Customer proprietary network information
Customer proprietary network information (CPNI) refers to data generated and collected by United States telecommunications carriers through the provision of services to individual customers, including specifics on the quantity, technical configuration, type, destination, location, duration, and amount of telecommunications service usage, as well as billing details and subscribed optional features such as directory assistance or voicemail.[1] Enacted under Section 222 of the Telecommunications Act of 1996, CPNI protections impose a statutory duty on carriers to safeguard this information's confidentiality against unauthorized access or disclosure, distinguishing it from publicly available data like names and addresses while permitting limited internal use for service provision and billing.[2][3] Carriers may use CPNI without customer consent for purposes directly tied to the categories of service from which the data derives—such as local, long-distance, or wireless—but require affirmative opt-in approval for marketing unrelated services or sharing with third parties, with aggregate anonymized data exempt from these restrictions.[4][5] Federal Communications Commission (FCC) rules under 47 CFR Part 64 Subpart U further mandate reasonable data security measures, including breach notifications for inadvertent access to sensitive CPNI elements like geolocation or call records, reflecting ongoing adaptations to cybersecurity risks in telecom networks.[7] Defining characteristics of CPNI regulation emphasize causal linkages between carrier-customer relationships and data generation, prioritizing empirical privacy harms from misuse—such as targeted scams or competitive tracking—over broader surveillance concerns, though enforcement has involved fines for violations like unauthorized disclosures amid evolving digital threats.[1][4] These provisions apply to wireline, wireless, and interconnected VoIP providers, underscoring a framework that balances operational efficiencies 
for carriers with individual control over proprietary usage patterns.[8]
Definition and Scope
Core Elements of CPNI
Customer Proprietary Network Information (CPNI) is statutorily defined in Section 222(h)(1) of the Communications Act of 1934, as amended, as information relating to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by a customer of a telecommunications carrier, as well as the types of services the customer has obtained.[1] This definition encompasses data generated through the carrier-customer relationship, such as call detail records including dialed numbers, call durations, and service usage patterns, but excludes publicly available information like basic subscriber lists (names, addresses, and telephone numbers) unless aggregated with CPNI elements.[1][9] The quantity element refers to the volume of telecommunications service usage, such as the number of calls made or data transferred over a given period.[1] Technical configuration includes details on the setup of the customer's service, like equipment types or network features enabled, such as caller ID blocking or call forwarding.[1] The type of service covers categories like voice, data, or interconnected VoIP, distinguishing between local, long-distance, or wireless offerings.[1][10] Destination pertains to the endpoints of communications, including phone numbers or IP addresses called or messaged.[1] Location data involves geolocation derived from network use, such as cell tower pings for mobile services, though not real-time tracking absent additional consent.[1] Amount of use measures specifics like total minutes, bytes, or sessions, often reflected in billing but protected beyond mere financial records.[1] Finally, types of services obtained aggregates subscribed features, such as voicemail or international calling plans, without including non-network proprietary details like payment history unless tied to usage.[1] Federal Communications Commission (FCC) rules in 47 CFR § 64.2003 incorporate this statutory definition 
verbatim, applying it to carriers' obligations to safeguard such information against unauthorized disclosure.[9] Carriers must derive CPNI solely from their provision of telecommunications services, excluding data from unrelated sources like credit checks.[9] This framework ensures CPNI protection focuses on network-derived insights that reveal customer behavior patterns, distinct from aggregate or anonymized analytics permissible under certain conditions.[10]
Distinctions from Other Customer Data
Customer proprietary network information (CPNI) differs from other customer data collected by telecommunications carriers in its specific emphasis on proprietary details of network service usage, while excluding both the substantive content of communications and subscriber list information (SLI). Under Section 222(h)(1)(A) of the Communications Act of 1934, as amended by the Telecommunications Act of 1996, CPNI is defined as information relating to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by a customer, including data on customer premises equipment configurations made available to the carrier, and billing information tied to such service usage.[1] This excludes the actual content of telephone calls, text messages, or data transmissions, which receives independent safeguards against interception or disclosure under statutes like the Electronic Communications Privacy Act of 1986 and Title III of the Omnibus Crime Control and Safe Streets Act of 1968.[1] A primary distinction lies in the exclusion of SLI, defined in Section 222(h)(3) as any information contained in a directory or obtained in connection with the sale or provision of service, such as a customer's name, address, and telephone number.[1] Unlike CPNI, which carriers must generally protect from unauthorized use or disclosure without customer consent, SLI may be published in telephone directories or disclosed for directory assistance purposes, subject to opt-out rights for non-published listings, as carriers can treat it as presumptively public unless customers request otherwise.[1] This separation ensures that basic identifying details are not conflated with sensitive usage patterns that could reveal behavioral or locational insights, such as calling destinations or service volumes, which form the core of CPNI. 
