Skip to main content
Find a Lawyer

Verizon's $47 Million Lesson in Location Data Gone Wrong

Vaidehi Mehta, Esq.

Article by: Vaidehi Mehta, Esq.

Attorney Writer

Reviewed by Joseph Fawbush, Esq. | Last updated on

How much is your phone’s location worth? For Verizon, the answer is nearly $47 million. In a recent legal battle, federal regulators slammed the telecom giant with that amount in fines after revelations that customers’ real-time whereabouts were quietly sold into the wrong hands. Let’s take a look at how the scandal unfolded.

Location Data Sales Go Rogue

For a long time, Verizon, like other major wireless carriers, ran a business selling its customers’ location information to outside companies. These companies, called “location aggregators,” would then resell that data to a range of third-party service providers. The idea was that these services (like roadside assistance or fraud prevention) could use location information for legitimate purposes. But the system relied heavily on the honor system and a complex web of contracts.

The cracks in this arrangement started to show in 2018, when the New York Times published a bombshell article. Securus Technologies was a company that was supposed to use Verizon’s data for a narrow, approved purpose: monitoring inmate calls in American jails and prisons. The service, marketed as a tool for law enforcement, can pinpoint nearly any cellphone in seconds, drawing on data streams typically reserved for marketers and major carriers like AT&T and Verizon. But as the NYT piece revealed, Securus was actually letting law enforcement officials track people’s phones in real time, sometimes without any legal authorization or the phone owner’s consent. The most egregious example involved Missouri sheriff Cory Hutcheson, who abused the system to track hundreds of people (including judges and police officers) by uploading fake documents and bypassing any real oversight.

Verizon's Sluggish Response

This news sent shockwaves through the public and caught the attention of the FCC. After the story broke, Verizon quickly cut off Securus and its partner companies from accessing customer location data. But the damage was done. The FCC’s Enforcement Bureau immediately opened an investigation, asking Verizon to hand over documents and explain how such a breach could happen.

As the investigation unfolded, it became clear that Verizon’s safeguards were not as strong as they should have been. Even after the Securus scandal, Verizon continued to allow other third parties to access customer location data for months, relying on the same flawed system. Throughout the rest of 2018 and into 2019, Verizon slowly wound down its location-sharing program, but only after repeated pressure and scrutiny. It took the company nearly a year to fully wind down its location aggregator program, during which time customers’ sensitive data remained exposed. The FCC’s investigation found that Verizon had failed to take reasonable steps to protect its customers’ sensitive information, even after being put on notice about the risks.

By February 2020, after months of gathering evidence, reviewing thousands of pages of documents, and observing Verizon’s actions (or lack thereof), the Commission had seen enough. It issued a Notice of Apparent Liability for Forfeiture (NAL) against Verizon with a proposed fine of over $46.9 million. The NAL detailed what Verizon had done wrong.

What Did the NAL Say?

Verizon had apparently violated federal law (specifically, Section 222 of the Communications Act) and the FCC’s own rules regarding the privacy of customer information. The NAL explained that under Section 222 and the FCC’s Customer Proprietary Network Information (CPNI) rules, carriers like Verizon are required to protect the confidentiality of sensitive customer data, including location information.

Carriers must obtain “opt-in approval” (affirmative, express consent) from customers before disclosing such data to third parties. The Commission made clear that federal law requires carriers not only to obtain affirmative customer consent before sharing location information but also to take “every reasonable precaution” to protect that data from unauthorized access.

The FCC found that Verizon’s practices fell short. Although Verizon claimed to require its aggregators and their clients to obtain customer consent, in practice, this process was unreliable and easily bypassed. The system relied heavily on contractual assurances and audits of records provided by the aggregators themselves rather than direct verification by Verizon.

The NAL also emphasized that Verizon failed to take reasonable measures to protect customer CPNI both before and after learning about these breaches. Instead of promptly suspending or overhauling its program, Verizon continued selling access to location data under essentially the same system for nearly a year after the NYT report. The FCC found this response insufficient given the risks involved.

Verizon’s response to the NAL was to throw a bunch of defensive spaghetti on the wall. Among other things, it denied liability under Section 222, defended its privacy safeguards as reasonable, claimed the breach was an isolated incident, and challenged both the legal standard applied and the calculation of the proposed fine. The FCC ultimately rejected these arguments in its Forfeiture Order, and Verizon appealed to the Second Circuit (which has jurisdiction to review an FCC order).

Court Rejects Verizon's Defenses

The Second Circuit reviewed Verizon’s challenge to the FCC’s forfeiture order. In court, Verizon argued that only call-location data is protected CPNI under Section 222. The court rejected this argument, reasoning that both statutory text and context support a broader interpretation that includes device-location information generated by a customer’s use of wireless voice services, even when not actively on a call.

The court also found that the FCC reasonably determined Verizon failed to take adequate steps to protect customer location data both before and after public revelations about unauthorized access. It noted that Verizon relied too heavily on contractual arrangements and unverified consent records from third parties, and failed to promptly overhaul its safeguards even after being put on notice by the Securus scandal.

Verizon argued the penalty should be capped at about $2 million for a single ongoing violation, not nearly $47 million for multiple ones. The court disagreed, ruling that the FCC could treat each business relationship with an aggregator or provider as a separate violation, since each posed its own risk. This, the court said, matched Congress’s intent to deter widespread privacy failures.

Finally, Verizon claimed it was denied a jury trial by paying the fine and appealing directly, instead of waiting for a government lawsuit in district court. The Second Circuit disagreed, ruling that Verizon could have withheld payment and gotten a jury trial in district court. By choosing to pay and appeal, Verizon waived its right to a jury trial.

A Future SCOTUS Showdown?

In sum, the Second Circuit upheld the FCC’s nearly-$47 million penalty against Verizon, finding that the company’s failure to reasonably protect customer location data violated federal privacy laws and that device-location data qualifies as protected under those laws.

What can we expect next? Well, the matter doesn’t seem to be settled quite yet, given there’s currently a circuit split. Last month, the D.C. Circuit upheld a $92 million fine against T-Mobile and Sprint for selling customer location data without consent. But earlier this year, the Fifth Circuit vacated a similar $57 million penalty against AT&T. With the lack of consensus among federal circuit courts, it looks like the case will probably be headed for SCOTUS at some point in the near future.

Was this helpful?

Copied to clipboard