Verizon, AT&T, and T-Mobile are challenging the Federal Communications Commission (FCC) over substantial fines imposed for allegedly mishandling user location data. The two companies have filed new court briefs, arguing that the FCC exceeded its legal authority and violated their constitutional rights. T-Mobile is also contesting the fines, although it has not yet submitted a legal brief.
The Issue: Selling User Location Data
The legal battle stems from a 2018 revelation that major telecom carriers sold real-time location data to third-party companies, including those providing location-based services. This data was often resold to “aggregators,” which then made it available to various service providers. It was revealed that this data was being shared without customer consent, with reports showing that law enforcement used it, among others, to track individuals. In 2020, the FCC proposed penalties totaling over $196 million, which were finalized in April 2024.
The fines were distributed as follows: $80.1 million for T-Mobile, $57.3 million for AT&T, $46.9 million for Verizon, and $12.2 million for Sprint. Although the penalties were initially proposed during a Republican-led FCC, the current Democratic commission upheld the fines. Some Republican members of the FCC, including Commissioner Brendan Carr, have voiced opposition, arguing that such privacy issues should be regulated by the Federal Trade Commission (FTC) instead.
Verizon and AT&T Argue Overreach by FCC
Both Verizon and AT&T argue that the FCC exceeded its authority. Verizon’s legal filing from November 4 claims the FCC violated the Communications Act and the Constitution, asserting that the agency did not have sufficient legal grounds for the penalties. The company emphasized that the fines do not benefit consumers, which was the FCC’s stated purpose in enforcing them.
Moreover, Verizon and AT&T contend that the fines violate their Seventh Amendment rights to a jury trial. They argue that location data should not fall under the FCC’s jurisdiction, specifically under Section 222 of the Communications Act, which deals with customer proprietary network information (CPNI).
In support of their case, the carriers cite the June 2024 U.S. Supreme Court ruling in Securities and Exchange Commission v. Jarkesy. This decision affirmed that defendants facing civil penalties in regulatory matters have a right to a jury trial. Although this ruling came after the FCC finalized its fines, Verizon argues that it applies to the FCC as well, emphasizing that civil penalties like those imposed by the agency should be handled in federal court.
Location Data Not Considered CPNI, Say Carriers
A core issue in the case is whether the location data in question qualifies as CPNI. The FCC argues that location data is sensitive information, which justifies its regulatory control. The agency’s stance is that CPNI includes data related to telecommunications services, such as location data.
However, Verizon and AT&T disagree, claiming that location data does not meet the CPNI definition. AT&T’s brief argues that Section 222 applies only to data obtained through voice services, but the data in question was gathered through both voice and data services. Verizon also argues that its location-based services (LBS) program, which was operational for nearly a decade before being shut down in 2019, provided location data even to customers who did not use voice services, further distancing the data from CPNI.
FCC Penalized for Incidents Outside the Statute of Limitations
Both Verizon and AT&T argue that the FCC should not have used the Securus incident to justify its penalties, as the actions related to Securus occurred outside the statute of limitations. Verizon claims that the unauthorized data requests involved by Securus and a Missouri sheriff are not within the time frame that the FCC could use to impose fines. Instead, Verizon argues, the penalties are based on the company’s failure to shut down its LBS program quickly enough after learning of the misuse.
AT&T echoes this argument, claiming that the breaches were minimal, with only 0.2% of total LBS requests allegedly violating Securus’ contractual obligations.
Carriers Criticize the FCC’s Strict Liability Approach
Both Verizon and AT&T contend that the FCC imposed a strict liability standard, penalizing them even though they had safeguards in place to prevent unauthorized data access. The carriers argue that the FCC did not provide proper notice of its expectations, and that the agency’s standards for data protection were unclear. Verizon emphasizes that if the FCC thought additional measures were needed, it should have communicated these before issuing fines.