This enforcement action marks a series of firsts. It is the first CPNI enforcement action since the pre-2016 CPNI regulations were reinstated following the repeal of the broadband privacy rules by Congress in 2017. This is also the first large consumer protection enforcement action under Chairman Pai’s leadership—up to now, Chairman Pai has eschewed the principle-based enforcement of his predecessor in favor of more clear-cut rules violations. The action also generated criticism both for being too soft (and too late) and for potentially being beyond the Commission’s jurisdiction.

Section 222 of the Communications Act requires carriers to protect the confidentiality of CPNI, which consists of specific customer data carriers get from consumers simply by providing them telecommunications service—or in statutory terms, “solely by virtue of the carrier-customer relationship.” This includes location information that carriers receive from wireless phones almost constantly so that calls and data can be routed to a customer both when the customer is using the phone and when the phone is in standby mode. Except for certain defined uses, carriers can only use, disclose, or permit access to CPNI with customer approval. But the FCC has also found that approval requirements alone are not enough, so the CPNI rules specify that carriers must employ “reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI,” such as when a person pretends to be a particular customer or authorized person to obtain access to CPNI—a practice known as “pretexting.”

The FCC alleges that each of the four carriers failed to take reasonable measures to prevent unauthorized access to location information by third parties that improperly disclosed that information without customer approval. Specifically, each carrier sold access to location information to “aggregators,” who then resold access to third-party location-based service providers, who in turn allegedly sold or provided access to individualized location information to unauthorized parties. Each carrier relied on contracts that obligated aggregators to require third-party location-based service providers to obtain customer consent before accessing a customer’s location information from the aggregators. However, the carriers did not independently verify that consent was actually being obtained. In the FCC’s view, the contracts did not amount to reasonable measures to protect CPNI and held the carriers responsible for the failure to obtain customer consent on the basis that the third-party service providers were acting on the carriers’ behalf. The FCC was unconvinced by arguments that the information was primarily for non-common carrier data services, instead of telecommunications services, and that the location information obtained when the phone is on standby mode is materially different than information obtained when a customer is on a call.

Based on these apparent violations, the FCC proposed fines of $57 million for AT&T, $48 million for Verizon, $91 million for T-Mobile, and $12 million for Sprint. The FCC calculated these proposed fines based on four factors:

• First, the FCC determined the number of aggregators and third-party service providers that had access the information at any given time by looking at the contracts—the more entities that received the information, the greater the proposed fine.
• Second, the FCC relied on a continuing violation theory, concluding that each day the contracts were in place was an additional violation of the CPNI rules. As a result, the size of the fine increased for each successive day a carrier allegedly continued to allow third-party service providers to access customer location information without reasonable safeguards.
• Third, the FCC calculated the continuing violation from June 9, 2018—or 30 days after publication of a New York Times article that first brought the location sharing to light—on the basis that the article’s publication was the first time the carriers were put on notice about the inadequacy of their practices and because a carrier cannot be “expected to fully investigate and take remedial actions on the same day it learns that its safeguards are inadequate.” This approach also marks a departure from prior enforcement actions, which had not included a “cure” period previously.
• Fourth, the FCC upwardly adjusted the proposed fine by amounts ranging from 25-100 percent to reflect the apparent seriousness of the violations and the remediation efforts undertaken by each carrier.

The FCC’s actions are proposed fines. As the Commission customarily notes, neither the allegations nor the proposed sanctions in the Notices of Apparent Liability are final Commission actions. The parties will be given an opportunity to respond and the Commission will consider the carriers’ responses before taking any final action to resolve the matters.

Despite moving forward on the proposed fines, the FCC Commissioners appear split on the specifics of the enforcement approach. Commissioner O’Rielly expressed serious reservations even as he voted in support of the action, citing a concern that the FCC does not have all the relevant facts and expressing interest in the carriers’ argument that their practices are outside FCC jurisdiction. Conversely, Commissioner Rosenworcel dissented, not because she sides with the carriers, but because she believes the proposed fines should be higher. She particularly expressed disdain for the 30-day curing period and the reduction in the fine proposed for each successive day of continuing violation. Commissioner Starks supported the action overall, but dissented entirely on the forfeiture calculation approach, arguing the FCC should have based the fine on the number of consumers actually harmed and not on the number of contracts the carriers entered into.

Each carrier will have the opportunity to respond to the proposed fines in approximately 30 days. The responses typically are not made public but we will continue to monitor the proceedings for developments and will provide updates as they occur.

Having observed a growing number of websites that advertise and sell noncompliant radio accessories, specifically AV transmitters, intended for use with drones, the Bureau thought it was time to remind the public that advertising, selling, or otherwise marketing such devices if they are not certified under the FCC rules is generally illegal, as is using them. Only if AV transmitters operate exclusively within frequencies authorized for use only by amateur licensees may they be marketed without certification (although they must comply with all other relevant rules) and, if then, use is permitted only by licensed amateur operators. (Other operators of such devices that fall in the exception may be subject to penalties.) If AV transmitters operate on frequencies that fall outside the designated amateur frequency bands, even if they also operate within the amateur bands, they must first have a proper FCC certification before they can be advertised, sold, or operated within the United States. If they do not, then the Enforcement Bureau reminded the public that manufacturers, retailers, and operators may be exposed to substantial monetary penalties, citing recent cases ranging from $190,000 to $2,900,000 in forfeitures, and the regulatory limits of fines up to $19,639 per day of marketing violations and up to $147,290 for an ongoing violation.

The Advisory reminds the public that its equipment authorization-related requirements and potential penalties apply to all equipment, regardless of the country of origin, albeit the FCC regulations do not apply to equipment used by Federal government agencies, although the Department of Commerce (“DOC”) and its National Telecommunications and Information Administration (“NTIA”) may impose their own requirements for Federal agency use.

The Bureau reminds retailers and manufacturers to take the time to learn the FCC rules governing equipment authorization and comply with them. The Advisory recommends that drone operators, when buying accessories that either are electronic or have electronic components, should ensure that these devices or components are properly labeled as FCC-compliant. The Bureau also reminds individuals without amateur licenses that they may not use drone equipment, such as AV transmitters that operate only on amateur frequencies, that is designed solely for use by amateur licensees.