CPNI also stands apart from non-network-related customer data, such as general account preferences or demographic information not derived from telecommunications service provision, which may fall under broader privacy frameworks like the Gramm-Leach-Bliley Act for financial institutions but lack the telecom-specific confidentiality duties imposed by Section 222(a).[1] For instance, while billing aggregates for non-usage elements (e.g., taxes unrelated to call volumes) might overlap with customer records, only usage-tied billing qualifies as CPNI, highlighting its causal link to network operations rather than mere transactional records. Federal Communications Commission interpretations in rulemaking proceedings, such as those implementing 47 CFR Part 64 Subpart U, reinforce that CPNI's protections apply narrowly to data enabling inference of service habits, distinguishing it from aggregate or anonymized customer metrics used for internal analytics without individual identifiability.[4]
Historical Development
Early FCC Proceedings
The Federal Communications Commission's early efforts to address customer information privacy in telecommunications arose during its Computer Inquiries, which sought to foster competition by separating regulated basic telephone services from unregulated enhanced (data processing) services while preventing carriers from leveraging proprietary data for anticompetitive advantage.[11] In the Second Computer Inquiry (Docket No. 20828), concluded with a Final Decision on August 31, 1980, the FCC imposed structural separation requirements on dominant carriers like AT&T, mandating safeguards to protect confidential customer information obtained through basic services from misuse in enhanced services markets.[11] These safeguards prohibited carriers from using such data—encompassing details on service quantities, destinations, and technical configurations—to discriminate against competitors or cross-subsidize offerings, thereby laying the conceptual groundwork for what later became customer proprietary network information (CPNI).[11] Building on this, the Third Computer Inquiry, initiated in the late 1980s and advanced through phases in the early 1990s, extended similar protections to Bell Operating Companies (BOCs) following the AT&T divestiture.[11] Phase I, adopted June 15, 1989, refined nondiscrimination rules via Comparably Efficient Interconnection (CEI) arrangements, requiring BOCs to provide rivals access to network features without disclosing proprietary customer usage data that could reveal competitive intelligence.[11] Phase II, implemented through Open Network Architecture (ONA) requirements by 1992, explicitly incorporated customer proprietary network information safeguards, allowing customers to request withholding of their data from BOCs' enhanced service affiliates while mandating internal firewalls and audit mechanisms to prevent unauthorized access or sharing.[11] These rules applied primarily to AT&T, BOCs, and GTE, focusing on operational separations to 
ensure confidentiality of call records, billing patterns, and network usage details that carriers acquired solely through service provision.[11] Related proceedings, such as the GTE Open Network Architecture and BOC Customer Premises Equipment (CPE) Relief dockets in the early 1990s, further operationalized these protections by relaxing some structural separations but retaining strict limits on CPNI disclosure to affiliates or third parties without consent, emphasizing verifiable customer opt-outs and carrier accountability for breaches.[11] Collectively, these pre-1996 measures addressed causal risks of data misuse in a monopolistic environment transitioning to competition, prioritizing empirical concerns over carrier self-regulation by requiring documented approvals and periodic reporting, though coverage was limited to major incumbents rather than all providers.[11] This framework influenced congressional codification in Section 222 of the Communications Act, extending duties to a broader class of carriers amid deregulation.[11]
Enactment in the Telecommunications Act of 1996
