Verizon disputed this not because the fine was in ANY way impactful, but because they wanted to push to see if they could legally do it without any repercussions. In their last quarter alone they made over 9k million USD, if I'm reading it right [0].
> Verizon chose to pay fine, giving up right to jury trial
40Million fine is a cost of doing business, but my question is if people's data was sold without consent, why is a class action not taken against them? Where is the right of the injured party here ?
When the punishment for the crime is a fine, it's just a subscription service that allows the wealthy to break rules, trust and expectations.
But, let's push that fine up to $40 billion US (with a b) and see what happens. If we need to go harder, let's add some enforceability, too. Maybe they have 1 year to pay it or lose the right to do business in the US (or whatever country) for 12 months? Get creative with the pain, but cause it none the less.
> Or a percentage of the global revenue. That's basically the EU's GDPR directive.
> Worked wonders.
Unfortunately the GDPR is mostly toothless considering that the fines against Meta and Amazon were basically nothing. Certainly nothing close to a "percentage of global revenue".
Honestly, the whole thing seems aimed at just shaking down American tech companies to try to collect some additional revenue to keep funding the EU bureaucracy.
> Honestly, the whole thing seems aimed at just shaking down American tech companies
Not if you follow the cases as they happen. You probably think of the USA companies (and even then only a subset) being fined because those are both the biggest offenders and the ones with the most money, in addition to being the most well known.
Well Meta was fined 1.2bn Euro in 2023 for violating GDPR guidelines, the latest being another 91m Euro in 2024 IIRC, making the total so far somewhere along 2.5 billion euros.
A quick Google-search tells me Meta's Europe Revenues in 2023 were 31.21bn USD, so the fine was ~3.5% of their Europe revenue at least (but yes, lesser on their global revenue).
Either way, the purpose of GDPR is not to earn money, but to reach compliance to the guidelines. The directive didn't fail if a company wasn't fined for not being compliant, it's the lever to reach compliance.
> Honestly, the whole thing seems aimed at just shaking down American tech companies to try to collect some additional revenue to keep funding the EU bureaucracy.
There's a world outside of US as well, even within Europe.
Companies whose main business is to deal with personal data are of course harder to transform, but it's hard to overstate the impact GDPR already had on the huge mass of companies who DON'T primarily deal with personal data.
Many People on here who worked in a larger company when GDPR became effective have seen the seismic impact it had on how PI/PII data is being handled. Suddenly companies asked themselves whether they REALLY need all this PII in all those different data silos across their operations.
GDPR isn't perfect, the EU isn't perfect, but with GDPR the EU made a leap forward in Private Data Protection.
> GDPR became effective have seen the seismic impact it had on how PI/PII data is being handled.
I think the only thing most people are seeing are the absolutely obnoxious cookie banners spewed across the entire world wide web. I think a lot of people truly believe that the EU single-handedly ruined the internet. And now they're attempting to impose even more misguided laws on themselves with chatcontrol nonsense.
I think it's fine to let them do it, as long as the mess stays in the EU.
Then those people are fools who would gladly let in the wolves just to stop them from banging on the front door. The correct response to cookie banners should be to ask why companies are so willing to ruin the user experience in order to be able to track data of even just those users who accept the banner (willingly or not).
> My thinking is that if a data protection office did not fine Meta or Bytedance in a given year, heads would roll. It's a revenue collection device
Not sure which field you work in, but this is already in contradiction with the fact that those companies aren't simply fined spontaneously.
The fine is the outcome of an investigation that started with an inquiry to the company, possibly based on a complaint.
In case of the 1.2bn EUR fine for Meta, the process took YEARS of investigation [0], and the company was fined because the GDPR-violating transfers were "systematic, repetitive and continuous"
Verizon is a telco, a regulated industry. They are protected by a tariff, you cannot sue them. So there cannot be a class action lawsuit against a company that can’t be sued.
Yeah. Showing concrete harm from e.g. collection of location data for marketing purposes is a huge challenge. Show even one instance of someone being harmed by specifically what Verizon did (it doesn't exist). We have all sorts of ad tech collecting huge profiles and yet where is the demonstrated harm?
This is coming from someone with a great interest in privacy, enough to know that advocates purposefully conflate privacy in the sense of limiting government overreach and privacy in the sense of limiting the spread of embarrassing information. I want the former and the latter, but neither really interacts with advertising, in an intellectual honest way. If only data were as valuable as people thought it was.
