The FCC has fined AT&T, Sprint, T-Mobile, and Verizon nearly $200 million combined for failing to protect their voice customers’ data: the carriers sold access to customer location data to “aggregators” without obtaining customer consent. T-Mobile and Sprint, which have merged since the FCC started its investigation into the violations, were fined more than $80 million and $12 million respectively. AT&T was fined over $57 million, and Verizon was fined close to $47 million.
Under federal law and the FCC’s rules, carriers are required to protect the confidentiality of certain customer information, such as location information, which is considered customer proprietary network information (CPNI). Carriers must take reasonable measures to protect CPNI, such as obtaining consumer consent prior to sharing their location information. Customers have a right to “opt-in” before their CPNI is shared with third parties.
In these cases, customers were not given an opportunity to “opt-in” before their location data was disclosed by the carriers. The FCC found the carriers relied on the recipients of the location data to obtain customer consent, which meant in many cases consent was never obtained. The FCC determined that the lack of customer awareness or consent to share CPNI with third parties violated Section 222 of the Communications Act.
The FCC calculated the forfeiture amounts based on factors such as the nature, circumstances, extent, and gravity of the violations; the degree of culpability of the carriers and any history of prior offenses; and the carriers’ ability to pay. The FCC found that the carriers’ ability to pay stemmed from the fact that they are the nation’s largest wireless carriers.
T-Mobile, Verizon, and AT&T say they will challenge the FCC’s decision.
If you have questions related to these fines, or about CPNI in general, contact an attorney in our Broadband, Spectrum, and Communications Infrastructure, or Privacy, Data Protection, and Cybersecurity practice groups.
© 2025 Lerman Senter