable protections against unauthorized access. The Commission proposes fines of more than $91 million for T-Mobile, more than $57 million for AT&T, more than $48 million for Verizon, and more than $12 million for Sprint, totaling over $200 million in proposed fines.
The Commission finds that each carrier apparently violated Section 222 of the Communications Act and the Commission’s regulations governing the privacy of customer information. Each NAL details the allegations of each carriers’ violations, specifically that each carrier apparently disclosed their customers’ location information, without their consent, to a third party who was not authorized to receive it. The Commission’s rules provide that carriers have a duty to protect their customers’ proprietary information and provide specific privacy requirements for customer proprietary network information (“CPNI”), which includes information related to location. Carriers are further required to obtain consent from customers regarding the use, sharing, or disclosure of their CPNI, and to discover and protect against unauthorized access to CPNI.
The NALs outline each of the four carriers’ location-based service models and contracts with companies known as “location information aggregators” (“Aggregators”), who then resold such access to information third-party location-based service providers or in some cases to “sub-aggregators,” or intermediary companies who then re-sold access to such information to location-based service providers. Each Aggregator also had arrangements with numerous location-based service providers. Each carrier apparently sold access to its customers’ location information, directly or indirectly, to over 75 third parties, or an otherwise undisclosed number of third parties, including the Aggregators. The NALs detail each carrier’s actions following the publication of reports of this unauthorized access and use of customer location information, and the subsequent Enforcement Bureau investigation seeking additional information and documents from the carriers. Based on these fact patterns, the Commission concludes that all four carriers willfully and repeatedly violated Section 222 and the accompanying CPNI rules by improperly disclosing customer information without approval and by failing to protect the confidentiality of this information.
In calculating the forfeiture penalties, Section 503(b)(2)(B) of the Commission’s rules authorize a forfeiture of up to $204,892 for each day of a continuing violation, up to a maximum of $2,048,915 for a single act or failure to act. The Commission may also adjust a forfeiture upward for violations that are egregious, intentional, or repeated, or that cause substantial harm or generate a substantial economic gain for the violator. The NALs detail each carrier’s calculated forfeiture based on a number of days of continuing violations, set at a base forfeiture of $40,000 for the first day of the violation with $2,500 for each successive day, as well as the significant upward adjustments above the base forfeiture, ranging from a 25% upward adjustment for AT&T, 50% for Verizon, 75% for T-Mobile, to a 100% upward adjustment for Sprint.
Carriers have 30 days from the release of the NALs to either pay the full amount of the proposed forfeiture or file a written statement seeking reduction or cancellation of the proposed forfeiture.
Please Contact Us if you have any questions.