The Telecommunications Act of 1996, signed into law by President Bill Clinton on February 8, 1996, introduced the framework for protecting customer proprietary network information (CPNI) by amending the Communications Act of 1934 through the addition of Section 222.[2] This provision, enacted as Section 702 of the 1996 Act, established a federal duty for telecommunications carriers to safeguard the confidentiality of customer information, extending prior common carrier obligations to all such entities in a deregulatory environment aimed at promoting competition.[1] Section 222(a) imposed a general requirement on every telecommunications carrier to protect the confidentiality of proprietary information relating to other carriers, services, or customers, marking a shift from fragmented state-level protections to uniform national standards.[12] Under Section 222(c), carriers were permitted to use, disclose, or permit access to CPNI for purposes directly related to providing the subscribed service—such as billing, service quality assurance, or internal fraud prevention—without customer consent, but faced stricter limits on marketing uses.[1] For marketing communications to the same customer base, carriers could access CPNI on an opt-out basis, requiring affirmative notice to customers and a reasonable opportunity to object, while disclosures to third parties or affiliates for non-service purposes generally demanded affirmative consent.[2] The statute defined CPNI narrowly in Section 222(h)(1) as "(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service offered by the carrier," excluding subscriber list information like names and addresses unless linked to usage data.[13] This definition targeted sensitive call-detail records and usage patterns generated by telephone exchange or toll services, reflecting congressional intent to curb potential abuses in an era of emerging 
data-driven marketing amid local exchange competition.[14] The enactment responded to privacy concerns heightened by the Act's broader pro-competitive reforms, which dismantled silos between local, long-distance, and cable services, potentially increasing incentives for carriers to monetize customer data.[15] Unlike pre-1996 practices reliant on judicial interpretations of common carrier duties or voluntary industry codes, Section 222 codified explicit prohibitions on unauthorized disclosures and mandated safeguards against breaches, with exceptions for law enforcement under Section 222(d).[11] Carriers were also required to disclose CPNI to customers or their authorized agents upon written request, promoting transparency while balancing operational needs.[1] These rules applied solely to telecommunications services, not information services, a distinction that later influenced FCC interpretations but originated in the statutory text to prioritize voice telephony privacy.[12] The provision delegated authority to the Federal Communications Commission (FCC) to prescribe implementing regulations, leading to subsequent rulemakings that operationalized the statutory baseline without altering the core enactment.[16]
Legal Framework and Regulations
Section 222 of the Communications Act
Section 222 of the Communications Act, codified at 47 U.S.C. § 222, imposes a general duty on every telecommunications carrier to protect the confidentiality of proprietary information belonging to or relating to other carriers, equipment manufacturers, and customers, extending protections beyond prior requirements that applied only to communications between carriers.[17] This provision, enacted via the Telecommunications Act of 1996 and effective immediately upon the Act's signing on February 8, 1996, aims to balance carrier access to customer data for legitimate operations with restrictions on unauthorized use or disclosure that could enable competitive harms or privacy invasions.[18] The statute defines "customer proprietary network information" (CPNI) as individually identifiable data revealing the quantity, technical configuration, type, destination, location, and amount of use of telecommunications services provided to a specific customer or household, including but not limited to telephone numbers dialed, call duration, and service usage patterns, while excluding subscriber list information and aggregate customer data.[19] Carriers are prohibited from using, disclosing, or permitting access to CPNI without customer approval or as required by law, with "approval" interpreted by the FCC to include opt-out mechanisms for certain internal uses but stricter opt-in for disclosures to third parties.[20] Subsection (c) delineates permitted exceptions to the confidentiality mandate, allowing carriers to use CPNI without prior approval for communications related to the provision of telephone exchange or other services to the customer, such as billing, repairs, or emergency services, and for internal purposes like fraud prevention or network operations.[21] For marketing purposes, carriers may use CPNI to offer additional services from the same carrier or affiliates under an opt-out regime, but disclosures to unaffiliated third parties require affirmative opt-in 
