Large US telco loses appeal against US$46.9m data privacy fine

Attempting to reinterpret what constitutes “location data” did not work; neither did the attempt to claim trial despite lacking legal standing.

On 10 Sep 2025, a US federal appeals court upheld a US$46.9m penalty against Verizon Communications for illegally selling customer location data without user consent, marking a significant precedent in digital privacy enforcement.

The Second Circuit Court of Appeals has ruled that Verizon violated federal law by failing to properly safeguard device-location information, classified under “customer proprietary network information” in the country’s Communications Act.

Verizon’s defense had argued that device location data was not protected by the Act, but the court has rejected the claim. The judges have affirmed that such data can only be accessed due to the carrier-customer relationship, and thus merits federal privacy protection.

The case centers on the firm’s outsourcing of customer consent responsibilities to more than 60 third-party service providers through contractual agreements, a method exposed as incomplete and flawed when breaches involving the prison telecom contractor Securus Technologies were brought to light. The latter firm had allowed law enforcement to access customer location data without proper authorization, sometimes even without legal procedures, by failing to scrutinize government requests.

Verizon had contended that the heavy fine was a violation of its Seventh Amendment right to a jury trial and exceeded statutory limits, but the court ruled that the company could have secured a jury trial by declining to pay the penalty and seeking “trial de novo” if the government attempted to collect, instead of immediately contesting the forfeiture in appellate court.

The decision comes after the country’s Federal Communications Commission levied nearly US$200m in combined fines on Verizon, AT&T, T-Mobile, and Sprint for mishandling location data.

The appeals-court ruling confirms that device-location data, when shared without clear and direct consent, is a violation of US federal privacy regulations, and subjects carriers to substantial financial penalties. Elsewhere in the world, data protection laws and legal and procedural differences vary, but generally follow GDPR principles that grant final legal discretion to regulators.