The Federal Communications Commission (FCC) has found that wireless carriers violated federal law in selling customer location data to third-parties.

FCC Chairman Ajit Pai has sent a letter to several lawmakers informing them of the results of the agency’s investigation. According to Engadget, in 2018 it first came to light that wireless carriers were selling “their customers’ real-time location data to aggregators, which then resold it to other companies or even gave it away.”

Senator Ron Wyden brought to Chairman Pai’s attention the case of prison phone company Securus Technologies. Securus was buying wireless location data and providing “that information, via a self-service web portal, to the government for nothing more than the legal equivalent of a pinky promise. This practice skirts wireless carrier’s legal obligation to be the sole conduit by which the government conducts surveillance of Americans’ phone records, and needless exposes million of Americans to potential abuse and surveillance by the government.”

Once the information came to light, Verizon was the first to promise to stop the practice, with the other three carriers following suit. Even so, the FCC launched an investigation to determine if federal laws were broken, and it appears they were.

In the letters, Chairman Pai said:

“Fulfilling the commitment I made in that letter, I wish to inform you that the FCC’s Enforcement Bureau has completed its extensive investigation and that it has concluded that one or more wireless carriers apparently violated federal law.

“I am committed to ensuring that all entities subject to our jurisdiction comply with the Communications Act and the FCC’s rules, including those that protect consumers’ sensitive information, such as real-time location data. Accordingly, in the coming days, I intend to circulate to my fellow Commissioners for their consideration one or more Notice(s) of Apparent Liability for Forfeiture in connection with the apparent violation(s).”

That last part, in particular, is an indication the FCC will take some form of action against the offending parties.

It’s one thing when companies offering a free service look for ways to profit off of their customers’ data—with the proper disclosures, of course. It’s quite another when companies that already charge for the service they offer then proceed to double-dip by selling their customers’ data, let alone doing it without properly disclosing it. It’s nice to see the FCC agrees such behavior is illegal, not to mention unethical.