Inconsistent responses from the United States’ top 15 mobile carriers—in accordance with the Federal Communications Commission’s inquiry into the use of their consumers’ location data—show a need for the agency’s regulatory intervention, according to key public interest advocates.
“These letters show that, despite the constant invocation of carriers of ‘industry standards’ and ‘best practices,’ carrier geolocation data practices are all over the map. The only ‘industry standard’ appears to be that there is no standard at all for how long carriers retain data, how they protect it or how hard they make it for their customers to invoke their rights,” Harold Feld, senior vice president for the digital rights group Public Knowledge, said in reaction to the commission’s release of the companies’ responses Thursday.
Location information has become an especially crucial element in policy debates about data privacy since the Supreme Court’s recent action upending its landmark ruling on abortion. With states now free to enforce their own laws on the issue, federal regulators—including the Federal Trade Commission—have been on the lookout for online entities sharing location information that could incriminate or otherwise endanger patients seeking abortion services.
“Our mobile phones know a lot about us. That means carriers know who we are, who we call and where we are at any given moment. This information and geolocation data is really sensitive. It’s a record of where we’ve been and who we are. That’s why the FCC is taking steps to ensure this data is protected,” FCC Chairwoman Jessica Rosenworcel said, announcing the commission’s launch of a new investigation into whether the carriers are complying with the FCC’s current rules.
According to the FCC, the carriers—which include mobile network operators like AT&T, T-Mobile and Verizon, as well as mobile virtual network operators like Best Buy Health, H2O Wireless and Lyca Mobile—are required to follow the commission’s rules for customer proprietary network information, which includes the geolocation data in question. Many of the MVNOs abdicated responsibility for such data, saying they generally don’t collect it. But others said consumer data reports sent to them by interconnecting service providers may be shared for marketing purposes, if explicit permission to do so is granted.
The larger MNOs, some of which the FCC has previously fined over their governance of sensitive geolocation data, were generally careful to deny “selling” geolocation data to third parties, although they described contractual mechanisms that are employed to protect any data shared with such entities.
“Continued reliance on such attenuated consent mechanisms and ineffective monitoring tools apparently did not meet the reasonableness requirement,” the FCC said in February 2020 under the Trump administration while issuing fines to T-Mobile, AT&T and Verizon after media reports revealed massive potential data exposures.
At the time, Rosenworcel, who was in the political minority, said the fines—which totalled $200 million for four carriers—should have been much, much higher.
“The FCC engages in some seriously bureaucratic math to discount the violations of our privacy laws,” she wrote in a dissent. “The agency proposes a $40,000 fine for the violation of our rules—but only on the first day. For every day after that, it imposes only a $2,500 fine for the same violation. But it offers no acceptable justification for reducing the fine in this way. Plus, given the facts here—the sheer volume of those who could have had their privacy violated—I don’t think this discount is warranted.”
But Feld wants the agency to go beyond its ability to enforce the current rules and update expectations for industry.
“The FCC has a responsibility to make sure that carrier privacy protection practices continue to evolve with the technology,” he said. “The FCC has said it will continue to investigate whether carrier practices have broken any laws. But the FCC can and should do more. Right now, customers must negotiate a confusing maze of carrier practices and notifications. The FCC is more than an enforcer; it is a regulator [and] should set new rules of the road so that subscribers have the privacy we need and deserve.”