New US Privacy Law May Give Telecoms Free Pass on $200 Million Fines

The American Data Privacy and Protection Act (ADPPA), a new federal privacy bill that has actually a chance of becoming law, is designed to introduce new privacy protections for Americans. But it may also have the side effect of wiping out $200 million worth of fines proposed against some of the country’s biggest telecommunications companies as part of a major location-data selling scandal in which the firms sold customer data that ended up in the hands of bounty hunters and other parties.

The issue centers around the ADPPA’s shift of enforcement for privacy related matters from the Federal Communications Commission (FCC), which proposed the fines, to the Federal Trade Commission (FTC). The news highlights the complex push and pulls when developing privacy legislation, and some of the pitfalls along the way.

“Congress’s ‘grand’ privacy bargain not only apparently lets the nation’s largest mobile carriers skip hundreds of millions in FCC fines for their egregious, illegal sharing of sensitive data on Americans; it completely strips the expert agency on telecom privacy of any power to protect our rights to our location data. That’s dangerous,” Ryan Singel, open internet fellow at Stanford’s Center for Internet and Society, told Motherboard.

Sara Collins, senior policy counsel at Public Knowledge, a group that works at the intersection of telecommunications, internet, and copyright law, added that “as the legislation is currently drafted, there is a risk of non-enforcement against the wireless carriers for selling location data to bounty hunters. We are hopeful that a change can be easily made to the legislation to ensure that any ongoing enforcement actions would be allowed to continue to completion.”

The FCC proposed the $200 million fines in February 2020. The fines came after Motherboard revealed that the carriers sold phone location data to a complex supply chain of companies which then provided it to hundreds of bounty hunters and other third parties, including someone that allowed Motherboard to track a phone for just $300. The fines also came after The New York Times and the office of Sen. Ron Wyden found that the carriers sold location data in a similar method to a company called Securus, which allowed law enforcement officials to track the location of phones without a warrant. A former sheriff abused the tool to spy on judges and other officials. 

Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content about our biggest stories.

The offending telecoms—AT&T, T-Mobile, Sprint, Verizon—said they stopped the sale of location data at varying points in time in response to the investigations. The FCC then found that the carriers broke the law by selling such data. 

“Now that the Supreme Court obliterated the right to an abortion and police are using online data to prosecute women for their healthcare decisions, the FCC’s broad and well-established authority to enforce and create new privacy protections for our location data and communications is crucial,” Singel added.

FCC Press Secretary Paloma Perez told Motherboard in an emailed statement that “​​our real-time location information is some of the most sensitive data there is about us, and it deserves the highest level of privacy protection. That is why the FCC has proposed more than $200 million in fines against the nation's largest wireless carriers for selling their customers' location data. Through our continued oversight we have ensured that these carriers are no longer monetizing their consumers' real-time location in this way, and we are continuing our investigation into these practices and expect to reach a conclusion very soon.”

In July FCC Chairwoman Jessica Rosenworcel sent letters to a host of U.S. telecommunications, tech, and retail companies to ask about their use of location data.

Verizon and T-Mobile (which now owns Sprint) did not respond to a request for comment. AT&T acknowledged the request for comment but did not provide a response in time for publication.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.