	Federal Communications Commission	FCC 24-41
DISSENTING STATEMENT OF
COMMISSIONER BRENDAN CARR

Re:	In the Matter of Verizon Communications, Forfeiture Order, File No.:  EB-TCD-18-00027698 (April 17, 2024)

For more than a decade, location-based service (LBS) providers have offered valuable services to consumers, like emergency medical response and roadside assistance.  Up until the initiation of the above-captioned enforcement actions, LBS providers did so by obtaining access to certain location information from mobile wireless carriers like AT&T, Verizon, and T-Mobile.  Then, in 2018, a news report revealed that a local sheriff had misused access to an LBS provider’s services.  That sheriff was rightly prosecuted for his unlawful actions and served jail time.  Subsequently, all of the participating carriers ended their LBS programs.  So our decision today does not address any ongoing practice. 
This is not to say that LBS providers have ended their operations.  They have simply shifted to obtaining this same type of location information from other types of entities.  That is why I encouraged my FCC colleagues to examine ways that we could use these proceedings to address that ongoing practice.  But my view did not prevail.
That brings us to the final Forfeiture Orders that the FCC approves today.  Back in 2020, after the mobile wireless carriers exited the LBS line of business, the FCC unanimously voted to approve Notices of Apparent Liability (NALs) against the carriers.  Even then, it was clear that at least one LBS provider had acted improperly.  So I voted for the NALs so we could investigate the facts and determine whether or not the carriers had violated any provisions of the Communications Act.
Now that the investigations are complete, I cannot support today’s Orders.  This is not to say that the carriers’ past conduct should escape scrutiny by a federal agency.  Rather, given the nature of the services at issue, the Federal Trade Commission, not the FCC, would have been the right entity to take a final enforcement action, to the extent the FTC determined that one was warranted.  
Here’s why.  Unlike the FTC, Congress has provided the FCC with both limited and circumscribed authority over privacy.  Congress delineated the narrow contours of our authority in section 222 of the Communications Act.  The services at issue in these cases plainly fall outside the scope of the FCC’s section 222 authority.  Indeed, today’s FCC Orders rest on a newfound definition of customer proprietary network information (CPNI) that finds no support in the Communications Act or FCC precedent.  And without providing advance notice of the new legal duties expected of carriers (to the extent we could adopt those new duties at all), the FCC retroactively announces eye-popping forfeitures totaling nearly $200,000,000.  These actions are inconsistent with the law and basic fairness.  The FCC has reached beyond its authority in these cases. 
According to the Orders, our CPNI rules now apply whenever a carrier handles a customer’s location information—whether or not it relates to the customer’s use of a “telecommunications service” under Title II of the Communications Act.  Here, the location information was unrelated to a Title II service.  The customer did not need to make a call to convey his or her location.  In fact, the carrier could have obtained the customer’s location even if the customer had a data-only plan for tablets.  Yet the Order concludes that the carriers mishandled CPNI.      
That cannot be right.  Start with the definition of CPNI, which section 222 of the Communications Act defines as:  
information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship. 47 U.S.C. § 222(h)(1)(A).
 
That definition has two key limitations.  First, the information must be of a specific type.  As relevant here, CPNI must “relate to” the “location … of use of a telecommunications service.”  Second, the information must have been obtained in a specific way.  The customer must have made his or her location “available to carrier” and “solely by virtue of the carrier-customer relationship.”  
Take the first limitation.  By requiring that the location “relate” to the “use of a telecommunications service,” the statute covers a particular type of data known as “call location information”—namely, the customer’s location while making or receiving a voice call.  Section 222 confirms this commonsense reading elsewhere when it expressly refers to “call location information.” 47 U.S.C. § 222(f)(1) (ordinarily requiring “express prior authorization of the customer” for carrier disclosure of “call location information”); 47 U.S.C. § 222(d)(4) (allowing, however, carrier disclosure of “call location information” in certain emergency situations). 
  These statutory references to “call location information” would make no sense if Congress intended for CPNI to cover all location information collected by a carrier, irrespective of particular calls.  
The FCC confirmed that “straightforward” interpretation in a 2013 Declaratory Ruling. Telecommunications Carriers’ Use of Customer Proprietary Network Information and Other Customer Information, Declaratory Ruling, 28 FCC Rcd 9609, para. 22 (2013).  
  The definition of CPNI, this agency held, encompassed “telephone numbers of calls dialed and received and the location of the device at the time of the calls.” Id. at para. 22.  
  The FCC also clarified that CPNI included “the location, date, and time a handset experiences a network event, such as a dialed or received telephone call [or] a dropped call.” Id. at para. 25.  
  
Although the Orders claim CPNI was at play, they do not contend that “call location information” was disclosed.  Nor could they.  As the Orders concede, the carriers obtained their customers’ location whenever a customer’s device pinged the carrier’s cell site, even when the device was otherwise idle.  No voice call was necessary for the carrier to obtain the customer’s location.  In fact, the carrier could gather the customer’s location even if the customer did not have a voice plan.  So, the “location” did not “relate to” the “use” of a “telecommunications service” in any meaningful sense.
Turning to the second limitation, it seems implausible to conclude that the carrier obtained the customer’s location “solely by virtue of the carrier-customer relationship,” as section 222 requires.  True, many of these customers might have had voice plans, thereby creating a “carrier-customer relationship.”  But any Title II relationship was, at most, coincidental.  The carrier could have obtained the customer’s location even in the absence of a call, and even in the absence of a voice plan.  
The massive forfeitures imposed in these Orders offend basic principles of fair notice.  The FCC has never held that location information other than “call location information” constitutes CPNI.  Nor has the FCC stated that a carrier might be liable under our CPNI rules for location information unrelated to a Title II service and collected outside the Title II relationship.  So, even if we could proscribe the conduct at issue here through a rulemaking (and I am dubious that we could), it would be inappropriate and unlawful to impose the retroactive liability that these Orders do.
In the end, these matters should have been handled by the FTC.  Our CPNI rules are narrow and do not cover every piece of data collected by an FCC-regulated entity.  Besides, as the Communications Act makes clear, carriers are regulated under Title II only when they are engaged in offering Title II services. 47 U.S.C. § 153(51) (“A telecommunications carrier shall be treated as a common carrier under this chapter only to the extent that it is engaged in providing telecommunications services …”); see also FTC v. AT&T Mobility LLC, 883 F. 3d 848, 863-64 (9th Cir. 2018) (holding that the FTC’s “common carrier” exemption to Section 5 of the FTC Act “bars the FTC from regulating ‘common carriers’ only to the extent that they engage in common-carriage activity”).
  In situations where an FCC-regulated entity offers a Title I service, such as mobile broadband, the FTC is the proper agency to enforce privacy and data security practices under generally applicable rules of the road.  I respectfully dissent.