consent, reflecting congressional intent to curb unsolicited marketing while permitting limited commercial reuse.[22] Local exchange carriers face additional restrictions, permitted to use aggregate CPNI for purposes beyond service provision only if it cannot be traced to individual customers, and must obtain opt-in for non-aggregate disclosures.[23] These exceptions underscore a statutory framework prioritizing customer service continuity over broad privacy absolutism, though subsequent FCC interpretations have clarified ambiguities, such as treating wireless carriers equivalently to wireline ones despite technological differences.[7] To enforce these obligations, subsection (d) mandates that carriers implement reasonable safeguards against unauthorized access, use, or disclosure of CPNI, proportionate to the nature of the information and risks involved, with the FCC empowered under subsection (e) to investigate violations, impose forfeitures up to $113,000 per violation (adjusted for inflation as of 2023), and seek injunctive relief.[24] Subsection (g) authorizes the FCC to promulgate implementing regulations, leading to rules in 47 CFR Part 64 Subpart U that operationalize consent processes, data retention limits (e.g., no longer than necessary for business purposes), and breach notification requirements.[25] The provision's scope applies to all telecommunications carriers as defined in Section 153, encompassing wireline, wireless, and interconnected VoIP providers, but excludes internet access services following the FCC's 2017 reclassification of broadband under Title I, which removed Section 222 applicability to those services.[26] Overall, Section 222 establishes CPNI as a protected category distinct from mere account details, requiring carriers to treat it as presumptively confidential unless explicitly excepted, thereby fostering accountability in an era of increasing data collection post-1996 deregulation.[19]
FCC Rulemaking and 47 CFR Part 64 Subpart U
The Federal Communications Commission (FCC) implemented Section 222 of the Communications Act through rulemaking proceedings initiated under CC Docket No. 96-115 following the Telecommunications Act of 1996, adopting the initial rules for customer proprietary network information (CPNI) in the First Report and Order released on February 26, 1998.[27] These rules, codified in 47 CFR Part 64, Subpart U (§§ 64.2001–64.2009), establish a framework requiring telecommunications carriers to protect the confidentiality of CPNI, defined as information about the quantity, technical configuration, specific locations, and types of services a customer obtains from the carrier, excluding publicly available subscriber list information.[9] The subpart's basis and purpose, as stated in § 64.2001, directly enforce the statutory duty under 47 U.S.C. § 222 to safeguard proprietary information acquired through telecommunications services. Subsequent FCC orders refined these rules to address evolving practices and compliance challenges. 
In the Second Report and Order adopted August 15, 2002 (FCC 02-214), the Commission clarified permissible uses of CPNI for marketing by affiliates and joint ventures, requiring opt-out consent for internal sharing while prohibiting disclosure to unaffiliated third parties without affirmative approval, and mandated annual customer notifications detailing opt-out procedures.[28] Further amendments in 2007, via Memorandum Opinion and Order (FCC 07-22, released April 2, 2007), enhanced safeguards against pretexting—fraudulent impersonation to access CPNI—by requiring carriers to authenticate customers before disclosures based on phone or online contacts and to monitor for unauthorized access patterns.[29] These updates responded to documented pretexting incidents, such as the 2006 Hewlett-Packard scandal, emphasizing verifiable identity checks without relying on self-reported data alone.[30] Core provisions in Subpart U delineate strict confidentiality obligations under § 64.2002, permitting CPNI use without approval solely for service provision, billing, operations, fraud prevention, and legal compliance, but mandating customer approval—via opt-in for third-party disclosures or opt-out for intra-company marketing—for other purposes. § 64.2004 requires explicit consent for disclosures, with carriers prohibited from contracting away these protections, while § 64.2005 mandates clear, conspicuous annual notices to customers explaining CPNI rights and access denial methods.[31] § 64.2006 outlines approval mechanisms, including "total service opt-out" where failure to object after notice implies consent for service-related uses but not marketing, and § 64.2007 addresses status changes like mergers, requiring prompt customer notifications. 
