109 million people, nearly a third of Americans, suffered a massive data breach in April 2024 that exposed their AT&T communication logs. The incident was yet another reminder of how frequently breaches occur. AT&T lost sensitive information including phone numbers, call and text counts, call durations, and location data from May to October 2022, and January 2023, meaning the data was approximately two years old at the time of the breach. The breach affected both current and former customers.
This incident raises the question: how long are telcos retaining your sensitive data, and why?
Getting a clear answer is not easy.
If you examine the privacy policies of AT&T, Verizon, and T-Mobile—the three largest mobile carriers—you’ll find standard legal language like, “we keep your information as long as we need it for business, tax, or legal purposes.” These vague statements maximize wiggle room and tell us little about how long data is actually stored.
Perhaps the wiggle room is required because these carriers often share this data with third-party aggregators, who may then sell it to other entities. This practice dramatically increases the risk of data exposure, raising serious concerns about how long your personal and sensitive information is stored and who ultimately has access to it.
Let’s take a look at one of the most sensitive kinds of data, your location, and how it is handled by the major carriers.
The mishandling of location data by telcos has been a persistent issue—here’s a timeline of key events:
- May 2018: Major U.S. telcos were exposed for selling location data to aggregators and location-finding services. A notable case involved a Missouri sheriff using such a service to track individuals without consent from 2014 to 2017.
- February 2020: In response, the Federal Communications Commission (FCC) proposed nearly $200 million in fines against the carriers for selling access to their customers’ location information without taking reasonable measures to prevent unauthorized access.
- October 2021: The Federal Trade Commission published a report highlighting the vast amounts of personal data—including location information—that Internet Service Providers (ISPs), including telcos, access and retain.
- July 2022: FCC Chairwoman Jessica Rosenworcel requested that the U.S.’s 15 largest carriers disclose their data retention and privacy policies, specifically regarding geolocation data. The responses, made public in August 2022, revealed stark differences in data retention periods:
  - T-Mobile: Retains granular latitude and longitude coordinates for up to 90 days and less granular cell-site location data for up to two years.
  - Verizon: Retains cell-site data for up to one year.
  - AT&T: May retain cell-site data for up to five years.
- April 2024: Six years after U.S. carriers’ location data practices were exposed, and nearly ten years after the Missouri sheriff first abused his access to location services and data, the FCC finally issued fines to the major telcos.
AT&T, Verizon, and T-Mobile have pledged to appeal these fines, citing flaws in legal and factual claims.
Are these telcos legally obligated to collect and store our location data? The short answer: No.
Telcos often cite legal obligations as the reason for data collection and retention, but the situation is more nuanced. Several different regulations and requirements govern the handling of location data:
- Public Safety Requirements (E911): Telcos are required by the FCC to collect and transmit accurate location data when customers make emergency 911 calls to ensure that emergency responders can quickly locate callers in distress.
- CALEA: Under the Communications Assistance for Law Enforcement Act (CALEA), telcos are required to have the capability to intercept communications and access relevant data, including location information, for law enforcement purposes, provided there is proper legal authorization.
- Regulatory Compliance and Audits: Various federal and state regulations may require telcos to retain certain data for compliance and auditing purposes.
However, none of these laws or regulations require telcos to retain customer location data for any specified amount of time. Telcos set their data retention policies at their own discretion, which often means they store sensitive data for far longer than necessary. In fact, telcos use the personal data they collect and store to create highly granular profiles about your habits and preferences in order to better serve you ads.
We know this because we’re building our own telco—and we actively seek to minimize how long we store your data.
Cape is building a privacy-first mobile carrier that challenges the status quo. Our approach is simple: we collect only what’s necessary and delete it as soon as it’s served its purpose. This is privacy by design.
While detecting and collecting your location is essential for providing cell phone service and meeting certain legal requirements, we don’t store it for longer than necessary. And we want you to know exactly how long we keep sensitive information about you, which is why we clearly outline our data retention periods in our Privacy Policy.
The ongoing data retention practices of major telcos, especially for location data, remain shrouded in manufactured complexity and legal justifications that do not hold up under scrutiny. The 2022 FCC probe shined a momentary light on this opaque practice, but now that information is over two years old, and clear, up-to-date information about telcos’ data retention policies feels nearly impossible to find.
At Cape, we are dedicated to breaking this cycle by prioritizing your privacy and ensuring that your data is handled with care. With Cape, you can have the peace of mind that your connection to the world isn’t at the expense of your information being compromised.
We’re not just another telco—we’re building a service with security and privacy at its core. Join us in the movement for connection without compromise, and switch your cellular service to Cape today.