This is a really unpopular opinion and I'm sure it will be downvoted so, you know, there's that. You've "won." If someone could figure out the harm maybe there would be a regulation. It's been a long time and there still isn't, so you can't just wave your hands around and say, corruption, because there are actually a huge number of laws, simply colossal, and I cannot believe that the position you believe in is so true but so corrupt as to have exactly zero consequences for substantive torts.
> We have all sorts of ad tech collecting huge profiles and yet where is the demonstrated harm?
It's simply down to lack of consent, other tech companies will do the same, after you agree to intentionally over complicated TOS'. And there are examples of collected analytical data being used for nefarious purposes, namely Cambridge Analytica comes to mind. This was collected without consent. Being manipulated and in cases outright lied to into something is being an injured party.
It is an unpopular opinion, but its because it should be. If verizon have a data breach and all that collected information about you is used without anyone even knowing. These things happen, correlating your banking information for example with your personal information happens all the time. A goldmine for social engineering.
Okay, I mean some medical studies collect data on millions of people, and those datasets too have the potential that, due to security arcana, can be data breached. Does that mean I should be able to sue all medical studies for collecting data on that potential? Of course I support some kind of penalties for data breaches, but you see that it something entirely different from, "data collection itself causes harm." You just can't show that...
Will this protection extend to automobile companies ? Mobile Apps ? Mobile OSs ? I have lost track of the number of leakage points for location data into the tarball of databrokers.
There are laws about what a contract can say. If you have no choice in the contract terms the laws are stronger.
You cannot agree to a contract that makes you a slave (at least not in most countries). A contract to kill someone is illegal. There are a lot of less obvious things that are not allowed in contracts. (see a lawyer for details)
Any US court will agree that living without a smartphone or car is not feasible for a normal person in this day and age, so not offering service unless on contract is coercion. As I have no choice but accept those terms and thus there is a high bar in what they can put in the terms since I have no choice but accept them.
Nope. The court is applying an old law that specifically applies to carriers providing "telecommunications services", no one else.
(Incidentally, even the term "telecommunications service" only encompasses voice call service, not mobile data or SMS. The FCC tried to reclassify Internet access as a telecommunications service during the Obama and Biden administrations, in order to get authority to impose net neutrality rules, but it was ultimately overturned in court.)
The thing is that VZW could win on appeal with that. They are title II of the telecommunications act not title I. Cell services have a huge carve out in II both for data and communication services. I was surprised by that. It was one of the justifications of them selling this data. The are legally considered basically an ISP not a phone service.
Basically
Title I = old POTS systems and radio. VZ does take it very seriously.
Title II = Cell/ISP rules. VZ is kinda playing fast and loose with it. Just like what all advertising, ISP companies, and web providers do.
Honestly the right way is to stop reinterpreting (thru the courts and regulations) the rules depending on who is in charge that day and have congress hammer out what is and is not allowed.
Close but the Obama 2015 reclassification was actually upheld. Law of the land from 2015 to 2018.
Ajit Pai undid it, a court said reverting was fine because DNS.
Biden FCC took forever to reclassify and then lost in a Trumpy circuit court. Advocates didn't appeal largely because the courts are so screwed now and don't want an awful Supreme Court ruling.
But it's very clear for the law that internet communications actually are telecom, and I suspect we'll see this revisited in the future
Given that in practice voice is now just data, it should be revised. But that's expecting the law to match technical reality, which may be overoptimistic...
> "telecommunications service" only encompasses voice call service
I wonder if those helpful text messages from some company can locate you?
I've heard that tow truck companies can find your location because it is somewhat like and emergency.
by the way, verizon is just plain evil.
I remember years ago when they would add identifying cookies to all web requests outgoing from your phone to identify your specific handset. (search "verizon supercookie")
The courts have decided that Verizon selling location data without consent is illegal but I'd be willing to bet that the courts haven't decided that it should be unprofitable.
I'd be surprised if Verizon and the other companies haven't made more than enough money by breaking the law back in 2018 to rake in a nice profit even after the fines they're trying to weasel out of paying now.
I have no doubt that they're still selling our data one way or another anyway. We know for a fact that they've never stopped selling data to to law enforcement, they just require a rubber stamped court order/subpoena to do it.
That was probably a sound legal strategy. Selling location data without consent is obviously unethical behavior that should be illegal. A jury is more likely to rule on the basis of that; with a judge maybe there's a chance that a technicality in the law leads to a ruling in their favor.
