FCC proposes big fines for AT&T, Sprint, T-Mobile, Verizon over privacy violations

(CNN) — The Federal Communications Commission wants America’s biggest wireless carriers to pay tens of millions of dollars to resolve accusations the companies failed to protect the privacy of US cellphone users.

The proposed fines for AT&T, Sprint, T-Mobile and Verizon follow years of reports that the companies improperly shared customers’ real-time geolocation information to third parties, including prison officials. (AT&T owns WarnerMedia, CNN’s parent company.)

During a press conference Friday, FCC Chairman Ajit Pai said the total potential penalties would add up to more than $200 million.

“The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information,” Pai said in an accompanying release. “And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t. Today, we do just that.”

Under the proposed fines, Pai said, T-Mobile could pay more than $91 million; AT&T more than $57 million; Verizon more than $48 million; and Sprint more than $12 million.

Multiple investigations, including by major media outlets, have found that wireless companies once sold real-time geolocation information to middlemen known as “location aggregators,” who would then make that data available to third parties.

In 2018, a probe by Sen. Ron Wyden found that this information had found its way to Securus, a provider of prison phone services. In the hands of prison officials, the data could be abused to spy on virtually all Americans. Following Wyden’s report, all four of the nation’s major wireless carriers quickly promised to terminate their contracts with the carrier aggregators that were involved.

But last year, Vice reported that location information was still being shared through other outlets, and ending up with bounty hunters. Soon, the carriers announced they would suspend all location aggregation contracts, not just those with the problematic companies Wyden identified.

The FCC later launched an investigation into the matter, culminating in Friday’s proposed fines. Under the FCC’s rules, the commission may seek fines from violators for each day that a violation continues.

But on Friday, critics within the FCC accused Pai of failing to swiftly bring its probe to a close — and for letting the carriers off with little more than a slap on the wrist.

In this case, the FCC starts by seeking a base fine of $40,000 per day, said Jessica Rosenworcel, a Democratic commissioner. But the FCC proposal sharply reduces the liability for each carrier after the first day — to a daily fine of $2,500, she said. And the number of days for which the carriers may be held liable has been arbitrarily reduced, as well.

“Our real-time location information is some of the most sensitive data there is about us,” said Rosenworcel in a statement, “and it deserves the highest level of privacy protection. It did not get that here—not from our nationwide wireless carriers and not from the Federal Communications Commission.”

Meanwhile, the FCC’s other Democrat, Geoffrey Starks, said as part of its investigation the agency should also have subpoenaed the location aggregators that obtained the data from the carriers in the first place.

“That information would have enriched our investigation,” he said, adding that it could have been shared with other law enforcement agencies with jurisdiction over the location aggregators.

In a statement on Thursday responding to press reports anticipating the FCC’s announcement, Wyden called Pai’s proposal weak.

“He only investigated after public pressure mounted,” Wyden said. “And now his response is a set of comically inadequate fines that won’t stop phone companies from abusing Americans’ privacy the next time they can make a quick buck.”

Verizon didn’t immediately respond to a request for comment. AT&T said it would decline comment until the company has had a chance to review the FCC’s allegations.

Sprint said it was reviewing the FCC’s accusations, and that it is committed to protecting consumer privacy.

T-Mobile said it would fight the FCC.

“When we learned that our location aggregator program was being abused by bad actor third parties, we took quick action. We were the first wireless provider to commit to ending the program and terminated it in February 2019,” it said. “While we strongly support the FCC’s commitment to consumer protection, we fully intend to dispute the conclusions of this [notice of apparent liability] and the associated fine.”