Verizon, AT&T tell courts: FCC can’t punish us for selling user location data

Verizon, AT&T, and T-Mobile are continuing their fight against fines for selling user location data, with two of the big three carriers submitting new court briefs arguing that the Federal Communications Commission can't punish them. A Verizon brief filed on November 4 and an AT&T brief on November 1 contest the legal basis for the FCC fines issued in April 2024. T-Mobile also sued the FCC, but briefs haven't been filed yet in that case. "Verizon's petition for review stems from the multiple and significant errors that the FCC, in purporting to enforce statutory consumer data privacy provisions, made in overstepping its authority," Verizon wrote. "The FCC's Forfeiture Order violated both the Communications Act and the Constitution, while failing to benefit the consumers it purported to protect." Verizon and AT&T both said the fines violate their Seventh Amendment right to a jury trial, and that the location data doesn't fall under the law cited by the FCC. Verizon appealed to the US Court of Appeals for the 2nd Circuit, while AT&T appealed in the 5th Circuit and T-Mobile appealed in the DC Circuit. The fines are $80.1 million for T-Mobile, $57.3 million for AT&T, $46.9 million for Verizon, and $12.2 million for T-Mobile subsidiary Sprint. The penalties relate to the 2018 revelation of real-time location data being shared. The FCC proposed the fines in 2020, when the commission had a Republican majority, and the fines were finalized under the current Democratic majority.

Trump’s likely FCC chair opposed fines

Even though the penalties were first proposed by Republican Ajit Pai in his last year as FCC chair, the FCC's two current Republicans opposed the final fine orders in 2024. Brendan Carr, who is likely to become chair after President-elect Donald Trump takes office, said in his dissent that the FCC has only "limited and circumscribed authority over privacy" and that the matter should be handled by the Federal Trade Commission instead. The FCC said in April that "each carrier sold access to its customers' location information to 'aggregators,' who then resold access to such information to third-party location-based service providers. In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained." The problem came to light with reports of customer location data "being disclosed by the largest American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a 'location-finding service' operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals," the FCC said. Even "after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access," the FCC said. Verizon's court brief defended the company's LBS (location-based service) program, saying it "completed hundreds of millions of successful, express requests from consumers to provide location information to service providers." The program ran for about a decade before being shut down amid the data scandal. Verizon claimed the FCC over-reached in its fine, since the Securus incident happened outside the statute of limitations:

The FCC, however, did not punish Verizon for Securus's or the sheriff's actions—which were the only unauthorized requests for or misuse of customer device information by any service provider participating in Verizon's LBS program. The FCC acknowledged that those actions occurred outside the statute of limitations, so they could not support a forfeiture penalty. And, by the time of the NAL [Notice of Apparent Liability], Verizon had shut down its LBS program nearly one year earlier, eliminating any potential current or going-forward liability. The FCC, therefore, adopted a novel approach to generate an eye-popping penalty amount. The FCC punished Verizon for not terminating every other service provider from the LBS program on a faster timeline.

AT&T's brief similarly chided the FCC for "mak[ing] Securus the centerpiece of its argument" despite the statute of limitations on potential Securus violations having expired.

Supreme Court ruling could hurt FCC case

Both AT&T and Verizon cite the Supreme Court's June 2024 ruling in Securities and Exchange Commission v. Jarkesy, which held that "when the SEC seeks civil penalties against a defendant for securities fraud, the Seventh Amendment entitles the defendant to a jury trial." The Supreme Court ruling, which affirmed a 5th Circuit order, had not been issued yet when the FCC finalized its fines. The FCC disputed the 5th Circuit ruling, saying among other things that Supreme Court precedent made clear that "Congress can assign matters involving public rights to adjudication by an administrative agency 'even if the Seventh Amendment would have required a jury where the adjudication of those rights is assigned to a federal court of law instead.'" Of course, the FCC will have a tougher time disputing the Jarkesy ruling now that the Supreme Court affirmed the 5th Circuit. Verizon pointed out that in the high court's Jarkesy decision, "Justice Sotomayor, in dissent, recognized that Jarkesy was not limited to the SEC, identifying many agencies, including the FCC, whose practice of 'impos[ing] civil penalties in administrative proceedings' would be 'upend[ed].'" Verizon further argued: "As in Jarkesy, the fact that the FCC seeks 'civil penalties... designed to punish' is 'all but dispositive' of Verizon's entitlement to an Article III court and a jury, rather than an agency prosecutor and adjudicator."

Carriers: We didn’t get fair notice

Both carriers said the FCC did not provide "fair notice" that its section 222 authority over customer proprietary network information (CPNI) would apply to the data in question. When it issued the fines, the FCC said carriers had fair notice. "CPNI is defined by statute, in relevant part, to include 'information that relates to... the location... of a telecommunications service,'" the FCC said. The FCC also pointed to a previous statement that "implicit in section 222 is a rebuttable presumption that information that fits the definition of CPNI contained in section 222([h])(1) is in fact CPNI." While the FCC did not comprehensively identify types of CPNI, "including in the case of location information, the Commission emphasized that 'location information in particular can be very sensitive customer information,'" the FCC said. The carriers argue the location data is not CPNI. AT&T claims that "section 222 of the Communications Act does not cover the location information in question because the information was not obtained 'solely by virtue of' AT&T's provision of voice services." AT&T collected the location information to provide both voice and data service, not voice only, the company said. The relevant law says that CPNI is data related to telecommunications service "that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship." The FCC said it is "not persuaded that AT&T's inclusion of multiple services in a bundle—which includes one or more telecommunications services—takes the resulting relationship outside the scope of the 'carrier-customer' relationship for the specific purposes of the CPNI definition."