The Federal Communications Commission today proposed fines against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.

As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million. The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.

The FCC opened this investigation following public reports that a Missouri Sheriff, Cory Hutcheson, used a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between 2014 and 2017. In some cases, Hutcheson provided Securus with irrelevant documents like his health insurance policy, his auto insurance policy, and pages from Sheriff training manuals as evidence of his authorization to access wireless customer location data.

“American consumers take their wireless phones with them wherever they go. And information about a wireless customer’s location is highly personal and sensitive. The FCC has long had clear rules on the books requiring all phone companies to protect their customers’ personal information. And since 2007, these companies have been on notice that they must take reasonable precautions to safeguard this data and that the FCC will take strong enforcement action if they don’t. Today, we do just that,” said FCC Chairman Ajit Pai. “This FCC will not tolerate phone companies putting Americans’ privacy at risk.”

All four carriers mentioned above sold access to their customers’ location information to “aggregators,” who then resold access to such information to third-party location-based service providers (like Securus). Although their exact practices varied, each carrier relied heavily on contract-based assurances that the location-based services providers (acting on the carriers’ behalf) would obtain consent from the wireless carrier’s customer before accessing that customer’s location information.

The size of the proposed fines for the four wireless carriers differs based on the length of time each carrier apparently continued to sell access to its customer location information without reasonable safeguards and the number of entities to which each carrier continued to sell such access.

The proposed actions, formally called Notices of Apparent Liability for Forfeiture and Admonishment, or NALs, contain allegations that advise the parties on how they have apparently violated the law and set forth a proposed monetary penalty. Neither the allegations nor the proposed sanctions in the NALs are final Commission actions. The parties will be given an opportunity to respond and the FCC will consider the parties’ evidence and legal arguments before taking further action to resolve these matters.