Anyway, this practice should be criminalized with companies and their employees receiving criminal penalties like jail time.
Besides, one reason why they can be coerced is because these actions aren't clearly illegal. If they are, the employee can just report what they're being asked to do to the police. Workplace safety has been dramatically improved in western countries simply by making many unsafe practices illegal and creating entities to report illegal work to. While this did require criminal charges for some managers and employees, because safety has improved so much, they're really not that common.
I remember when I had workplace safety training as a poorly paid university lab monitor. They made clear that I had potential criminal legal liability if I allowed egregiously unsafe things to happen. So they didn't.
It doesn't legitimize all police brutality, only whatever amount of it is necessary to keep your job.
And legitimising this is appropriate. The only other position -- requiring people to behave in a way that doesn't meet their basic needs for survival -- would be inappropriate. It is the responsibility of those in power to prevent society from degrading to a point where police are forced to be violent in order to keep their jobs.
No brutality is legitimate. First of all, if police get this pass, then so do the street criminals they deal with. And then you just have a never-ending conflict since both sides get moral passes to put themselves above the greater good.
If you study game theory such as the prisoner's dilemma, you'll understand that these are perverse incentives where actors are certainly "rational" given their constraints, but the overall system is harmed. In a feedback loop such as society, this can have a runaway effect until eventual societal collapse.
> legitimising this is appropriate
For who? Who decides this?
> It is the responsibility of those in power to prevent society from degrading to a point where police are forced to be violent in order to keep their jobs.
Maybe you now understand why this is circular logic. If those in power are just doing what they "have to do" in order to keep their job and survive, and civilians do what they "have to do", and police do what they "have to do", the buck gets passed to no one. Every single culpable party gets to say it's not their fault or their responsibility to introduce structural change through personal sacrifice.
If a doctor fucks up is liable for bad practice.
If an architect fucks up is liable for bad practice.
CEOs, CTOs, etc. of organizations with the budged of small countries can be stupid, unknowledgeable and reckless and there are no consequences (unless it affects shareholders money). Executives should be held legally accountable of the damage that their companies do.
Accountability is required for a civilized society. When the people with the most power do not need to follow any rule we get into anarchy and chaos. Just watch the news to see that it is already happening.
What makes this more infuriating is that they always point to their additional responsibilities, when it comes to pay/salary. Oh yes, they need to manage sooo much responsibility! But when these things happen, no one seems to be taking the responsibility. Very strange. Almost as if some people only want the upsides of "responsibility".
Ha, yes! I was actually thinking about using that exact phrasing, but then wasn't 100% sure, whether that is basically the definition of that phrase. Thanks for confirming.
There are also various ways that big companies have to influence judges or increase the odds of getting favorable ones, not even mentioning outright corruption, where quickly and randomly selected jurors are harder to touch.
Too bad the US spent so much time prosecuting Google, which never sells personal tracking information, instead of Verizon Which sells everyone's data and is also a ISP monopoly in many places.
what are the ways you can poison or fake your location data, like if Verizon in response to this decides to offer a cheaper plan for sharing your location data?
Even better, the fine should be a percentage of the whole annual company revenue. So the action cannot be evaluated with an isolated break-even calculation.
Carriers have been selling this stuff forever. The only surprise is that they were arrogant enough to argue it was outright legal rather than hiding behind “user consent” fine print.
The bigger issue is that every telecom treats location data as an asset class. If you think a court ruling will make them suddenly respect privacy, I’ve got a bridge to sell you. They’ll just bury consent deeper in the UX until it looks indistinguishable from compliance.
As a fun but impractical thought-experiment, imagine the differences in a world with a rule like: "If you voluntarily share data about a customer which becomes instrumental in crime committed against that customer, the company is considered an accomplice to the crime."
It's not just telecom, the usage data of a product is naturally an asset of every company.
It's just a matter whether this data contains PI (=Personal Information) or (!) PII (=Personally Identifiable Information --> Information that can be combined with other data to create PI).
The EU GDPR (here mostly known for consent-popups on websites it seems) allows companies to keep this kind of data but requires very strict governance and user-consent if the data contains PI or PII.
And everyone who worked in a larger company at the time of enforcement saw the wonders it did. Suddenly whole departments reviewed the amount of data they collect, and found there was a huge portion of telemetry data that was actually NOT needed to preserve this asset-value (Names, Addresses, Serial numbers, etc...)
