The big four mobile carriers face fines of between $12 million and $91 million each for selling their customers' real-time location data to third-party data brokers without customer consent, Federal Communications Commission Chairman Ajit Pai's office announced today.

These are "proposed" fines, meaning the carriers can dispute them and try to get them reduced or eliminated. The proposed fines are $91 million for T-Mobile, $57 million for AT&T, $48 million for Verizon, and $12 million for Sprint. That's a total of $208 million.

The FCC announcement said the carriers' punishments are for "apparently selling access to their customers' location information without taking reasonable measures to protect against unauthorized access to that information." The FCC said it also "admonished these carriers for apparently disclosing their customers' location information, without their authorization, to a third party."

Pai said that the FCC has taken "strong enforcement action" with today's proposed fines. But the two Democrats on the Republican-majority commission said the fines are too low and criticized the Pai-led FCC for secrecy during the investigation.

"The FCC's investigation is a day late and a dollar short," Democratic Commissioner Jessica Rosenworcel said in a statement. "The FCC kept consumers in the dark for nearly two years after we learned that wireless carriers were selling our location information to shady middlemen."

Commissioner Geoffrey Starks, the FCC's other Democrat, said the FCC's investigation wasn't extensive enough:

I am concerned that the penalties proposed today are not properly proportioned to the consumer harms suffered because we did not conduct an adequate investigation of those harms. The Notices make clear that, after all these months of investigation, the Commission still has no idea how many consumers' data was mishandled by each of the carriers. I recognize that uncovering this data would have required gathering information from the third parties on which the carriers' relied. But we should have done that via subpoenas if necessary.

Fines are tiny portion of revenue

Relative to the carriers' collective revenue, the fines are "a slap on the wrist amounting to less than one one-thousandth of their annual take," consumer-advocacy group Free Press said. Revenue in calendar year 2019 was $181.2 billion for AT&T; $131.9 billion for Verizon; $45 billion for T-Mobile; and $32.5 billion for Sprint.

"The carriers have shown an egregious contempt for the law. The Communications Act plainly lists location data as the kind of private information that carriers have a duty to protect and are forbidden to sell without their customers' permission," Free Press Senior Policy Counsel Gaurav Laroia said. "Yet the companies showed complete disregard for the law and for our safety in pursuit of a few extra dollars."

The $208 million "represents little more than the cost of doing business for these carriers," House Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) said today.

The FCC said the size of each fine was based on how long each carrier sold access to customer-location data without appropriate safeguards and on the number of entities each carrier sold data to.

According to Rosenworcel, the FCC is proposing "a $40,000 fine for the violation of our rules—but only on the first day. For every day after that, it reduces to $2,500 per violation. The FCC heavily discounts the fines the carriers potentially owe under the law and disregards the scope of the problem." Rosenworcel also said each carrier was given a "30-day pass," eliminating 30 days worth of fines.

"This 30-day 'get-out-of-jail-free' card is plucked from thin air," Rosenworcel said.

Location data leaked in 2018

The controversy over location-data sales ramped up in 2018 when a security problem leaked the real-time locations of US cell phone customers on all four major carriers. Verizon, AT&T, T-Mobile, and Sprint in June 2018 pledged to stop selling their mobile customers' location information to third-party data brokers, but carriers continued the sales until several months into 2019.

Starks said today's FCC action "has been too long delayed."

"From the beginning, it has been difficult to get the facts straight," Starks said. "The carriers repeatedly told the public that they were stopping their location-sharing program while hiding behind evasive language and contractual terms. For example, on June 15, 2018, Verizon told Senator Ron Wyden, '[w]e are initiating a process to terminate our existing agreements for the location aggregator program.' But Verizon didn't terminate its aggregator agreements until November 2018, and didn't end all of its location data sharing programs until April 2019."

The FCC said it began its investigation "following public reports that a Missouri Sheriff, Cory Hutcheson, used a 'location-finding service' operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers' customers without their consent between 2014 and 2017."

Carriers violated opt-in consent rule

The Communications Act requires carriers "to protect the confidentiality of certain customer data related to the provision of telecommunications service, including location information," and "take reasonable measures to discover and protect against attempts to gain unauthorized access to this data," the FCC said.

"The rules also require that carriers or those acting on their behalf generally must obtain affirmative, express consent from a customer before using, disclosing, or allowing access to this data," the FCC continued. "And carriers are liable for the actions of those acting on their behalf."

T-Mobile, AT&T, Verizon, and Sprint all "sold access to their customers' location information to 'aggregators,' who then resold access to such information to third-party location-based service providers (like Securus)," the FCC said. "Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers' behalf) would obtain consent from the wireless carrier's customer before accessing that customer's location information."

Hutcheson's access to customer-location information makes it clear that the carriers did not make adequate efforts to safeguard the data, the FCC said. "Yet all four carriers apparently continued to sell access to their customers' location information without putting in place reasonable safeguards to ensure that the dozens of location-based services providers acting on their behalf were actually obtaining consumer consent," the FCC said.

The fines were proposed in Notices of Apparent Liability for Forfeiture and Admonishment. They contain allegations that the carriers will be given an opportunity to respond to. The proposed fines set a ceiling—carriers could end up paying less, but the FCC "may not impose a greater monetary penalty in its final resolution," the announcement said.

The FCC has a poor track record on collecting proposed fines. In March 2019, a Wall Street Journal report found that the FCC had issued $208.4 million in fines against robocallers since 2015, but collected only $6,790 of that amount.