New legislative proposals on data privacy would transfer the regulation of privacy in the telecoms sector to the FTC but bring the US closer in alignment to its peers 

The FCC has concluded a six-year investigation into the US’s largest mobile operators, issuing nearly $200m in fines

On 29 April 2024, the US Federal Communications Commission (FCC) issued almost $200m (£160m) in privacy fines to the country’s largest mobile operators. AT&T, Verizon, T-Mobile and Sprint (the latter two now a merged entity) have been issued fines of up to $57m (£46m) for illegally sharing access to consumers’ location data without consent and without protecting that data from further unauthorised disclosure. These fines were over six years in the making, after an investigation was first launched by the regulator in 2018, and a Notice of Apparent Liability (NAL) was issued to each operator in 2020 outlining many of the allegations and sanctions now finalised. In its announcement, the FCC noted that the size of the fine issued to each operator was based on both the length of time the firm was found to be illegally sharing data access, as well as the number of third parties with which the operator was sharing the data.

The violations all relate to the failure of operators to obtain consumer consent for the the sharing of their location data

According to the FCC, the primary violation of each operator stems from their commercial agreements with “aggregators”, or third parties that packaged and resold consumer location data to location-based service providers. Under the Communications Act, operators are required to obtain the express consent of consumers before allowing third party access to sensitive information, including location data. However, all of the operators were found to be offloading this obligation to obtain consent either to the downstream aggregators or location-based service providers, which frequently failed to notify and gain consent from consumers. The FCC also found evidence that operators continued to provide access to consumer data even after becoming aware that the third parties had failed to gain consumer approval, suggesting the illegal behaviour was willful. According to the FCC’s earlier NALs, this conduct was first discovered when a law enforcement official in the state of Missouri was improperly granted access to location data through a location based service provider as early as 2014.

The proposed American Privacy Rights Act would transfer privacy enforcement in the telecoms sector to the FTC, drawing criticism from the FCC

While the US continues to lack a comprehensive and national data protection framework, some sector specific privacy protections exist, including those related to communications data, as well as health and education data. However, in April 2024, the bipartisan American Privacy Rights Act (APRA) was introduced as the latest and perhaps most promising legislative effort yet in the long-running pursuit of a federal privacy framework. The law would assign the privacy enforcement to the Federal Trade Commission (FTC) under its jurisdiction over unfair or deceptive business practices, and strip the FCC of its data protection responsibilities in the communications sector. There have been calls for the regulator to remain involved in regulating privacy in the sector, including from FCC Chairwoman Jessica Rosenworcel, who noted the FCC’s expert role and experience in enforcing privacy in telecoms and its establishment of a Privacy and Data Protection Task Force to coordinate these efforts in 2023. Though the APRA faces increasingly difficult odds of passage as the legislative year progresses, the success of the bill would mark a generational shift in American law and bring the US closer in alignment with its peers as it seeks to improve its global standing on policymaking in the digital economy.