Last week, in a major enforcement action, the FCC proposed $208 million in fines against the nation’s four largest wireless carriers—AT&T, Verizon, T-Mobile, and Sprint—for allegedly selling access to their customers’ location information without taking “reasonable measures” to protect the information against unauthorized disclosure. The FCC argued that such actions violated its rules regarding the protection of customer data known as customer proprietary network information (CPNI).
This enforcement action marks a series of firsts. It is the first CPNI enforcement action since the pre-2016 CPNI regulations were reinstated following the repeal of the broadband privacy rules by Congress in 2017. This is also the first large consumer protection enforcement action under Chairman Pai’s leadership—up to now, Chairman Pai has eschewed the principle-based enforcement of his predecessor in favor of more clear-cut rules violations. The action also generated criticism both for being too soft (and too late) and for potentially being beyond the Commission’s jurisdiction.