The Federal Communications Commission fined the four largest U.S. wireless carriers a combined $196.5 million in April 2024 for selling customers’ real-time location data to third-party aggregators: the largest CPNI enforcement action in agency history. AT&T, T-Mobile, Verizon, and Sprint each received final forfeiture orders under 47 U.S.C. § 222, resolving an investigation that began after a 2019 Motherboard report revealed that precise subscriber location data had reached bail bondsmen and bounty hunters. The fines remain unpaid and are now before the U.S. Supreme Court on a constitutional challenge to the FCC’s penalty authority.
47 U.S.C. § 222 and the CPNI Enforcement Framework
Section 222 of the Communications Act requires telecommunications carriers to protect Customer Proprietary Network Information, which includes call records, service details, and real-time subscriber location data. The FCC’s implementing rules at 47 C.F.R. § 64.2010 prohibit carriers from selling CPNI to unrelated third parties without subscriber consent. The agency issued compliance warning letters to all four carriers in 2018 after early reports of location-data resale; when carriers failed to cease the practice, the FCC opened formal enforcement proceedings and issued Notices of Apparent Liability in 2020.
The April 2024 final forfeiture orders set individual fines as follows: T-Mobile, $80 million (the largest single CPNI fine in FCC history); AT&T, $57 million; Verizon, $46.9 million; and Sprint, which merged with T-Mobile in 2020, $12 million for pre-merger conduct. The FCC calculated these amounts under the forfeiture guidelines at 47 C.F.R. § 1.80, adjusting upward for duration, subscriber scale, and the carriers’ continued data sales after receiving the 2018 warning letters. The underlying conduct spanned at least 2015 through 2018 across all four carriers.
The Location Aggregator Chain
Carriers fed real-time subscriber location data to intermediary platforms, most prominently LocationSmart and Zumigo: under contracts nominally covering legitimate services such as roadside assistance. The aggregators then licensed API access to downstream clients including Securus Technologies, which sold location-lookup services to law enforcement agencies without requiring court orders or subscriber notification.
The mechanism became public in May 2018 when researcher Robert Xiao found that LocationSmart’s web portal allowed unauthenticated lookups on any participating subscriber. Motherboard’s January 2019 follow-up confirmed that a bail-bond company had accessed real-time location data through the Securus product, triggering congressional demands for FCC enforcement action. Senators including Ron Wyden wrote to FCC Chairman Ajit Pai within days of publication. All four carriers announced they would terminate aggregator arrangements, but the FCC’s enforcement record found that cessation was not immediate across all carrier-aggregator contracts.
The FCC found three specific compliance failures common to all four carriers: absence of contractual controls requiring aggregators to limit downstream use to disclosed purposes; failure to audit aggregator client lists after the 2018 warning letters; and continuation of location-API monetization after representing to the agency that wind-down was underway. The FCC did not charge LocationSmart or Zumigo directly, as Section 222’s obligations apply only to common carriers rather than data intermediaries.
Data Breach Notification Rules: WC Docket 22-21
On December 13, 2023, the FCC adopted the most significant revision to its breach reporting requirements since 2007. The rules under WC Docket 22-21 replaced a framework that required only FCC notification, with no customer notification obligation and no fixed timeline, with a three-track structure. Carriers must notify the FBI and Secret Service within seven business days of determining a breach has occurred, notify affected customers within 30 days, and file simultaneous notice with the FCC. The core customer-notification provisions of 47 C.F.R. § 64.2011 became effective March 13, 2024, with specific provisions requiring OMB approval under the Paperwork Reduction Act remaining on hold into 2025.
The rule expanded the definition of “breach” to include inadvertent access, use, or disclosure, covering misconfigured cloud storage and insider errors that fell outside the prior theft-focused standard. The Sixth Circuit upheld the rules in 2025 against an industry challenge, finding that the FCC’s authority to require “reasonable data security practices” under Section 222(a) encompasses notification as a component of a complete security program. The rules apply to telecommunications carriers, interconnected VoIP providers, and telecommunications relay service providers, and do not preempt state breach notification laws in jurisdictions such as California and New York that impose shorter timelines. For a broader overview of U.S. federal data protection law, see the U.S. Data Privacy Law and ADPPA guide.
Supreme Court Review of FCC Penalty Authority
No carrier has paid the April 2024 fines. AT&T, T-Mobile, and Verizon each sought appellate review, arguing the FCC’s administrative forfeiture procedure violated the Seventh Amendment right to a jury trial before a federal court. The resulting circuit split: the Second Circuit and D.C. Circuit upheld the FCC; the Fifth Circuit ruled for AT&T, prompted the Supreme Court to grant certiorari on January 9, 2026. Oral argument in the consolidated cases was scheduled for April 21, 2026.
The constitutional question is whether civil monetary penalties of this scale may be imposed through purely administrative proceedings, or whether the Seventh Amendment requires adjudication in federal district court with jury protections. A ruling against the FCC would not only void the $196.5 million in CPNI fines but could constrain the penalty authority of the SEC, FTC, CFTC, and EPA, all of which rely on similar in-house enforcement structures. The FCC has argued its forfeiture procedure falls within the “public rights” doctrine permitting administrative adjudication; carriers contend that fines exceeding $40 million are functionally civil judgments that have historically required courts. For context on the FCC’s regulatory authority and jurisdiction, see the FCC Spectrum Policy guide.
Forward Compliance Obligations
The enforcement cycle established concrete expectations that apply regardless of the Supreme Court’s ruling on penalty collection. Carriers must maintain contractual controls over any vendor receiving network-derived subscriber data, conduct regular audits of downstream use, and cease commercial data arrangements upon receiving agency warning. AT&T, T-Mobile, and Verizon have each terminated their direct agreements with LocationSmart and Zumigo and implemented enhanced third-party due-diligence programs.
The December 2023 notification rules add a separate compliance layer. Legal practitioners advising carriers have noted that the simultaneous FBI, Secret Service, and FCC notification requirement eliminates the discretion that previously allowed carriers to assess breach severity before deciding whether to report. T-Mobile’s 2023 breach, which exposed approximately 37 million account records through an API, is under separate FTC and FCC scrutiny and is not included in the April 2024 CPNI forfeiture orders, which addressed only the location-aggregator conduct predating the 2019 policy change.