Funny that you say that, I just discovered this phone service called Cape - https://www.cape.co/
It was co-founded by John Doyle who led Palantir’s national security business before starting this company. I think this comment best describes why Cape was started in the first place:
"Cape is not disclosing valuation, but it’s notable that the funding is coming at a time when startups building military, defense, and security services are getting increased focus and priority at a time when geopolitics are shifting.
While many of those shifts are playing out at a much higher level involving wars, espionage against officers and officials, and major contacts between outsized industrial entities, Cape’s products and its growth are one of the rare examples of how some of that evolution is playing out at a consumer level"
Hi -- I'm Head of Product at Cape (previously led product at DuckDuckGo). We are indeed trying to provide an alternative to all the data collection and sharing major carriers do in the US. Happy to answer any questions people have about Cape.
This may be the wrong time to ask this, but does anyone know where I can buy some location data? I don't want to ask for consent because I want the data (and the analysis) to be as general as possible.
That being said, I have a significant amount of flexibility. The data can be completely anonymized by stripping out the names, addresses etc. The location can be blurred by some radius that's roughly the size of the local census blocks groups. In other words, the location should be random enough to mix together 500-3000 people. The time can also be blurred by a radius of about a week or so. Options like differential privacy are encouraged.
The goal is not to track individuals, just get a rough measure of where they spend their time.
First, does anyone think this is a bad or dangerous set of data?
Second, if not, can anyone point me to some data brokers?
No. It's not a joke. There are many good research projects that we can do that don't need to compromise people's privacy. So we need to find a way to do it in a way that generates useful insights without making someone feel like the target of a stalker.
Definitely not until after the current fashion of fascism is over.
The only way to be able to get something like that passed will be if we can repudiate the money-first, Christofascist, rule-by-fear ideologies and positions that currently hold sway over one of our two viable political parties.
The grass is always greener on the other side. I live in the EU and GDPR isn't much better. All it requires is "informed consent" (i.e a click or a tap on a button) from the "data subject" and people can evade privacy with impunity. The only side effect is that those of us on this side of the pond, get ugly cookie banners.
> All it requires is "informed consent" (i.e a click or a tap on a button) from the "data subject"
Correct. Clear, opt-in informed consent to use personal data is the fundamental principle of the GDPR. As it should be. I'm puzzled why you think this is a negative.
> and people can evade privacy with impunity.
Certainly not. The GDPR does not permit data trawling or allowing data controllers to do what they like with your personal data once they have it. It must only be used for the purpose it was requested for.
> ugly cookie banners
Once again, there is no requirement for 'cookie banners'. You are free to use whatever cookies you want to run your site. HOWEVER, if you are using those cookies to track me (advertisers take a bow) then you need my clear, opt-in informed consent to do so. And so you should!
I continue to be astounded at the ignorance some people have of such a vital privacy law; one that is fundamental to modern data use and respect for the customer.
> Certainly not. The GDPR does not permit data trawling or allowing data controllers to do what they like with your personal data once they have it. It must only be used for the purpose it was requested for.
You might want to read the privacy policies of some of the European fintech and ad-tech companies (nb: I've worked at some of them). They cast a wide blanket over all purposes.
At best, the GDPR only introduces a minor indirection, the problem of hoodwinking the "data subject" into clicking the accept button. At worst, it gives them false sense of privacy, where there isn't much.
> At best, the GDPR only introduces a minor indirection, the problem of hoodwinking the "data subject" into clicking the accept button
True. Some people are daft enough to opt-in and click the "accept cookies" and "give my personal and location data to strangers" buttons. These people don't care about privacy and are beyond help.
> At worst, it gives them false sense of privacy, where there isn't much.
Those of us who bother to understand and use privacy law have very good protection thankyouverymuch.
you have to constantly advertise your location to get cell service (by design, didn't have to be so)
stores scan your phone radio and also aggregate this data to map your store visit.
this was all done with credit cards in the 50s and then outlawed, hence: reward programs.
so, can't wait for Verizon to offer a cell coverage reward program that is nothing but a waiver to your data, just like reward programs from credit cards of yore.
> Verizon chose to pay fine, giving up right to jury trial
40Million fine is a cost of doing business, but my question is if people's data was sold without consent, why is a class action not taken against them? Where is the right of the injured party here ?
[0 ]https://www.verizon.com/about/investors/quarterly-reports/2q...
reply