The Federal Communications Commission (FCC) fined telecommunications giants T-Mobile, Sprint, AT&T, and Verizon a total of approximately $196 million for allegedly selling customers’ location data to third parties without consent.

T-Mobile and AT&T immediately responded that they would fight the fines.

The details: The cases for the penalties, pending since 2020, began with an investigation into reports the carriers were disclosing customer location data to a Missouri sheriff through a third-party location-finding service operated by Securus, which specialized in providing communication services to prisons. Securus was tracking specific people using the data provided by the carriers, the FCC said.

The carriers were told their customer location data was being improperly used by Securus but didn’t act to stop it, the FCC said in a press release Monday.

The companies violated the Communications Act by sharing access to customers’ geolocation data without their consent and by not taking reasonable steps to safeguard the data against unauthorized disclosures, the FCC said. Where people have been is considered confidential information; for carriers to use, disclose, or allow access to that information, they must obtain clear, affirmative consent.

Compliance considerations: T-Mobile was assessed the heftiest fine at about $80 million, followed by AT&T at about $57 million and Verizon at about $47 million. Sprint, which became part of T-Mobile after the investigation began, was fined about $12 million.

The penalty totals were calculated based on the length of time and number of alleged violations occurred at each carrier.

Foreign adversaries and cybercriminals have “prioritized getting their hands on this information,” said Loyaan Egal, chief of the FCC Enforcement Bureau and chair of the agency’s Privacy and Data Protection Task Force, in the release.

“Our communications providers have access to some of the most sensitive information about us,” said FCC Chairwoman Jessica Rosenworcel. “These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are.”

Company responses: “This industry-wide, third-party aggregator, location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection, and emergency response would not be disrupted,” T-Mobile said in an emailed statement. “We take our responsibility to keep customer data secure very seriously and have always supported the FCC’s commitment to protecting consumers, but this decision is wrong and the fine is excessive. We intend to challenge it.”

“The FCC order lacks both legal and factual merit,” said an AT&T spokesperson in an emailed statement. “It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review.”

Verizon did not reply to a request for comment.