Federal Court Upholds 92 Million Dollar Fine Against T-Mobile for Data Sales
In August 2025, the U.S. Court of Appeals for the District of Columbia Circuit delivered a definitive ruling in a years-long legal battle over consumer privacy. A three-judge panel unanimously upheld a $92 million fine imposed by the Federal Communications Commission (FCC) against T-Mobile and its subsidiary, Sprint. The penalty serves as a consequence for the unauthorized sale of real-time customer location data to third-party aggregators, a practice that the court deemed a clear violation of federal telecommunications law.
The decision reinforces the legal obligation of wireless carriers to protect sensitive user information. While T-Mobile argued that the FCC had overstepped its regulatory bounds and misinterpreted historical statutes, the appellate court clarified that mobile devices, by their very nature, function as tracking tools that demand stringent privacy safeguards under the Communications Act.
The Origins of the Location Data Scandal
The path to this multi-million dollar fine began in 2018 when investigative reports revealed a systemic failure within the American wireless industry. It was discovered that major carriers, including T-Mobile, Sprint, AT&T, and Verizon, were selling access to the real-time geographic coordinates of their customers. This data was not being sold directly to marketers in most cases; instead, it flowed through a complex ecosystem of "location information aggregators" such as LocationSmart and Zumigo.
These aggregators acted as middlemen, reselling the location access to a vast array of downstream service providers. While some uses were ostensibly legitimate—such as roadside assistance or fraud prevention for banks—the lack of oversight led to catastrophic privacy breaches.
One of the most egregious examples involved a service operated by Securus Technologies. This company provided a "location-finding service" used by law enforcement. Evidence surfaced that a sheriff in Missouri had used the Securus portal to track the locations of numerous individuals without obtaining a warrant or any legal authorization. The ease with which sensitive data could be accessed by unauthorized parties highlighted a fundamental flaw in how T-Mobile and its peers managed Customer Proprietary Network Information (CPNI).
Technical Breakdown of How Carriers Tracked Users
To understand the severity of the violation, it is necessary to examine how mobile networks generate and store location data. Every cellular device must maintain a constant or periodic connection with the nearest cell tower to receive calls, texts, and data. This process creates a "ping" that records the device's proximity to specific network infrastructure.
Over time, these pings create a comprehensive history of a customer’s movements. As noted in the 2025 court ruling, this data provides an intimate window into a person's life, revealing their home address, workplace, medical visits, political affiliations, and social circles.
T-Mobile and Sprint shared this "real-time" location data via Application Programming Interfaces (APIs). When a third party requested the location of a specific phone number, the carrier's system would provide the coordinates based on the latest tower connection. The FCC investigation found that T-Mobile effectively offloaded the responsibility of obtaining customer consent to the third-party buyers. Instead of verifying that a customer had "opted-in" to the sharing, the carriers relied on contractual promises from aggregators—promises that were frequently ignored or bypassed.
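The consent gap described above, sketched as an added example (not code from the carriers, the aggregators or the FCC record): a handler that trusts the caller's claim of consent beside one that checks an opt-in record held by the carrier and logs each decision. The record schema, provider names, phone numbers and coordinates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Consent:
    """Opt-in record held by the carrier itself (hypothetical schema)."""
    msisdn: str
    provider: str      # downstream service the customer approved
    purpose: str       # what the customer approved it for
    expires: datetime

# Constructed sample data: reserved 555-01xx numbers, made-up coordinates.
CONSENTS = [Consent("+12025550100", "roadside-co", "roadside_assistance",
                    datetime(2030, 1, 1, tzinfo=timezone.utc))]
LAST_FIX = {"+12025550100": (38.6270, -90.1994), "+12025550101": (38.5767, -92.1735)}
AUDIT = []  # every decision is recorded so downstream use can be monitored

def locate_delegated(req):
    """Weak pattern from the text: trust the caller's own claim of consent."""
    if req.get("consent_asserted"):
        return LAST_FIX.get(req["msisdn"])
    return None

def locate_verified(req, now):
    """Release a fix only if the carrier's own record covers this subscriber,
    this downstream provider and this purpose, and has not expired."""
    allowed = any(
        c.msisdn == req["msisdn"] and c.provider == req["provider"]
        and c.purpose == req["purpose"] and c.expires > now
        for c in CONSENTS)
    AUDIT.append({"time": now.isoformat(), "msisdn": req["msisdn"],
                  "provider": req["provider"], "purpose": req["purpose"],
                  "released": allowed})
    return LAST_FIX.get(req["msisdn"]) if allowed else None

if __name__ == "__main__":
    now = datetime(2025, 8, 1, tzinfo=timezone.utc)
    # Caller asserts consent for a subscriber who never opted in.
    unbacked = {"msisdn": "+12025550101", "provider": "locator-portal",
                "purpose": "locate", "consent_asserted": True}
    print(locate_delegated(unbacked))      # fix is released on the caller's word
    print(locate_verified(unbacked, now))  # None: no carrier-held opt-in
    print(AUDIT[-1])
```

The audit list is what makes the second half of the obligation possible: a denied or unusual request pattern from one downstream provider is visible to the carrier instead of staying inside the aggregator's systems.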
The FCC Forfeiture Order of 2024
After years of investigation and a preliminary Notice of Apparent Liability (NAL) in 2020, the FCC finalized its enforcement action in April 2024. The commission levied nearly $200 million in total fines across the industry:
- T-Mobile: Fined $80.1 million.
- Sprint: Fined $12.2 million (Sprint merged with T-Mobile in 2020, making T-Mobile liable for both).
- AT&T: Fined $57.3 million.
- Verizon: Fined $46.9 million.
The FCC's logic was based on Section 222 of the Communications Act. This statute mandates that telecommunications carriers have a duty to protect the confidentiality of proprietary information. The commission determined that the carriers failed to take "reasonable measures" to prevent unauthorized access to CPNI. Even after the public outcry and the exposure of the Securus breach, the carriers reportedly continued to sell access to location data for several months before finally shutting down their aggregator programs in 2019.
Why T-Mobile Challenged the Fine in Court
Despite paying the fine, T-Mobile sought to overturn the decision in the U.S. Court of Appeals. The company’s legal strategy rested on three primary arguments:
The CPNI Definition Argument
T-Mobile contended that the device-location information generated by cell towers does not qualify as Customer Proprietary Network Information (CPNI) under the law. They argued that Section 222 was designed to protect information related to "telecommunications services," which they interpreted strictly as voice calls. According to T-Mobile’s legal team, the "location of use" mentioned in the statute should only apply when a customer is actively on a call. They claimed that passive pings to a tower while a phone is in a pocket do not meet this criterion.
The Seventh Amendment and Jury Trial Claim
In a move reflecting recent shifts in administrative law, T-Mobile argued that the FCC’s internal process for issuing fines violated their constitutional right to a jury trial. They cited the Supreme Court’s decision in SEC v. Jarkesy (2024), which held that when a federal agency seeks civil penalties for actions that resemble traditional common-law fraud, the defendant is entitled to a trial in an Article III court with a jury. T-Mobile argued that the FCC acted as judge, jury, and executioner.
The Fair Notice Argument
T-Mobile claimed they did not have "fair notice" that their practices were illegal. They argued that the FCC had never explicitly stated that sharing location data with aggregators was a violation of the CPNI rules until the enforcement action was already underway.
The Appellate Court’s Unanimous Rejection
The D.C. Circuit Court of Appeals was not persuaded by T-Mobile’s interpretations. In the ruling authored in August 2025, the judges systematically dismantled the carrier's defense.
Regarding the definition of CPNI, the court ruled that T-Mobile's interpretation was "strained." The judges noted that the Communications Act refers to the "location... of a telecommunications service," not just the location of a voice call. Since a smartphone connects to a network to enable both voice and data services at any moment, the customer is "using" the service whenever the device is connected to the carrier’s network. Therefore, the location of that connection is legally protected information.
On the issue of a jury trial, the court found that T-Mobile had essentially waived this right. The judges pointed out that under existing procedures, a carrier can choose to refuse payment of an FCC fine. If they do so, the government must then file a collection action in a federal district court, where a jury trial could potentially take place. By choosing to pay the fine and then seeking direct appellate review of the agency's order, T-Mobile opted into a different legal path and could not later claim they were denied a jury.
The court also dismissed the "fair notice" claim. The ruling emphasized that the duty to protect customer confidentiality is a broad and clear obligation under Section 222. The fact that the carriers were aware of specific abuses (like the Missouri sheriff incident) and yet failed to implement new safeguards for a significant period made their conduct "egregious."
Comparison with the AT&T and Verizon Cases
The T-Mobile ruling is particularly significant because it contrasts with the outcome of AT&T’s appeal. In a separate case handled by the Fifth Circuit Court of Appeals, AT&T successfully challenged its portion of the FCC fine. The Fifth Circuit reached a different conclusion regarding the FCC's procedures and the application of the law, creating a potential "circuit split."
A circuit split occurs when two different federal appeals courts interpret federal law in conflicting ways. This often paves the way for the Supreme Court to intervene to provide a final, nationwide resolution. Meanwhile, Verizon’s challenge is being heard in the Second Circuit, and a verdict there is still pending as of late 2025.
The discrepancy between the D.C. Circuit and the Fifth Circuit highlights the ongoing legal volatility surrounding digital privacy and the powers of administrative agencies. While T-Mobile remains on the hook for $92 million, the broader industry is watching closely to see if the Supreme Court will eventually weigh in on whether "location of use" covers the 24/7 tracking of mobile devices.
The Broader Impact on Consumer Privacy
The upholding of the T-Mobile fine marks a major victory for consumer advocacy groups and privacy watchdogs. For years, the "data broker" industry has operated in a legal gray area, with consumer information being passed through numerous hands with little to no transparency.
By affirming that carriers are legally responsible for the actions of their third-party partners, the court has set a high bar for data stewardship. Carriers can no longer shield themselves from liability by simply including "consent clauses" in their contracts with aggregators. They are now expected to take "reasonable steps" to verify that consent actually exists and to monitor how their data is being used.
Section 222 of the Communications Act, though originally written in an era of landline telephones, has been reaffirmed as a vital tool for the digital age. It serves as a rare federal privacy protection in a country that lacks a comprehensive national data privacy law.
Historical Context: From Pai to Rosenworcel
The T-Mobile case spanned two different leadership eras at the FCC. The investigation began and the initial fines were proposed under Chairman Ajit Pai, a Republican appointee. However, the final Forfeiture Orders and the defense of those orders in court occurred under Chairwoman Jessica Rosenworcel, a Democrat.
This bipartisan continuity in pursuing the location data case underscores the severity of the violations. While Republican commissioners Brendan Carr and Nathan Simington dissented on the final 2024 vote (primarily over the calculation of the fines and procedural concerns), the underlying consensus remains that the unauthorized sale of real-time location data crossed a line of public trust.
Summary of the Current Legal Status
As it stands in late 2025:
- T-Mobile and Sprint: Must pay the $92 million fine as the D.C. Circuit has upheld the FCC's order. T-Mobile has the option to request an en banc review by the full court or appeal to the Supreme Court.
- AT&T: Has successfully vacated its fine in the Fifth Circuit, though the FCC may still appeal this.
- Verizon: Still awaiting a decision from the Second Circuit Court of Appeals regarding its $46.9 million penalty.
- Industry Practice: All major carriers claim to have ceased the sale of real-time location data to aggregators as of 2019.
What is CPNI?
Customer Proprietary Network Information (CPNI) refers to the data collected by telecommunications companies about their subscribers. This includes the time, date, duration, and destination of calls, as well as the type of services used and the geographic location of the device. Under federal law, carriers are prohibited from sharing this information with third parties without the explicit "opt-in" consent of the customer, except for specific purposes like billing or emergency services.
How to Protect Your Location Data
While carriers have stopped selling real-time data to aggregators, many smartphone apps still collect and sell location information. Consumers should:
- Review App Permissions: Periodically check which apps have "Always On" access to location services.
- Use Privacy Settings: Utilize features like "Precise Location" toggles to limit the accuracy of data shared with non-essential apps.
- Opt-Out of Carrier Programs: Check your T-Mobile, AT&T, or Verizon account settings to ensure you have opted out of any "Marketing Insights" or "Relevant Advertising" programs that involve data sharing.
Conclusion
The $92 million fine against T-Mobile is more than just a financial penalty; it is a landmark enforcement of digital privacy rights. The D.C. Circuit’s ruling sends a clear message to the telecommunications industry: the convenience of modern connectivity does not grant companies the right to commoditize the movements of their users. As the legal battles continue in other circuits and potentially reach the Supreme Court, the T-Mobile case stands as a foundational precedent for the principle that in the age of the smartphone, location is one of the most private pieces of information a person owns.
FAQ
Why was T-Mobile fined by the FCC?
T-Mobile was fined for illegally sharing and selling access to customers' real-time location data to third-party aggregators without obtaining valid customer consent. This data was subsequently used by unauthorized individuals, including a bounty hunter and a sheriff, to track people without warrants.
Exactly how much is the T-Mobile fine?
The total fine upheld by the court in August 2025 is approximately $92 million. This includes an $80.1 million penalty for T-Mobile USA and a $12.2 million penalty for its subsidiary, Sprint.
Is it legal for T-Mobile to sell my location data now?
Following the initiation of FCC investigations and public backlash in 2018-2019, T-Mobile and other major carriers stated they have terminated their programs that sold location data to third-party aggregators. However, they may still use data for internal purposes or with explicit user consent for specific services.
Did other carriers like AT&T and Verizon get fined?
Yes. AT&T was fined $57.3 million and Verizon was fined $46.9 million for similar violations. However, AT&T successfully challenged its fine in the Fifth Circuit Court of Appeals, while Verizon’s legal challenge is still pending.
What was the "Securus" breach mentioned in the case?
Securus was a provider that operated a "location-finding service" for law enforcement. It gained access to carrier data through aggregators. The breach occurred when it was discovered that unauthorized users were using the Securus portal to track individuals' cell phones across the country without any legal oversight or warrants.
How did the court define "Location of Use"?
The D.C. Circuit Court of Appeals ruled that "location of use" refers to any time a mobile device connects to a cell tower to be able to send or receive calls and data. This rejected T-Mobile’s argument that the term only applied to the duration of an active voice call.