Last week, in a major enforcement action, the FCC proposed $208 million in fines against the nation’s four largest wireless carriers—AT&T, Verizon, T-Mobile, and Sprint—for allegedly selling access to their customers’ location information without taking “reasonable measures” to protect the information against unauthorized disclosure. The FCC argued that such actions violated its rules regarding the protection of customer data known as customer proprietary network information (CPNI).
This enforcement action marks a series of firsts. It is the first CPNI enforcement action since the pre-2016 CPNI regulations were reinstated following the repeal of the broadband privacy rules by Congress in 2017. This is also the first large consumer protection enforcement action under Chairman Pai’s leadership—up to now, Chairman Pai has eschewed the principle-based enforcement of his predecessor in favor of more clear-cut rules violations. The action also generated criticism both for being too soft (and too late) and for potentially being beyond the Commission’s jurisdiction.
Section 222 of the Communications Act requires carriers to protect the confidentiality of CPNI, which consists of specific customer data carriers get from consumers simply by providing them telecommunications service—or in statutory terms, “solely by virtue of the carrier-customer relationship.” This includes location information that carriers receive from wireless phones almost constantly so that calls and data can be routed to a customer both when the customer is using the phone and when the phone is in standby mode. Except for certain defined uses, carriers can only use, disclose, or permit access to CPNI with customer approval. But the FCC has also found that approval requirements alone are not enough, so the CPNI rules specify that carriers must employ “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI,” such as when a person pretends to be a particular customer or authorized person to obtain access to CPNI—a practice known as “pretexting.”
The FCC alleges that each of the four carriers failed to take reasonable measures to prevent unauthorized access to location information by third parties that improperly disclosed that information without customer approval. Specifically, each carrier sold access to location information to “aggregators,” who then resold access to third-party location-based service providers, who in turn allegedly sold or provided access to individualized location information to unauthorized parties. Each carrier relied on contracts that obligated aggregators to require third-party location-based service providers to obtain customer consent before accessing a customer’s location information from the aggregators. However, the carriers did not independently verify that consent was actually being obtained. In the FCC’s view, the contracts did not amount to reasonable measures to protect CPNI, and the FCC held the carriers responsible for the failure to obtain customer consent on the basis that the third-party service providers were acting on the carriers’ behalf. The FCC was unconvinced by arguments that the information was primarily for non-common carrier data services, instead of telecommunications services, and that the location information obtained when the phone is on standby mode is materially different than information obtained when a customer is on a call.
Based on these apparent violations, the FCC proposed fines of $57 million for AT&T, $48 million for Verizon, $91 million for T-Mobile, and $12 million for Sprint. The FCC calculated these proposed fines based on four factors:
- First, the FCC determined the number of aggregators and third-party service providers that had access to the information at any given time by looking at the contracts—the more entities that received the information, the greater the proposed fine.
- Second, the FCC relied on a continuing violation theory, concluding that each day the contracts were in place was an additional violation of the CPNI rules. As a result, the size of the fine increased for each successive day a carrier allegedly continued to allow third-party service providers to access customer location information without reasonable safeguards.
- Third, the FCC calculated the continuing violation from June 9, 2018—or 30 days after publication of a New York Times article that first brought the location sharing to light—on the basis that the article’s publication was the first time the carriers were put on notice about the inadequacy of their practices and because a carrier cannot be “expected to fully investigate and take remedial actions on the same day it learns that its safeguards are inadequate.” This approach also marks a departure from prior enforcement actions, which had not included a “cure” period.
- Fourth, the FCC upwardly adjusted the proposed fine by amounts ranging from 25-100 percent to reflect the apparent seriousness of the violations and the remediation efforts undertaken by each carrier.
The FCC’s actions are proposed fines. As the Commission customarily notes, neither the allegations nor the proposed sanctions in the Notices of Apparent Liability are final Commission actions. The parties will be given an opportunity to respond and the Commission will consider the carriers’ responses before taking any final action to resolve the matters.
Despite moving forward on the proposed fines, the FCC Commissioners appear split on the specifics of the enforcement approach. Commissioner O’Rielly expressed serious reservations even as he voted in support of the action, citing a concern that the FCC does not have all the relevant facts and expressing interest in the carriers’ argument that their practices are outside FCC jurisdiction. Conversely, Commissioner Rosenworcel dissented, not because she sides with the carriers, but because she believes the proposed fines should be higher. She particularly expressed disdain for the 30-day curing period and the reduction in the fine proposed for each successive day of continuing violation. Commissioner Starks supported the action overall, but dissented entirely on the forfeiture calculation approach, arguing the FCC should have based the fine on the number of consumers actually harmed and not on the number of contracts the carriers entered into.
Each carrier will have the opportunity to respond to the proposed fines in approximately 30 days. The responses typically are not made public but we will continue to monitor the proceedings for developments and will provide updates as they occur.