By: Andy Regitsky
On July 19, 2022, FCC Chairwoman Jessica Rosenworcel sent a letter to the top 15 mobile providers requesting information about their data retention and data privacy policies and general practices. In the letters of inquiry, she questions their policies regarding geolocation data, such as how long geolocation data is retained and why and what the current safeguards are to protect this sensitive information. In addition, the letters question the carriers about their processes for sharing subscriber geolocation data with law enforcement and other third parties’ data sharing agreements. Finally, the letters ask whether and how consumers are notified when their geolocation information is shared with third parties.
This is not the first time the Commission has investigated the privacy policies of mobile providers. In February 2020, AT&T, T-Mobile and Sprint were fined $200 million for selling real time cell phone customer location data to at least one unauthorized company, and that company resold this information to anyone, including companies not authorized to possess this data.
Specifically, the carriers sold access to their customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers. Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information.
In response to the Commission’s concerns at that time, the mobile providers vowed to eliminate all location aggregation practices. However, the new letters from Rosenworcel suggest the agency is not completely satisfied. She notes that a report by the Federal Trade Commission that studied ISPs with a 98 percent share of the mobile internet market observed that ISPs collect more data than is necessary to provide services and more data than consumers expect. That being the case the wireless providers were asked to respond to the following questions regarding their consumer data retention policies for geolocation data and their policies regarding sharing of that data with third parties. Responses are due on August 3, 2022.
Data Retention
Please describe in detail the geolocation data that your company collects and/or retains current and/or former subscribers. How is that data collected?
Please explain the reasons geolocation data is retained for both current and former subscribers.
How long is geolocation data retained for both current and former subscribers?
Please provide a description of what safeguards you use to protect current and former subscriber geolocation data.
In what country (or countries) is geolocation data stored?
Please share whether and how you disclose your data retention policies to subscribers.
What is your data deletion policy for current or former subscribers, and how do you dispose of subscriber geolocation data?
Do your subscribers have any opportunity to opt-out of your data retention policies and if not, why not?
Data Sharing
Please provide your process and policies for sharing subscriber geolocation data with law enforcement.
Describe the arrangements, agreements, and circumstances in which you share subscriber geolocation data with third parties that are not law enforcement.
Describe in detail the process by which a subscriber may opt out of the sharing of their geolocation data. Under this opt-out process is subscriber data still shared with third parties? Does the opt-out process allow a subscriber to opt out of the sharing of their geolocation data with all third parties that are not law enforcement?
Are subscribers notified of the sharing of their geolocation information with third parties that are not law enforcement? And if so, how are they notified?