AT&T Won, Verizon Lost: Is Privacy a Coin Toss?

Two wireless giants were similarly accused — of selling customer location data without consent, which they probably should have had in the first place. AT&T beat the fine. Verizon didn’t. T-Mobile lost, too. If that makes it sound like your privacy relies on the luck of the venue draw, you’re not entirely wrong.

The opposing decisions lay bare a messy truth: Courts are coming to different conclusions about whether your phone’s location should be protected under federal telecom privacy rules. Here’s what is really at stake, and why it matters.

What the location data enforcement cases are about

The Federal Communications Commission fined three of the four largest wireless carriers tens of millions of dollars after an investigation indicated they were selling users’ geographical location data with intermediaries. The data flows from carriers to aggregators like LocationSmart and Zumigo, and then on to a roster of downstream customers — typically, though not exclusively, marketers — according to earlier reporting by Mr. Orekoya and others that served as the basis for his article. Reporters from Motherboard and subsequently 404 Media detailed how this access operated in practice.

Regulators contended that a phone’s location is “Customer Proprietary Network Information” (CPNI) under the Communications Act Section 222 – which covers call records – and that carriers are responsible for guarding it from unauthorized access or use.

The carriers argued that Section 222 is narrower: in their interpretation, only call-related information counts, not current or historical geolocation derived from the network. And it’s that legal distinction that is now the fulcrum of the court fights.

The fines levied by the F.C.C. were hefty: about $91 million for T‑Mobile, $57 million for AT&T, $48 million for Verizon and $12 million for Sprint, a calculation based on varying amounts of data sharing and more instances of compliance lapses identified by the agency.

Why AT&T walked and Verizon didn’t face the same fines

In one business-friendly circuit, judges took the carriers’ cramped reading of Section 222 and scuttled the fine against AT&T. In other federal circuits, panels sided with the FCC that location generated by the network cannot be divorced from a carrier‑customer relationship and is entitled to have protections under the statute. Ars Technica tells us that a different panel has now upheld the penalty against Verizon; before it was T‑Mobile’s turn.

Same facts, same statute, different umpires. That gap is how a “coin toss” feeling seeps in — and why the fate of a privacy case can depend on which courthouse door you walk through.

The stakes for consumers and future F.C.C. enforcement

If location data is not classified as CPNI, carriers can profit from it under less strict consent models, shoving consent into murky opt‑out flows and product “enhancements.” If it is CPNI, carriers would face tough obligations: clear notice, opt‑in controls, audit rights and real penalties if data slips downstream.

History demonstrates that the risks are not theoretical. And at other resellers, investigators found that real-time phone location leaked through the chain to unauthorized entities without a legitimate business need. FCC enforcement was designed to close that door and send a chilling signal throughout the ad‑tech and data‑broker ecosystem.

Split rulings blunt that signal. They chill future privacy cases the F.C.C. may wish to announce, especially in light of courts’ reduced deference toward agencies’ interpretations of ambiguous statutes. The bottom line: more oxygen for data brokers, less certainty for consumers.

Could the Supreme Court resolve the privacy dispute?

A clear circuit split makes the high court’s involvement more likely.

If it accepts the issue, two questions will be in play: whether Section 222 applies to geolocation and, when there is no clear law, how much deference should an expert agency have. Because the Court has been skeptical of broad powers held by agencies, privacy advocates who work on Hailstorm at groups like EFF and EPIC aren’t confident.

A ruling limiting Section 222 could have ramifications that extend well past location brokering. It would limit the F.C.C.’s ability to police their use of metadata for advertising and analytics — and empower data markets that prosper through this murky ambiguity about consent.

What you can do to reduce carrier location tracking

• Log in to your carrier’s account and disable ad personalization programs. Names differ — you might find “Relevant Advertising,” “Custom Experience” or “Analytics & Insights.” Apply settings on every line.
• Trim app access: Turn off precise location for apps that don’t need it, limit which apps can access your location in the background and consult your phone’s privacy dashboard to see what other signals you might be giving and how frequently.
• Access state privacy rights, when available, that allow you to opt out of “sale” or “sharing” of personal data. That’s because carriers and data brokers will have to comply with the former anyway, irrespective of what happens in the federal case.

The bigger pattern in data sales and surveillance

This isn’t an isolated tug‑of‑war. Countless police departments have purchased personal data from brokers to avoid restrictions on asking for such information under longstanding privacy laws and the Fourth Amendment except during an active investigation, said those familiar with the work. This is among many ways in which our system of mass surveillance has grown up outside the framework of laws, with poor oversight, particularly in policing. It is a powerful example: far too much spying unmoored from its legal constraints. And the Government Accountability Office has also studied federal purchases of commercial geolocation data, underscoring how easily sensitive information flows once it is out of the original collector’s hands.

The fact of whether or not a carrier pays a settlement shouldn’t determine whether your movements are treated as commodities. Until such time as that law is sorted out across the country, assume your privacy protections are only as strong as the courtroom in which it lands — and operate accordingly.