The telecommunications industry is currently navigating a complex legal landscape, with recent decisions from two different U.S. Courts of Appeals reaching conflicting decisions on critical questions surrounding customer data privacy, agency enforcement powers, and fundamental constitutional rights. The U.S. Court of Appeals for the District of Columbia Circuit has upheld a significant FCC forfeiture order regarding sharing location-based data against Sprint and T-Mobile, while the Fifth Circuit earlier vacated a similar order against AT&T. This clash of judicial opinion has profound implications, particularly for businesses striving to comply with increasingly stringent state telemarketing laws.

The D.C. Circuit’s Stance: Sprint and T-Mobile Must Protect Location Data

On August 15, 2025, the D.C. Circuit issued its opinion in Sprint Corp. v. FCC, upholding the FCC’s combined $92 million fine against Sprint and T-Mobile.  (Sprint was acquired by T-Mobile.)  The core of the case revolved around whether these carriers violated their “duty to protect the confidentiality” of customer location information (CLI), which the FCC classified as Customer Proprietary Network Information (CPNI).

The FCC found that Sprint and T-Mobile had sold CLI to third-party “location information aggregators” (LocationSmart and Zumigo), who then resold it to “service providers”. While the carriers theoretically required customer consent, in practice, they provided CLI without verifying compliance, leading to abuses by companies labeled as “bad actors” like LocateUrCell and Securus Technologies. Even after becoming aware of these breaches, the carriers continued selling CLI without adopting adequate new safeguards.

The D.C. Circuit affirmed the FCC’s findings, concluding that:

• CLI is CPNI: The court agreed that location information generated when cell phones connect to towers for telecommunications service (e.g., the ability to send and receive calls) falls “squarely within” the definition of CPNI. This holds true regardless of whether the device is actively on a call, or whether the carrier also provides data services.
  
• Fair Notice Provided: The court rejected the carriers’ argument that they lacked fair notice of this interpretation, stating that the FCC’s reading was the “most natural one” of the Communications Act.
  
• Inadequate Safeguards: The court found it reasonable that the carriers’ safeguards were insufficient, largely relying on an “honor system” with aggregators rather than taking steps to verify compliance or having mechanisms to distinguish legitimate from illegitimate requests. Their response to the Securus breach was also deemed inadequate because they continued to operate their LBS programs under “effectively the same system.”
  
• Waiver of Jury Trial: Crucially, the D.C. Circuit determined that Sprint and T-Mobile waived their Seventh Amendment right to a jury trial. The court explained that under the Communications Act, carriers have two options after an FCC Notice of Apparent Liability (NAL) is affirmed: pay the penalty and seek direct appellate review (which the carriers chose), or “do nothing at all” until sued by the Department of Justice, at which point they would be “entitled to a trial de novo in district court”. The D.C. Circuit views this de novo trial as allowing challenges to “all issues of fact and law,” thus satisfying any constitutional right to a jury trial.

The Fifth Circuit’s Rebuke: AT&T’s Constitutional Rights Violated

Just months earlier, on April 17, 2025, the U.S. Court of Appeals for the Fifth Circuit reached a dramatically different conclusion in AT&T, Inc. v. FCC. The Fifth Circuit vacated a $57 million forfeiture order against AT&T for similar CPNI mishandling, finding that the FCC’s in-house adjudication process violated AT&T’s Seventh Amendment right to a jury trial and its right to adjudication by an Article III court.

The Fifth Circuit’s reasoning hinged on two main points:

• “Suit at Common Law”: The court found the FCC’s enforcement proceeding to be a “suit at common law”. It emphasized that the civil penalties imposed are a “prototypical common law remedy” designed to “punish or deter,” a point it considered “all but dispositive.” Furthermore, the court concluded that an action to enforce Section 222 is analogous to common law negligence, as the FCC’s analysis centered on whether AT&T acted “reasonable” in protecting customer data.
  
• Public Rights Exception Rejected: The Fifth Circuit firmly rejected the FCC’s argument that its enforcement action fell under the “public rights” exception, which would allow Congress to assign certain matters to an agency instead of a court. The court argued that extending this narrow exception to common carriers would “blow a hole” in Article III and noted that negligence claims against common carriers have historically been adjudicated in courts.
  
• Section 504 Trial Insufficient: Most critically, the Fifth Circuit dismissed the FCC’s argument that a “back-end” trial de novo under Section 504(a) of the Act satisfied constitutional requirements. The court highlighted that the FCC had already “adjudged a carrier guilty” and levied fines before any such trial. Crucially, the Fifth Circuit stated that in a Section 504 trial, a carrier can only challenge the factual basis of the order, not its legal validity. This, in the Fifth Circuit’s view, placed carriers in a “Catch-22”: challenge legality via direct appellate review and forgo a jury trial, or refuse to pay and risk a Section 504 trial where legality cannot be challenged.

The Conflict and Its Broader Impact on Businesses

The D.C. Circuit’s Sprint decision and the Fifth Circuit’s AT&T ruling present a direct split among federal appeals courts regarding the sufficiency of the FCC’s enforcement mechanisms in upholding constitutional rights. The D.C. Circuit believes the option for a de novo jury trial that allows both factual and legal challenges is available and thus satisfies due process, provided the carrier chooses that path. In stark contrast, the Fifth Circuit asserts that the de novo trial is limited to factual defenses, rendering the overall process unconstitutional by forcing a choice between a jury trial and legal review. 

This judicial divergence has significant implications for all businesses that rely on customer data, particularly those engaging in telemarketing. The underlying issue in both cases—the strong privacy protections imposed by the FCC on Customer Location Information (CLI) as CPNI—directly impacts how companies can operate.

Here’s how:

• Inability to Access Real-Time Location Data: Due to federal privacy regulations and FCC enforcement actions like those against Sprint, T-Mobile, and AT&T, wireless carriers no longer share real-time location data with third parties.
  
• Challenge to “Quiet Hour” Compliance: Many state telemarketing laws impose “quiet hours” that restrict when calls or text messages can be sent based on the recipient’s location in the absence of prior consent. For businesses operating across state lines, complying with these state-specific quiet hours is “practically impossible” because they simply cannot know a mobile subscriber’s precise real-time location. Unless the statute provides a “safe harbor” allowing businesses to rely on the area code as a proxy for location, relying on the area code (which may be the only available data) is not certain to capture all mobile phones located in the state.  EIA has raised this issue with the FCC as part of its on-going efforts to stem the tide of frivolous quiet hour cases. 

As the FCC and the courts continue to grapple with agency authority and constitutional limits, businesses are left navigating a complex and sometimes contradictory set of federal and state regulations. The intensified privacy protections surrounding customer location data, while critical for consumer rights, inadvertently create significant challenges for legitimate businesses trying to ensure compliance with location-specific rules. The ultimate resolution of the D.C. and Fifth Circuits’ conflicting views on the FCC’s enforcement powers will undoubtedly shape future data privacy and telemarketing compliance strategies across the nation.

Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business.