Sprint

Maureen Cooney
Head of Privacy
Office of Privacy, Government Affairs
Sprint Corporation
900 7th Street NW, Suite 700
Washington, DC 20001
charles.w.mckee@sprint.com

February 15, 2019

The Honorable Ron Wyden
United States Senate
221 Dirksen Senate Office Building
Washington, DC 20510

Dear Senator Wyden:

Thank you for your January 17, 2019 letter to Michel Combes, Chief Executive Officer of Sprint Corporation ("Sprint"), regarding Sprint's location based services. Sprint is pleased to provide information regarding its LBS practices in addition to the answers provided in its June 15, 2018 reply to your prior letter of May 8, 2018.

1. Please identify the third parties with which your company shares or has shared customer information, including location data, at any time during the past five years. For each third party with which you share information directly, please also include a list of the ultimate end users of that information, as well as all intermediaries.

Sprint has shared location data with two location aggregators, LocationSmart and Zumigo, pursuant to contracts during the past five years. Questions regarding LocationSmart's and Zumigo's sub-aggregators and customers are best directed to LocationSmart and Zumigo in light of contractual provisions in our agreements regarding aggregators' confidential information. Otherwise, please see Sprint's response to Question 1 in its June 15, 2018 reply to your May 8, 2018 letter regarding Sprint's LBS practices.

2. For each of the third parties identified in response to question one, please detail the types of customer information provided to them and the number of customers whose information was shared. For each of these, please detail whether the third party provided proof of customer consent, and if so, how the third party demonstrated that they had obtained customer consent.
Sprint will only supply location information in response to a request if the location aggregator adequately represents that it has (1) the end-user's consent and (2) a valid telephone number for that request. Depending on the contractual relationship and approved use case, Sprint may provide one or a combination of the following elements:

- Latitude and longitude;
- Estimated accuracy of the location information or estimated distance of the device in meters from specified latitude, longitude;
- While infrequent, if specifically requested, altitude, direction of movement, and speed.

For additional information, please see Sprint's response to Question 2 in its June 15, 2018 reply to your May 8, 2018 letter regarding Sprint's LBS practices.

3. Please describe in full your process, if any, for determining that each third party identified in response to question one has obtained appropriate customer consent before your company shared that customer's information with them. Specifically, please describe what criteria and processes your company uses to review claims and evidence that a third party has obtained consent.

Application developers and location aggregators, like Zumigo, are contractually obligated to incorporate conspicuous and stand-alone notice as part of the registration process for each LBS application that explains how location information will be accessed, used, stored, disclosed or collected. The end user must expressly and affirmatively accept the notice before continuing.

For applications where only the end user will see their own location information, the notice must be provided to, and consent must be obtained from, the end user.
For applications or services where an end user interacts with an interactive voice response ("IVR") or live agent, and the end user's mobile location is used specifically for the purposes of enhancing the service or improving the call handling, the notice must be provided to the end user by prompting the end user through a spoken announcement on an IVR and consent must be obtained through the IVR, recorded and stored for a minimum of 3 years. In cases where there is no subscription or registration process in advance, this notice and consent must be provided each time the end user is to be located.

For applications where a business account holder will have the ability to see location information regarding devices under its own account, the notice must be provided to, and consent must be obtained from, the account holder. End users of the devices under the account holder's account also must be notified in a clear and conspicuous manner that they may be located using the application.

For all other types of applications, Sprint's contracts require that the notice must be provided to, and consent must be obtained from, the end user who is registering for the application. A notice must be provided to the account holder that the registrant has subscribed to a service that will locate the registrant's device. The developer must send an SMS message to the registrant's device after registering to confirm the registration, and then send random periodic SMS messages to the registrant's device to remind the user that their device may be located.

Aggregators and developers must clearly and completely document the presentation of the above-referenced notices and any corresponding consent. Their records must include: (i) an identifier linking the end user to the record; (ii) a time and date stamp of the end user's acknowledgment; (iii) a reference to the version of the notice that was presented; and (iv) a developer application identifier.
Sprint receives consent for its Safe Found application and Mobile Advertising Program directly or through its vendor. For other applications, aggregators and developers must make the records described above available to Sprint upon request in a format specified by Sprint. For each network-initiated application, the aggregator is contractually obligated to provide the notice record to Sprint before Sprint provides location information to the aggregator.

For self-service LBS applications where the end user's location information is accessible by someone other than the end user (e.g., the developer, a tow truck company), the developer must maintain verifiable records (data log or voice log) of each instance of the end user's request to use the service. The log must be made available to Sprint upon request in a format specified by Sprint.

Sprint's contracts maintain the right to audit performance of the obligations described above, which includes seeking reports, full and complete access to relevant facilities, books, records, procedures, and information to assess compliance. Sprint maintains the contractual right to immediately suspend or terminate access to location information for reasons that include a breach of these obligations.

4. Please describe any incidents known to your company, or uncovered during your responses to the above, in which a third party with which your company shared customer data misrepresented that they had customer consent.

Sprint remains cautious with respect to alleging any intentional misrepresentation by third parties, but to protect its customers Sprint will continue to maintain its contractual rights and remedies to ensure third party LBS providers fulfill their obligations as previously described. Sprint is, however, not aware of any incidents in the last two years responsive to this request.

Thank you for the opportunity to address your questions.
Sincerely,

Maureen Cooney, Head of Privacy
Office of Privacy