The Federal Communications Commission (FCC) has announced that it has levied almost $200 million in fines against “the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

The FCC’s allegations include that the carriers sold access to customers’ location information to aggregators, which then resold the data to third-party location-based service providers. The disclosure to the aggregators and the redisclosures to third parties did not include customer consent. The FCC alleged that “customers’ real-time location information, revealing where they go and who they are,” is some of the most sensitive data in carriers’ possession.”

The fines against the wireless carriers stem from a violation of § 222 of the Communications Act, which requires carriers to “take reasonable measures to protect certain customer information, including location information,” as well as maintain the confidentiality of the data and obtain “affirmative, express customer consent before using, disclosing, or allowing access to such information. The FCC maintains that these obligations apply when the carriers share customer information with third parties.

The FCC’s Privacy and Data Protection Task Force led the investigation, which started with customer complaints that a Missouri Sheriff was using a location-finding service to track the location of individuals.