The Federal Communications Commission is escalating an attempt to bring more regulatory oversight to mobile providers' data privacy practices.

Chairwoman Jessica Rosenworcel recently called for an investigation into carriers' compliance with FCC rules that require mobile providers to fully disclose to consumers how they are using and sharing customer geolocation data. The investigation followed the FCC's receipt of responses to a data privacy probe commissioned by Rosenworcel that found inconsistent data privacy practices across the industry.

Fifteen mobile providers — including AT&T Inc., T-Mobile US Inc., Verizon Communications Inc., Comcast Corp. and Charter Communications Inc. — detailed their data retention and privacy policies, revealing key differences in how long geolocation data is retained, with the data stored anywhere from one to five years depending on the carrier.

The FCC investigation is expected to lead to demands by regulators to standardize data-retention best practices. However, there is still the question of which regulator will retain key oversight of the matter. In addition to the FCC, the Federal Trade Commission also has an interest in this area.

"As users, which is now almost everyone, we want some sense that we can control who knows where we are, where we go and when we go there," said Barlow Keener, an attorney at Womble Bond Dickinson with a background in telecommunications proceedings.

Carrier responses

Each carrier has a different interpretation of best practices regarding geolocation data retention, according to company responses provided to the FCC.

Verizon, for instance, said it retains information on the cell site and the sector of the network a device connects to for up to one year, while other kinds of location data can be kept for shorter periods. However, for its vehicle monitoring app, Hum, location data is stored for up to five years.

Similarly, AT&T generally stores location data that identifies the current or past location of a specific individual's device for 13 months, but it then retains historical call detail records, which include cell site location information, for up to five years.

At T-Mobile, cell site location information is retained for up to 24 months.

Disparate best practices

Aside from the different interpretations, the companies also offered little explanation for their specific data retention periods, Keener said.

"The mobile carriers consistently and clearly stated their concern for their customers and their need to use the location data for law enforcement and emergency purposes," Keener said. "However, they generally limited discussion regarding the rationale for retaining location data for particular periods of time and did not indicate why they do not give consumers the choice regarding shortening those varying lengths of time for storing location data."

Public Knowledge Senior Vice President Harold Feld said the lack of uniformity among the responses from mobile carriers also highlighted the need to standardize industry best practices regarding data retention.

"Following the investigation, the FCC is likely to begin giving carriers more specific direction on what the best practices actually are," Feld said. "It's just too vague right now."

According to a "Voice of the Connected User Landscape: Connected Customer, Consumer Population Representative" survey fielded by 451 Research in April, while a majority of mobile customers are not opposed to location-based services and related offers, 24.5% of those surveyed found location-based offers annoying and 18.9% would consider shopping less with a company associated with such offers.

Regulatory power struggles

One reason for a lack of federal regulations in this area to date is an ongoing battle between the FCC, the FTC and Congress regarding which of the two agencies should be responsible for overseeing the use of geolocation data held by mobile companies.

Consumer privacy matters typically fall under the jurisdiction of the FTC. However, Section 222 of the 1996 Telecommunications Act requires the FCC to regulate telecommunications carriers' use of so-called "Customer Propriety Network Information." The information includes the technical configuration, type, destination, location and amount of use of a telecommunications service.

The FCC utilized its Section 222 authority to fine AT&T, T-Mobile, Verizon and Sprint more than $200 million in February 2020 after reports surfaced showing bounty hunters and others had bought access to mobile location data through third parties. The FCC claimed the carriers initially sold access to their customers' location information without taking reasonable measures to protect against unauthorized access.

More recently, the FTC in August filed a lawsuit against Kochava Inc., accusing the data broker of selling geolocation data from hundreds of millions of mobile devices. Kochava purchases the information and packages it into customized data feeds that are meant to assist clients in advertising and analyzing foot traffic at their stores and other locations. The FTC said Kochava fails to adequately protect its data from public exposure, and the data could be used to identify a person's home address, place of worship or health choices.

A bipartisan omnibus privacy bill, the American Data Privacy and Protection Act, would preempt the FCC's authority over customer network information, giving the authority to regulate privacy practices among mobile carriers to the FTC.

FCC Chairwoman Rosenworcel has said the communications regulator should gain some control of carrier geolocation and privacy issues. "This information and geolocation data is really sensitive. It's a record of where we've been and who we are. That's why the FCC is taking steps to ensure this data is protected," Rosenworcel said.

The spotlight on mobile location data should prompt carriers to revisit their practices, said attorney Keener.

"Regardless of which agency wins the battle, mobile carriers' practices and policies concerning the use, sale and sharing of their customers' geolocation data are under the spotlight of two agencies, each with years of experience in regulating privacy matters of companies falling under their respective jurisdiction," Keener said. "Mobile carriers should thus carefully reexamine their location-sharing practices to help insure against agency enforcement actions and also potential privacy-focused private actions."