FCC probe reveals mobile carriers’ data management practices ‘all over the place’

Inconsistent responses from the 15 largest U.S. mobile carriers — in line with the Federal Communications Commission’s investigation into the use of their users’ location data — indicate a need for regulatory intervention by the agency, according to key public interest advocates.

“These letters show that despite operators’ constant reference to ‘industry standards’ and ‘best practices’, operators’ practices for geolocation data are all over the map. The only ‘industry standard’ seems to be that there is no standard at all for how long carriers keep data, how they protect it, or how difficult they make it for customers to invoke their rights,” Harold Feld, senior vice president of digital rights group Public Knowledge, said in response to the commission’s announcement of the companies’ responses Thursday.

Location information has become a particularly important element in political debates over data privacy following the recent Supreme Court action overturning its landmark decision on abortion. Because states are now free to enforce their own laws on the matter, federal regulators — including the Federal Trade Commission — have been on the lookout for online entities sharing location information that could incriminate or otherwise endanger patients seeking services for abortion.

“Our mobile phones know a lot about us. This means carriers know who we are, who we call and where we are at all times. This information and geolocation data are really sensitive. It’s a record of where we’ve been and who we are. That’s why the FCC is taking steps to ensure that this data is protected,” said FCC Chair Jessica Rosenworsel, announcing the start of a new commission investigation into whether carriers are complying with current FCC rules.

According to the FCC, carriers, which include mobile network operators such as AT&T, T-Mobile and Verizon, as well as mobile virtual network operators such as Best Buy Health, H2O Wireless and Lyca Mobile, are required to follow the commission’s rules on ownership of customer network information that includes the geolocation data in question. Many of the MVNOs have abdicated responsibility for such data, saying they typically do not collect it. But others said user data reports sent to them by interconnected service providers could be shared for marketing purposes if explicit permission was given.

The larger MNOs, some of which The Federal Communications Commission (FCC) has already fined them for their handling of sensitive geolocation datawere generally careful to deny “selling” geolocation data to third parties, although they described contractual mechanisms that are used to protect any data shared with such entities.

“Continued reliance on such watered-down consent mechanisms and ineffective monitoring tools clearly fails the reasonableness requirement,” the FCC said in February 2020 under the Trump administration as it fined T-Mobile, AT&T and Verizon after media reports revealed huge potential data exposures.

At the time, Rosenworcel, who was in the political minority, said the fines — which totaled $200 million for four carriers — should have been much, much higher.

“The FCC is doing some serious bureaucratic math to dismiss violations of our privacy laws,” she wrote in dissent. “The agency is proposing a $40,000 fine for violating our rules, but only on the first day. For each day thereafter, it only imposes a $2,500 fine for the same violation. But it offers no acceptable justification for reducing the fine in this way. Plus, given the facts here – the sheer number of those whose personal data could have been breached – I don’t think that discount is warranted.

But Feld wants the agency to go beyond its ability to enforce current rules and update industry expectations.

“The FCC has a responsibility to ensure that carriers’ privacy practices continue to evolve with technology,” he said. “The FCC said it will continue to investigate whether the carriers’ practices violated any laws. But the FCC can and should do more. Currently, customers must negotiate a confusing maze of carrier practices and notices. The FCC is more than a law enforcement agency; it’s a regulator [and] must establish new traffic rules so that subscribers have the privacy we need and deserve.”