The Federal Communications Commission on Friday announced it has proposed fines against the four largest wireless carriers in the United States for allegedly selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.

Among the fines that the FCC has proposed include:

  • $91 million proposed fine against T-Mobile;
  • $57 million proposed fine against AT&T;
  • $48 million proposed fine against Verizon; and
  • $12 million proposed fine against Sprint.

The FCC said the size of the proposed fines differ based on the length of time each carrier allegedly continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.

The FCC’s Enforcement Bureau said it opened the investigation following public reports that a Missouri sheriff used a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between 2014 and 2017.

Under the Communications Act, telecommunications carriers are required to protect the confidentiality of certain customer data related to the provision of telecommunications service, including location information. The FCC’s rules make clear that carriers must take reasonable measures to discover and protect against attempts to gain unauthorized access to this data.

The rules also require that carriers or those acting on their behalf generally must obtain affirmative, express consent from a customer before using, disclosing, or allowing access to this data. Carriers are liable for the actions of those acting on their behalf.

All four carriers—T-Mobile, AT&T, Verizon, and Sprint—sold access to their customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers, like Securus, the FCC said. “Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information,” the FCC said.

The agency added, that, although the carriers had several commonsense options to impose reasonable safeguards—such as verifying consent directly with customers via text message or app—the carriers failed to take the “reasonable steps needed to protect customers from unreasonable risk of unauthorized disclosure,” the FCC said.

The wireless carriers will now be given an opportunity to respond, at which time the FCC will consider the parties’ evidence and legal arguments before taking further action.