The FCC’s Big Fines Over Location Data Aren’t a Privacy Success Story

Is it a win for our privacy when the Federal Communications Commission (FCC) announces it has fined every major wireless carrier in the United States for a total of nearly $200 million for sharing customer location information without consent? The fines make great headlines, but this particular announcement strikes me as more of an indictment of our failed approach to policing corporate privacy violations.

Five years ago, the three major American wireless carriers were caught packaging and selling their customers’ real-time location data to hundreds of third parties. This made detailed location history easily accessible to bounty hunters, stalkers, and curious citizens. Despite insisting these programs were necessary for useful services like emergency roadside and medical assistance, the carriers ultimately announced they would stop selling location insights to third parties. There may be no greater example of data mismanagement and clear privacy harm than this – and for once, there appeared to be a clear regulatory path for redress at the FCC. It has been a half decade since privacy advocates first petitioned the FCC to do something to hold the carriers accountable for their lax privacy practices.

However, the fine isn’t the end of the story. All three carriers have pledged to appeal the fines, which are not terribly large to begin with. As longtime telco watchdog Karl Bode writes for Techdirt, “it’s very likely that after another few years of legal wrangling those penalties are reduced further, if not vacated entirely.” The dissenting statements of FCC Commissioners Nathan Simington and Brendan Carr provide a preview of what arguments we may expect from the carriers, but they also illustrate the continuing policy challenges around protecting location information, the complicated intricacies of telecommunications law, and the cavalier politics that hurt consumers.

The CPNI Question

The major thrust of Commissioner Carr’s dissent is that the FCC’s authority to fine the carriers rests on Section 222 of the Communications Act, which protects the privacy and confidentiality of customer proprietary network information or CPNI. CPNI includes “information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship” and generally cannot be shared without “express prior authorization.”

Commissioner Carr goes through a complicated statutory analysis to conclude that the location information involved here is not the same “call location information” that can be regulated by the FCC. This seems like a contorted reading to help the carriers escape liability on a technicality. I have long assumed any detailed location data that Verizon has about me comes only via my carrier-customer relationship with them, since I have no other reason to give Verizon my location. But assuming my assumption is incorrect, is the issue that the carriers were confused or that they took advantage of a potential gap?

Cobun Zweifel-Keegan of the International Association of Privacy Professionals echoes this line of argument, noting if the entire wireless carrier industry was engaged in “something illegal” that there must be “serious disagreement on the underlying rules” about CPNI. This seems like a maximally legal argument. Wireless carriers, earning billions of dollars each year, staffed with robust legal teams, were just as confused as the hapless startup app developer.

Even if we accept the legal hair-splitting of location data in this fashion, we’re still dealing with detailed and precise historical geolocation data. As Zweifel-Keegan acknowledges, precise location data is sensitive and should only be shared with serious safeguards in place. It is unclear why this needs to be reiterated. This is not a new idea.

The Federal Trade Commission (FTC) has been recommending that “real time location” data be subjected to affirmative express consent prior to collection and for materially inconsistent uses since its 2012 Staff Report. Since then, the FTC has repeatedly emphasized that the agency is particularly concerned about “the extent to which collecting location data can reveal where people live and work, where they worship, where their kids go to school, where they seek medical treatment, and other sensitive information collected without consumers understanding what’s going on behind their backs.”

The FTC of It All

The FTC’s role here is also worth examining – if only because this dispute highlights an underlying political tension. In 2021, the FTC published a detailed report about the privacy practices of US-based internet service providers (ISPs). Among the FTC’s conclusions were that ISPs “gather and use data in ways consumers do not expect and could cause them harm,” and that while many ISPs “purport to offer consumers choices, these choices are often illusory.”

While putting ISPs on blast for their practices around location data, FTC Chair Lina Khan also made clear that the FCC “has the clearest legal authority and expertise to fully oversee internet service providers.” The wireless carriers do not agree. For years, the wireless carriers have sought to shift privacy authority away from the FCC and toward the FTC. At the most recent House Energy & Commerce privacy hearing, the ISP-funded 21st Century Privacy Coalition criticized the FCC for its “lack of expertise” on privacy matters and called for a more consistent-approach centralized in the FTC. (CPNI rules have been on the books since the 1980s, far before the FTC began emphasizing privacy matters.)

