FCC Data Privacy Enforcement Surges in 2026 After Supreme Court Win

The Federal Communications Commission is moving aggressively on data privacy in 2026, and a landmark Supreme Court ruling on June 4, 2026 just gave it more room to act. The court upheld the FCC's system for fining telecom companies, clearing the way for the agency to pursue some of its biggest privacy cases in years. For carriers, VoIP providers, and privacy watchers, this is the moment FCC data privacy enforcement shifted from warnings to real financial risk.

The Supreme Court Decision That Changed Everything

The U.S. Supreme Court ruled 8-1 in favor of the FCC, supporting its method for imposing fines on telecommunications companies like AT&T and Verizon. Chief Justice John Roberts wrote that FCC forfeiture orders do not conclusively determine legal obligations, and that companies still get their day in court if the Department of Justice sues to collect.

At issue were nearly $200 million in fines tied to carriers unlawfully selling customer location data. AT&T and Verizon argued the in-house process violated their right to a jury trial. The Court disagreed, calling the FCC orders non-binding administrative findings. This preserves one of the FCC's key privacy enforcement tools under the Communications Act and ends a three-year legal fight that had frozen major cases.

Background: How the FCC Got Privacy Power

The FCC is not a general privacy agency, but Congress gave it specific authority under Section 222 of the Communications Act to protect Customer Proprietary Network Information. The Enforcement Bureau, led by Enforcement Bureau Chief Patrick Webre, lists Privacy, Data Protection, Cybersecurity, and Supply Chain Integrity as a core investigation area.

For years the FCC focused on robocalls and spectrum. That changed after investigations showed major wireless carriers were selling real-time location data to third-party aggregators, who then resold it to bounty hunters and bail bonds firms. The agency responded with its largest privacy fines ever, which led directly to the Supreme Court case.

2026 Enforcement Timeline

  • January 29: FCC mandates disclosure of foreign adversary interests in license holders
  • March 3: Annual CPNI certification deadline for all carriers and interconnected VoIP providers
  • April-May: Enforcement Bureau issues notices to approximately 600 providers for missing CPNI filings
  • June 4: Supreme Court upholds FCC fine process in 8-1 decision
  • June 8: Public comment closes on new robocall and numbering enforcement rules

Inside the Legal Fight: Why AT&T and Verizon Lost

The carriers relied on a 2024 Supreme Court decision limiting the SEC's in-house judges. They argued FCC administrative law judges similarly denied a jury trial. The FCC, backed by the Trump administration, made a narrower argument: its fines are not self-executing. A carrier does not pay until the DOJ files a collection suit in federal court, where a jury is available.

The Court accepted that distinction. It also noted Congress explicitly directed the FCC to enforce the Communications Act. FCC Chairman Brendan Carr called it a win for consumers, saying the agency can now hold carriers accountable without procedural delays.

The $196 Million Location-Data Case

The Supreme Court case grew out of the FCC's largest privacy action to date. The agency fined AT&T, T-Mobile, Verizon, and Sprint $196 million for sharing real-time customer location data with data aggregators without consent, violating Section 222.

The FCC found carriers continued to sell access even after promising to stop. The fines were calculated per violation per day, showing how the agency treats location data as highly sensitive CPNI. Carriers are appealing the underlying merits, but they must now fight in district court, not block the process upfront.

600 Carriers Hit in the CPNI Certification Sweep

While big carriers fought in court, the FCC targeted smaller providers. The Enforcement Bureau proposed $20,000 fines against approximately 600 telecom carriers and interconnected VoIP providers for failing to file annual CPNI compliance certifications.

It also issued about thirty individual orders for late or inadequate filings. The message is clear: even if you never sell data, you must document your privacy safeguards every year. Failure to file calls into question whether you protect customer data at all.

CPNI Explained: What Data Is Actually Protected

CPNI is broader than most companies realize. It includes call records, numbers dialed, call duration and frequency, location data when a device is in use, and billing details like voicemail and call waiting services. The FCC requires carriers to get opt-in consent before using CPNI for marketing, and opt-in or opt-out depending on the affiliate relationship.

For 2026 certifications, companies must attest they have policies to prevent unauthorized access, train employees annually, record any breaches, and take action against data brokers. A false certification can trigger criminal penalties under Title 18.

FCC vs FTC: Who Does What on Privacy

Many businesses confuse the two agencies. The FTC polices unfair and deceptive privacy practices across most industries. The FCC polices carriers and VoIP providers under the Communications Act. That means if you provide voice service, even over the internet, the FCC is your primary privacy regulator for CPNI.

In 2026 both agencies are coordinating more, especially on location data and AI-driven robocalls, but only the FCC can impose forfeitures for CPNI violations without first proving deception.

New 2026 Rules Expanding Enforcement

The FCC is not just fining, it is rewriting rules. It proposes updated breach reporting requirements for VoIP providers to match traditional carriers. It seeks to strengthen numbering policies to combat illegal robocalls, with comments due June 8, 2026. And the January foreign adversary rule adds national security screening to privacy enforcement.

Together these create a compliance web where privacy, cybersecurity, and supply chain integrity are enforced by the same bureau.

Detailed Compliance Checklist for 2026

If you operate in telecom or VoIP, act now:

  • File your 2026 CPNI certification by March 3, signed by an officer under penalty of perjury
  • Update your CPNI policy to cover location data, call detail records, and billing information
  • Implement opt-in consent flows before sharing CPNI with third parties or affiliates
  • Train all customer-facing staff annually and document the training
  • Maintain a breach log and report CPNI breaches to the FCC within required timelines
  • Audit all data broker contracts and terminate unauthorized location sharing
  • Prepare for potential fines up to $251,322 per violation per day, capped at $2,513,215

What Consumers Should Know

Consumers now have stronger leverage. You have the right to restrict how your carrier uses your CPNI for marketing. You must receive annual notice of those rights. If your location was shared without consent, the FCC's actions create a record you can cite in complaints. The Supreme Court win means enforcement will move faster, without years of procedural delays.

Outlook: What to Expect Next

With its process validated, expect the FCC to finalize VoIP breach rules by late 2026 and expand audits beyond the 600 carriers already flagged. Analysts expect new investigations into AI-powered call analytics and data sharing for advertising. The agency is also likely to coordinate with state attorneys general on location privacy.

For businesses, 2026 is the year FCC data privacy enforcement became operational, not theoretical. For consumers, it is the first time in a decade the agency has both the legal backing and the political will to impose major privacy penalties on telecom giants.