Yesterday, the United States Court of Appeals for the Second Circuit issued a final decision in Verizon Commc’ns Inc. v. Fed. Commc’ns Comm’n, upholding a $46.9 million penalty against Verizon for mishandling customer location data. This ruling has significant implications for our members engaged in telemarketing and SMS text marketing.

The Court affirmed the Federal Communications Commission (FCC)’s finding that Verizon violated Section 222 of the Communications Act by failing to reasonably safeguard Customer Proprietary Network Information (CPNI). The Second Circuit explicitly concluded that device-location data qualifies as CPNI, triggering the privacy protections of the Communications Act. This directly rejected Verizon’s argument that CPNI only covered call-location data or that device-location data was not obtained “solely by virtue of the carrier-customer relationship”. The court stated that device-location data relates to the location of a telecommunications service because a wireless carrier must use a device’s location to enable customers to send and receive calls, even when not actively on a call.

The Second Circuit concluded that the FCC’s determination that Verizon failed to reasonably protect customer location data was neither arbitrary nor capricious. The FCC identified that Verizon relied heavily on contractual arrangements and an external auditor (Aegis Mobile, LLC) that compared lists of location requests and consent records provided by aggregators, a system that assumed legitimacy and could not detect fabricated consent. Verizon was also deemed to have inadequate safeguards even after news reports revealed Securus Technologies, Inc. was misusing the program to allow law enforcement access to location data without proper consent.

The $46.9 million penalty, which included a 50% upward adjustment for egregious conduct, was deemed to be within statutory limits. The FCC based the penalty on 63 continuing violations, one for each ongoing relationship with an aggregator or provider that retained access to customer data more than 30 days after the New York Times article broke the news of the breach. The court found this within the FCC’s discretion.

The Second Circuit also ruled that Verizon’s Seventh Amendment right to a jury trial was not violated by the procedures used by the Commission to impose the fines. The court explained that under the Communications Act, carriers have two options after an FCC forfeiture order: pay the penalty and seek direct appellate review (which Verizon chose), or decline payment and obtain a “trial de novo” in federal district court, which would allow a jury trial. The court views this de novo trial as allowing challenges to “all issues of fact and law”.  This view is consistent with the D.C. Circuit opinion in Sprint Corp. v. FCC, but differs from the Fifth Circuit’s decision regarding AT&T, which found the FCC’s in-house adjudication process unconstitutional, reasoning that the de novo trial only allowed challenges to factual bases, not legal validity.

This ruling reinforces the stringent privacy protections surrounding customer location data and highlights the challenges ecommerce businesses face in navigating complex federal and state regulations, especially in telemarketing and SMS communications, where some states are attempting to regulate text messages sent to mobile phones located in their state without recognizing that businesses have no way to consistently ascertain whether a call will reach a subscriber in their state before the messages are sent.  

In a case currently pending in the United States District Court for the Western District of Texas, EIA asserts that the absence of location-based data makes it impossible to know who the state’s telemarketing law applies, which warrants invalidating Texas SB 140.  As EIA has explained, ecommerce businesses using SMS text marketing face “practically impossible” compliance burdens with state-level telemarketing laws that impose “quiet hours” and other requirements based on a recipient’s location. Without access to real-time location data, accurately determining a mobile subscriber’s precise location for compliance is unfeasible. The use of area codes alone is deemed unreliable for this purpose.

Applying location-based restrictions to messages for which consumers have provided explicit consent, combined with the technical inability to verify real-time location, significantly increases the risk of “frivolous lawsuits against legitimate businesses”. This creates costly burdens for ecommerce brands attempting to engage legitimately with their consenting customers.

Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business.