Both dissenting FCC commissioners echo their own agency’s lack of privacy experience. Commissioner Carr outright suggests that the FTC would be better positioned to address the carrier's actions. However, challenges to the FTC’s broad authority under Section 5 also seems to invite legal chicanery, and further, the FTC would not be immediately empowered to issue any fines for bad behavior like this. Rather than a fine, however, Commissioner Simington suggests that a better approach would have been to “issue consent decrees to promote best practices to develop further safeguards around location-based and aggregation services.”

This has been the FTC’s long-standing modus operandi, but without relitigating the merits of FTC consent decrees to protect privacy, the idea that the major wireless carriers need only get up to speed on basic best practices around geolocation is patronizing at best and insulting at worst. What the wireless carriers were caught doing in 2019 are privacy advocates’ worst nightmare. Location data in the hands of bounty hunters and domestic abusers is not some hypothetical privacy horrible, and even if the carriers privacy lawyers were confused about the legal status of this information, they certainly were on notice about the privacy risks involved.

Numerous civil society organizations, including the ACLU, Center for Democracy & Technology, Electronic Privacy Information Center, and Public Knowledge, warned about the “significant privacy-related concerns” around commercial location services in a joint filing in 2014. The Electronic Frontier Foundation stated bluntly that location tracking via our mobile devices is the “deepest privacy threat” and “often completely invisible.” We are past the point where companies need only think more deeply about best practices.

The Race to the Bottom

While echoing Commissioner Carr’s arguments, Commissioner Simington goes further into what I feel forced to describe as privacy nihilism. Accepting that CPNI may have been illegally shared, Simington reminds us “that, at every moment, any of thousands of unregulated apps may pull GPS location information, Wi-Fi and Bluetooth signal strength, and other fragments of data indicating location from customer handsets at every moment the device is on. Indeed, this can be, and routinely is, accomplished even without consumer permission.” He is not wrong, but isn’t this an indictment of the entire digital ecosystem?

Even so, many of these unregulated apps and location collection practices have been rightly excoriated by the FTC, and there is a key distinction between the universe of location-collecting flashlight apps and our wireless carriers. It boils down to choice. There is neither a pop-up when I turn on my phone that tells me my location is about to be sent to a wireless carrier nor any sort of usable location setting on my phone to deny location data to my wireless carrier (nor would you want such an option, as carriers require your location to provide you cell phone service). As Chair Khan described the situation, this is another example that highlights “the deficiencies of the ‘notice-and-consent’ framework for privacy, especially in markets where users face highly limited choices among service providers.”

Commissioner Simington does pull back from arguing that just because everyone else is doing something bad that our wireless carriers should be able to. Instead, he argues that the FCC has “effectively choked off one of the only ways that valid and legal users of consent-based location data services had to access location data for which legal safeguards and oversight actually exist.” But if legal safeguards and oversight actually exist, that begs the question of how the location data collected by wireless carriers could end up in the hands of bad actors.

The Lawyers Are Outrunning the Law

What we ultimately have here is what I consider a conservative approach to “notice” and an expansive view of what “consent” permits. This is not only about the fact that average people cannot and do not read privacy policies; this is about the fact that companies hide the ball about what they may do with data but then interpret user permissions broadly to allow such gamesmanship.

A perfect example of this is the recent reporting about cars spying on their drivers. Despite committing to a set of industry best practices that emphasized transparency, General Motors told the New York Times that car owners consented to sharing driving data with insurers by agreeing to a privacy policy that talks about third-party business relationships with satellite radio. It should not take devastating headlines to end these practices.

Instead, imagine if the wireless carriers had emulated the approach to location notifications that has existed since iOS 13 in 2019. Upon setting up your mobile device, your carrier would have to tell you that it needs location information to provide service; that the carrier would share that location information with law enforcement upon request; and that you need to provide consent to have your location information shared with bail bondsmen, car salesmen, and roadside assistance providers. You might think twice – and the carriers may have reconsidered their business plans.

The solution is stronger – and clearer – privacy laws. With respect to the wireless carriers, it is not clear whether the American Privacy Rights Act (APRA) is that law, as it would remove the FCC from having any authority over data privacy matters involving carriers. Telecommunication providers have a long history of being cavalier with their customer’s privacy, and regulating them seems akin to passing along a hot potato.

That said, this episode does highlight the advantage of APRA’s approach to data minimization when it comes to our location data. Companies of all shapes and sizes have simply proven themselves to be incapable of processing location data responsibly. The repeated misuse of location data has proven a boon for discrimination, harassment, and surveillance, and government advisories, consent agreements, and FCC fines have done little to ensure location data will not continue to present a tantalizing business opportunity that puts all our privacy at risk.