FCC Releases Wireless Provider Letters on Data Privacy Practices
The FCC published wireless carrier responses to July letters asking about their data retention and data privacy policies. Privacy advocates said this week they hope the letters lead to a renewed focus by the FCC on data privacy issues (see 2208220054).
FCC Chairwoman Jessica Rosenworcel said she also asked the Enforcement Bureau to investigate wireless carrier compliance with agency rules that they “fully disclose to consumers how they are using and sharing geolocation data.” Data retention policies vary widely among the companies, based on the letters.
“Our mobile phones know a lot about us,” Rosenworcel said: “That means carriers know who we are, who we call, and where we are at any given moment. This information and geolocation data is really sensitive. It’s a record of where we’ve been and who we are. That’s why the FCC is taking steps to ensure this data is protected.” Rosenworcel said consumers can now also file a complaint with the agency about how their data is handled.
"This confirms that this FCC will expand its reach into the cyber/data/privacy realm and that some enforcement proceedings are in the offing,” emailed Cooley’s Robert McDowell, a former commissioner: “The backdrop for this is the pending privacy legislation before Congress, the new California and Virginia laws and the 2017 CRA action against the Wheeler-era privacy order." In 2017, Congress rejected ISP privacy rules approved under former Chairman Tom Wheeler, through a Congressional Review Act resolution (see 1704040059).
Verizon Wireless, the largest U.S. provider, said it collects cellsite and sector data “as a necessary part of operating a high performance network.” Verizon also said it collects data through “a small number of Verizon-branded applications for consumer mobile devices” but obtains “express customer permission” to do so. The amount of time data is stored varies, the carrier said. “Unless required by law or for legal purposes or in responding to a complaint, network information regarding cell site and sector is retained for up to one year, while other kinds of location data can be kept for shorter periods.”
T-Mobile said it collects cellsite data needed to operate its network, including for “network monitoring and maintenance, various aspects of billing, and routing emergency calls or text messages.” The provider also collects “timing advance” information, which “identifies the historical location of a handset in the format of longitude and latitude coordinates, as corrected for certain measurement and transmission errors.” The third set of data is on the location of handsets that make calls or send texts to 911. T-Mobile said it retains most device location data “for a transitory, brief period.” Timing advance data is saved for up to 90 days and cellsite and emergency call data for up to 24 months.
AT&T said it collects similar cellsite data and additional data through IQI software, which is developed and owned by AT&T and embedded in the firmware of Android devices on its network, which it uses “to improve network performance and for customer service purposes.” AT&T’s letter closes by slamming a 2021 FTC report that found wireless providers collect more data than is necessary to provide services, and more data than consumers expect, referenced in Rosenworcel’s July letter, and the 2020 notices of apparent liability against national wireless carriers for failing to safeguard data on their customers' real-time locations (see 2002280065).
“Our commitment to customers’ privacy and the security of their personal information -- including location information -- is unwavering,” AT&T said: “We accordingly note our strong disagreement with the unfair characterizations made” in the FTC staff report and “vigorously contest the factually and legally flawed -- and, as yet, unresolved -- determinations made in the Notice of Apparent Liability regarding location-based services.”
Dish Network said it collects geolocation data of Project Genesis customers, on its new 5G network “alongside other device telemetry data, to improve our … network performance (i.e. for internal network and customer experience optimization).” Tower-location data is “collected for specific devices at both the network and device-based application levels in the normal course of Project Genesis’ network operations, as location information is required to identify and route calls and other traffic,” Dish said.
Project Genesis plans to retain data “for as long as a person remains a customer and for at least one year after service is discontinued as proof of compliance and in case a commercial relationship is re-established after, for example, termination for non-payment,” Dish said.
UScellular systems “regularly purge subscriber geolocation data on a specified schedule,” the carrier said: “Unless otherwise required by law or court order, the longest this information is stored is 18 months.” C Spire said it retains cellsite location data “for approximately eighteen months, after which it is purged on a rolling basis.”
“The wireless industry takes privacy seriously and is at the forefront of protecting consumers,” a CTIA spokesperson emailed.