Safeguards and enforcement rules in §§ 64.2008–64.2009 compel carriers to maintain auditable systems for tracking CPNI approval status, implement reasonable data security measures, and report breaches or unauthorized uses, with the FCC retaining authority for investigations and penalties up to $130,000 per violation as of adjustments in 2015.[32] These requirements apply to wireline and commercial mobile radio service (CMRS) providers but exclude interconnected VoIP initially, though later proceedings extended similar principles. The rulemaking emphasized empirical evidence from carrier practices and privacy complaints, rejecting broader opt-out defaults for marketing to balance commercial interests against statutory privacy mandates, without deference to industry self-regulation claims lacking verifiable efficacy.[28]
Permitted Uses by Telecommunications Carriers
Service Provision and Internal Operations
Telecommunications carriers may use, disclose, or permit access to customer proprietary network information (CPNI) without customer approval to initiate, render, bill, and collect for telecommunications services.[1] This exception, outlined in Section 222(d)(1) of the Communications Act, encompasses core activities necessary for service delivery, such as routing calls, maintaining network connectivity, and processing usage data in real time to ensure uninterrupted telecommunications functionality.[1] [31] Carriers rely on CPNI derived from these operations—such as the quantity, technical configuration, and type of services provided—to fulfill contractual obligations without triggering consent requirements, as such uses are inherent to the carrier-customer relationship established at subscription.[31] Internal operations permitted under these rules include protecting the carrier's rights or property and safeguarding users from fraudulent, abusive, or unlawful service use, as specified in Section 222(d)(2).[1] This authorizes activities like fraud detection algorithms that analyze calling patterns, anomaly monitoring for network security, and internal audits to prevent unauthorized access or billing disputes, all without prior customer opt-in or opt-out mechanisms.[1] [31] FCC regulations in 47 CFR § 64.2005 further implement these statutory exceptions by allowing CPNI use for inside wiring installation, maintenance, and repair—services integral to sustaining telecommunications infrastructure—thereby extending protections to operational necessities beyond mere billing.[31] These provisions balance privacy safeguards with the practical demands of reliable service provision, ensuring carriers can respond to operational risks without undue regulatory hurdles. 
While marketing uses within subscribed service categories (e.g., local or wireless) require opt-out approval under 47 CFR § 64.2005(a), pure service provision and protective internal functions remain exempt to avoid impeding essential telecommunications infrastructure.[31] For instance, carriers may disclose CPNI to affiliates solely for delivering subscribed services across categories, such as coordinating billing across wireline and commercial mobile radio services (CMRS), provided it aligns with these exceptions.[31] Violations of these boundaries, however, can lead to enforcement, as the rules prohibit leveraging service-derived CPNI for unrelated competitive tracking.[31]
Marketing and Disclosure with Consent
Telecommunications carriers may use customer proprietary network information (CPNI) derived from providing telephone exchange service or commercial mobile service to market telecommunications service offerings within the same service category to the originating customer, subject to opt-out approval mechanisms.[4] This opt-out process requires carriers to provide clear notice to customers of their intent to use CPNI for such marketing, including an opportunity to prohibit or limit the use, typically via a 30-day waiting period after notice before assuming approval unless the customer objects.[33] For example, a carrier providing local exchange service may leverage call detail records to market additional local calling plans to that customer without affirmative consent, provided opt-out notice has been given and no prohibition is received.[31] Disclosure of CPNI to affiliates for marketing purposes follows similar opt-out consent rules, but only for affiliates offering telecommunications products or services within the carrier's corporate family.[34] Carriers must notify customers annually of their rights regarding CPNI use and affiliate sharing, and maintain records verifying compliance with opt-out requests.