The Federal Communications Commission is set to propose about $200 million in fines against four major cellphone carriers for selling customers’ real-time location data, according to three people briefed on the discussions.
The penalties would be some of the largest the agency has imposed in decades and represent the first action it has taken on the issue, though privacy advocates and critics in Congress say even that response is inadequate. The amount is not final, and the companies — AT&T, Sprint, T-Mobile and Verizon — will have the opportunity to respond and argue against the fines.
The trade in location data has emerged as a sensitive privacy issue because it affects hundreds of millions of people and can reveal intimate details about their lives, including personal relationships and visits to doctors. “It puts the safety and privacy of every American with a wireless phone at risk,” Jessica Rosenworcel, a Democratic commissioner at the F.C.C., said in a statement last month about the agency’s investigation.
Sale of the data is widespread among app makers and other technology companies, but the telecommunications sector is subject to more stringent laws protecting customers’ confidentiality.
Ajit Pai, the F.C.C. chairman, said in a letter to the House Commerce Committee last month that the agency’s investigators had concluded that “one or more wireless carriers apparently violated federal law,” but it was unclear at that time what penalty the F.C.C. would suggest.
The F.C.C., scheduled to have a public meeting on Friday, has not yet made the proposal official but has the necessary votes, said the three people, who spoke on the condition of anonymity because they were not authorized to discuss the matter publicly.
Agency officials declined to comment until the final vote was announced. The Wall Street Journal reported earlier that the F.C.C. would be seeking fines in the case.
The investigation stemmed from articles in The New York Times and elsewhere about cellphone carriers’ provision of the data to companies called location aggregators. The Times in 2018 reported that the data was eventually making its way to law enforcement, including to an official who was charged with using it to track people without a warrant.
Location data from cellphone carriers proved valuable because it was consistently available and included almost every American with a mobile phone. Carriers sold access to it for marketing purposes and services like bank fraud protection, under contracts that required location companies to get customers’ consent, for example by responding to a text message or pressing a button on an app.
But the companies did not always obey those contracts and the carriers had little way of enforcing them, allowing troves of personal information to be used in ways consumers had never intended. The F.C.C. found that the cellphone companies had broken federal law by being negligent with the data.
After the 2018 article and questions from lawmakers, the carriers pledged publicly to limit sales of the data, saying they would wind down their existing contracts with location aggregators. But a report in 2019 showed the data was still available to bounty hunters and others.
Later that year, the companies said in response to questions from an F.C.C. commissioner that they had stopped the practice.
The continued sale of data was the impetus behind the penalties, which amount to tens of millions of dollars for each carrier, people familiar with the matter said. The F.C.C. is fining companies based on the number of days they allowed the data access to continue.
“I am committed to ensuring that all entities subject to our jurisdiction comply” with the law and the F.C.C.’s rules, Mr. Pai said in his letter to lawmakers.
But the time between the initial 2018 report and the proposed penalties, and the expected size of the fines, has raised the ire of privacy hawks. One Democratic commissioner, Geoffrey Starks, wrote an opinion piece in The Times last year complaining that “nearly a year after the news first broke, the commission has yet to issue an enforcement action or fine those responsible.”
Senator Ron Wyden, an Oregon Democrat who has repeatedly pressured the companies and the F.C.C. over the data sharing, said in a statement on Thursday that the chairman “only investigated after public pressure mounted,” adding that the fines were “comically inadequate” to deter future privacy violations.