Editor's take: Few things are more satisfying than watching giant corporations squirm under the weight of stiff fines for screwing over their customers. What makes it even sweeter is when those same companies try to wriggle out of accountability in court, only to get smacked down by judges. Beyond the schadenfreude, these rulings matter: they reinforce that carriers can't quietly sell off sensitive location data and then shrug when caught.
A federal appeals court has rejected T-Mobile's attempt to overturn $92 million in fines for selling customer location data to third-party firms without consent. The unanimous decision by a three-judge panel at the US Court of Appeals for the District of Columbia Circuit (CADC) marks the first key ruling in a broader challenge by major carriers - including T-Mobile, AT&T, and Verizon - to nearly $200 million in FCC penalties.
The fines, finalized last year, stem from the illegal sharing of customers' real-time location data first exposed in 2018. T-Mobile was hit with $80.1 million in penalties, while its subsidiary Sprint faced $12.2 million following the 2020 merger.
"Every cell phone is a tracking device," the court ruling begins, explaining how carriers accumulate detailed records of customer movements through routine tower connections. "To receive service, a cell phone must periodically connect with the nearest tower in a wireless carrier's network. Each time it does, it sends the carrier a record of the phone's location and, by extension, the location of the customer who owns it."
The court found that T-Mobile and Sprint sold customer location data to aggregators LocationSmart and Zumigo through 2019 without confirming whether buyers had obtained consent. Several bad actors exploited these programs to access data without customers' knowledge, and the carriers continued selling information even after learning of the abuses.
Rather than disputing the allegations, the "Uncarrier" argued that the FCC lacked the authority to impose the fines. The telecom also contended it was entitled to a jury trial under the Seventh Amendment, citing a recent Supreme Court ruling in an SEC case.
Appeal: Sprint v FCC via Scribd
The judges rejected both arguments. The appeals panel ruled that the T-Mobile and Sprint had voluntarily waived their right to jury trials by paying the fines and pursuing direct court review instead of waiting for government collection actions.
"The Carriers may not now complain that they were denied a right they voluntarily surrendered," the court wrote.
T-Mobile and Sprint also challenged whether device location data counts as protected Customer Proprietary Network Information under telecom law. They argued the statute covers only call location data, not the passive location pings generated when devices connect to cell towers.
The court dismissed these "strained interpretations" of the law. Judges explained that because customers use telecom services whenever their devices connect to carrier networks, all location data falls under privacy protections.
The carriers also argued the fines were steep, noting that the FCC typically imposes such penalties only for fraud or intentional consumer deception. However, judges upheld the fines, ruling that the FCC reasonably deemed the conduct "egregious" because both companies continued selling location data even after security breaches exposed weak safeguards.
T-Mobile told Ars Technica it is "currently reviewing the court's action" but declined to comment further. The company could seek an en banc review with all appeals court justices or petition the Supreme Court.
Meanwhile, AT&T faces $57.3 million in fines and is contesting its penalties in the Fifth Circuit Court of Appeals. Verizon, hit with $46.9 million in fines, has appealed to the Second Circuit. Both cases remain pending as carriers across the industry seek to overturn the landmark privacy penalties.
Judges reject T-Mobile's claim that selling location data is lawful