[33] In contrast, any disclosure of individually identifiable CPNI to non-affiliated third parties for marketing—whether the carrier's own non-telecommunications services or others' offerings—requires affirmative opt-in approval from the customer, such as explicit written or electronic consent.[4] This stricter standard, rooted in Section 222(d) of the Communications Act, aims to prevent unauthorized external commercialization of sensitive network usage data.[1] Consent mechanisms must be separate from billing statements or service terms to avoid bundling, ensuring customers can easily grant or revoke approval without affecting service provision.[35] Revocation of opt-out consent remains available at any time, with carriers required to implement reasonable 
procedures to honor such requests promptly.[36] These rules, implemented via 47 CFR § 64.2000 et seq., balance carriers' commercial interests in targeted marketing against privacy protections, though enforcement has highlighted inconsistencies in notice clarity and consent tracking.[4]
Protections and Compliance Obligations
Carrier Responsibilities for Safeguarding CPNI
Under Section 222(a) of the Communications Act of 1934, as amended, every telecommunications carrier bears a statutory duty to protect the confidentiality of proprietary information relating to its customers, including customer proprietary network information (CPNI), which encompasses details such as the quantity, technical configuration, type, destination, location, and amount of use of a communications service subscribed to by the customer.[1] This duty requires carriers to implement safeguards against unauthorized use, disclosure, or access, except as expressly permitted under Section 222(c), such as for providing the customer's own service or with customer approval.[1] The Federal Communications Commission's rules in 47 CFR Part 64, Subpart U, operationalize this duty through specific safeguarding requirements. Carriers must take reasonable measures to detect and prevent unauthorized access to CPNI, including by monitoring for suspicious activity and employing security protocols comparable to those used for their own proprietary information.[37] These measures extend to contractors, agents, or affiliates granted access, whom carriers must obligate via contract to maintain equivalent protections and limit use to authorized purposes. 
Personnel handling CPNI receive mandatory training on confidentiality obligations, verification procedures, and detection of unauthorized access attempts, with carriers required to maintain records demonstrating compliance.[37] Before disclosing CPNI—even to the customer—carriers must authenticate the requestor's identity using methods such as knowledge-based questions derived from account records, password prompts, or public information not readily available online, ensuring separation of CPNI from non-proprietary data to prevent inadvertent exposure.[36] Non-compliance risks enforcement actions, as evidenced by the FCC's annual certification mandate under 47 CFR § 64.2011, where carriers affirm adherence to these protections or detail remedial steps for any lapses.
Customer Notification and Consent Mechanisms
Telecommunications carriers must provide customers with clear and conspicuous notice regarding the use and disclosure of their customer proprietary network information (CPNI) at the inception of service and on an annual basis thereafter. This notification informs customers of their right to approve or disapprove the carrier's use of, disclosure of, or access to CPNI by the carrier or its affiliates for marketing purposes related to communications services.[33] The notice must specify the types of entities that may access CPNI, the purposes for such access, and the precise steps a customer must take to grant or deny permission, emphasizing that the default position is denial unless explicitly approved.[33] Consent mechanisms under 47 CFR Part 64 Subpart U distinguish between opt-out and opt-in approvals to balance carrier operational needs with customer privacy. Opt-out approval allows carriers to use, disclose, or permit access to CPNI for marketing the carrier's or its affiliates' communications-related services to the customer unless the customer affirmatively objects after receiving notice and a reasonable opportunity to respond, typically via electronic or written methods but not solely oral communication.[4] In contrast, opt-in approval requires affirmative customer consent—such as through a specific request—for disclosures to third parties outside the carrier's affiliates or for non-communications-related marketing, ensuring stricter controls on sensitive data sharing. 
