The regulator wants to toughen data protection rules for telcos, but potential federal legislation could reduce its authority in this area

The FCC wants answers to three main questions: On 19 July 2022, FCC Chairwoman Jessica Rosenworcel wrote to the largest 15 mobile providers in the US to request information about their data retention and data privacy policies, as well as their “general practices”. In these letters, Rosenworcel pursued three separate lines of enquiry. Firstly, the letters asked operators about their policies around geolocation data, including how long such data is retained and why and what the current safeguards are to protect this information. Secondly, the letters requested details from carriers about their processes for sharing subscriber geolocation data with law enforcement agencies and for other third-party data sharing agreements. In addition, the letters asked whether and how operators notify consumers when their geolocation information is shared with third parties. The FCC gave mobile providers until 3 August to outline their response.

Sensitivity of information sparked the enquiry: According to the regulator, mobile operators are “uniquely situated” to capture a wealth of information about their customers, including their identity and personal characteristics, geolocation data, app usage and web browsing data and habits. The FCC considers that the highly sensitive nature of this data and the ways in which it is stored and shared with third parties is of utmost importance to consumer safety and privacy. This is especially the case when location data (i.e. a record of where someone is and where they have been) is combined with other types of personal information to provide an accurate picture of a person’s activities. US broadband providers have also been under the spotlight when it comes to privacy, with a recent Federal Trade Commission (FTC) study finding that they share “far more data” than consumers may expect, including access to their internet traffic and real-time location data.

A future federal privacy law could supersede potential FCC rules: This latest FCC investigation builds on previous efforts to protect sensitive consumer data. In February 2020, the regulator proposed fining AT&T, Sprint, T-Mobile and Verizon a combined $208m for selling access to their customers’ location data to “aggregators” without taking reasonable measures to prevent unauthorised access to that information. The FCC’s letters to operators also follow a January 2022 Notice of Proposed Rulemaking (NPRM), which was designed to start the process of enhancing requirements for notifying customers and federal law enforcement of breaches of customer proprietary network information (CPNI), e.g. time, length and location of calls. These actions reflect the FCC’s appetite to strengthen privacy rules, although a national privacy law – namely, the American Data Privacy and Protection Act – could put paid to this ambition by handing almost all responsibility for data privacy oversight to the FTC.

Source: https://www.fcc.gov/document/rosenworcel-probes-mobile-carriers-data-privacy-practices