Executive Summary

The U.S. Supreme Court will review consolidated cases that challenge the fundamental authority of the Federal Communications Commission (FCC) to enforce consumer privacy protections against wireless carriers. The cases, FCC v. Verizon and AT&T v. FCC, originated from penalties the FCC levied in 2020 against four major carriers for selling access to customer location data without adequate safeguards. A coalition of consumer groups and former FCC Chairs has filed an amicus brief supporting the FCC's position, warning that a ruling in favor of the carriers could dismantle the agency's ability to police privacy violations. The outcome of this case will be a landmark decision for the future of data privacy regulation and corporate accountability in the U.S. telecommunications sector.

Regulatory Details

The core of the legal dispute is whether the Federal Communications Commission (FCC) has the statutory authority to issue financial penalties (known as forfeitures) against carriers for failing to protect customer proprietary network information (CPNI), which includes sensitive location data.

The case originates from a 2020 FCC enforcement action where the agency fined four major wireless carriers. An FCC investigation concluded that these carriers had violated Section 222 of the Communications Act by selling access to their customers' real-time location data to third-party data aggregators without taking reasonable measures to protect that information from unauthorized disclosure. This practice made the location data of tens of millions of customers vulnerable to misuse.

The carriers are arguing that the FCC's process for imposing these fines was unlawful and that the agency lacks the authority to enforce privacy rules in this manner. If the Supreme Court sides with the carriers, it could severely curtail or eliminate the FCC's role as a primary enforcer of privacy for telecommunications customers.

Affected Organizations

• Primary Parties: Federal Communications Commission (FCC), Verizon, AT&T, and other wireless carriers involved in the original 2020 action.
• Consumers: Tens of millions of U.S. wireless customers whose data privacy rights are at the center of the case.
• Industry: The entire U.S. telecommunications industry, as the ruling will define the regulatory landscape for data handling.

Compliance Requirements

The case revolves around the enforcement of existing compliance requirements under the Communications Act, specifically the duty of carriers to protect customer data. The amicus brief filed by former FCC Chairs Reed Hundt and Tom Wheeler, along with consumer groups, emphasizes several key points:

• Statutory Duty: Carriers have a legal obligation to protect their customers' sensitive information.
• Reasonable Safeguards: The FCC's position is that carriers failed to implement "reasonable measures" to prevent unauthorized access to the location data they were selling.
• Due Process: The brief argues that the carriers were given ample opportunity to respond to the FCC's findings and contest them before a jury but chose not to, undermining their current procedural complaints.

Impact Assessment

A ruling against the FCC would have a profound impact on U.S. data privacy:

• Erosion of Enforcement: It would strip the FCC of one of its most powerful tools for holding carriers accountable, potentially leaving a significant gap in federal privacy oversight.
• Consumer Harm: Without a strong federal regulator able to issue penalties, consumers might have no effective recourse when their sensitive data, such as real-time location, is misused or sold irresponsibly.
• Precedent for Other Agencies: The decision could set a precedent that affects the enforcement authority of other federal agencies in their respective domains.
• Shift to State-Level Regulation: A weakening of federal authority could accelerate the trend of states enacting their own, often conflicting, privacy laws, creating a more complex compliance environment for businesses.

Enforcement & Penalties

The very subject of the case is the FCC's power to levy penalties. The 2020 action involved significant fines intended to deter carriers from lax data security practices. The carriers' legal challenge seeks to invalidate these penalties and prevent the FCC from issuing similar ones in the future. The Supreme Court's decision will either affirm this critical enforcement mechanism or declare it invalid, fundamentally altering the balance of power between the regulator and the regulated industry.

Compliance Guidance

Regardless of the outcome, this case highlights the increasing legal and regulatory risks associated with handling sensitive customer data. To prepare for a future of heightened scrutiny, wireless carriers and other data-handling organizations should:

1. Adopt Data Minimization: Collect and retain only the customer data that is strictly necessary for providing the service.
2. Strengthen Vendor Risk Management: Rigorously vet any third-party data aggregators or partners who will be given access to customer data. Contracts must include strong data protection clauses and audit rights.
3. Enhance Consent Mechanisms: Ensure that customer consent for data sharing is clear, explicit, and easily revocable. The practice of burying consent in lengthy terms of service is no longer defensible.
4. Implement Robust Security Safeguards: Go beyond minimum compliance and implement strong technical measures, such as encryption and access controls, to protect sensitive data like location information.
5. Prepare for a Patchwork of Laws: Assume that even if federal oversight is weakened, state-level privacy laws (like the CCPA/CPRA in California) will continue to impose strict requirements.