Carriers must authenticate customer identity through reasonable means, such as verifying account details during phone or online interactions, before acting on any consent or disclosure request involving CPNI.[37] These mechanisms stem from Section 222(c) of the Communications Act, which permits CPNI use for service provision without consent but mandates approval for other purposes, with FCC rules operationalizing this through notification and approval processes to prevent unauthorized access.[38] Carriers are required to maintain records of opt-out or opt-in statuses and any disclosures, facilitating compliance verification during FCC audits or enforcement.[39] Failure to implement effective notification can result in deemed lack of approval, prohibiting certain CPNI uses until proper consent is obtained.[35]
Enforcement, Controversies, and Criticisms
FCC Enforcement Actions and Penalties
The Federal Communications Commission (FCC) enforces CPNI protections primarily through Section 222 of the Communications Act, which authorizes civil forfeitures for violations, with base amounts adjusted for severity, history, and ability to pay, up to $234,107 per violation as of 2024. Enforcement actions have included notices of apparent liability (NALs), forfeiture orders, and consent decrees, often addressing unauthorized disclosure, inadequate safeguarding, or misuse of CPNI such as call records, usage data, and location information. Early cases typically involved smaller penalties for compliance failures, while recent actions have targeted systemic data security lapses and location data sharing by major carriers, resulting in multimillion-dollar fines.[40] Notable enforcement prior to 2020 included consent decrees for CPNI misuse and security shortcomings. In April 2015, AT&T agreed to a $25 million settlement for failing to protect CPNI from unauthorized access by third parties.[41] Cox Communications settled for $595,000 in October 2015 over inadequate controls allowing employee access to CPNI without business justification.[42] Verizon Wireless entered a $1.35 million consent decree in March 2016 for deploying "supercookies" that uniquely identified customers and facilitated CPNI tracking without consent.[43] These actions emphasized carrier obligations to limit internal access and prevent unauthorized disclosures.[44] In 2020, the FCC issued NALs proposing substantial penalties for data breaches exposing CPNI, including location data, which carriers failed to reasonably safeguard. 
AT&T faced a proposed $57.27 million forfeiture for breaches from 2015–2019 that compromised millions of customers' location information.[45] Similar NALs targeted Verizon ($48.3 million proposed), T-Mobile ($91.63 million proposed), and Sprint ($12.24 million proposed) for comparable failures in protecting geolocation data shared with aggregators.[46][47][48] These stemmed from practices enabling third-party access to precise customer locations without opt-in consent, violating Section 222's privacy requirements.[49] By April 2024, the FCC finalized these as forfeiture orders, with some reductions: AT&T at $57.27 million, Verizon at $46.9 million, T-Mobile at $80.08 million, and Sprint at $12.24 million, totaling nearly $200 million across the four largest carriers.[49][50] The orders cited carriers' knowing sale or provision of location data to third parties, inadequate oversight of vendors, and failure to implement reasonable security measures despite awareness of risks.[51] Subsequent court challenges emerged; in April 2025, the Fifth Circuit vacated the AT&T forfeiture, ruling FCC in-house adjudication violated Seventh Amendment jury trial rights under SEC v. Jarkesy, though the FCC sought rehearing en banc.[52] Other recent settlements addressed breach aftermaths and compliance gaps. TracFone Wireless agreed to a $16 million consent decree in July 2024 for three data breaches from 2020–2021 exposing CPNI of over 50 million customers due to poor cybersecurity practices. AT&T settled for $13 million in September 2024 over a 2023 vendor cloud breach that leaked call records, committing to enhanced privacy measures.[53] These actions underscore escalating penalties for location tracking and breach prevention failures, with the FCC prioritizing carrier accountability amid rising data misuse concerns.[40]

| Carrier/Entity | Date | Action Type | Penalty Amount | Key Violation |
|---|---|---|---|---|
| AT&T | April 2015 | Consent Decree | $25 million | Unauthorized third-party CPNI access[41] |
| Cox Communications | October 2015 | Consent Decree | $595,000 | Inadequate employee access controls[42] |
| Verizon Wireless | March 2016 | Consent Decree | $1.35 million | Supercookie tracking without consent[43] |
| AT&T | April 2024 | Forfeiture Order | $57.27 million | Location data breaches and sharing[49] |
| Verizon | April 2024 | Forfeiture Order | $46.9 million | Location data protection failures[50] |
| T-Mobile | April 2024 | Forfeiture Order | $80.08 million | Location data breaches and vendor oversight lapses[54] |
| Sprint | April 2024 | Forfeiture Order | $12.24 million | Location data security shortcomings[55] |
| TracFone Wireless | July 2024 | Consent Decree | $16 million | Multiple CPNI-exposed data breaches |