DON’T FORGET about the cellphone carriers.

An investigation by Vice’s Motherboard finds that top telecommunications companies are selling access to customers’ location data to aggregators, who in turn are selling it to other actors — each more unsavory than the last. Eventually, some of the information ends up in the hands of bail bondsmen and bounty hunters. The report is one more piece of evidence in the case for federal privacy legislation that overhauls today’s “notice and consent” regime. These rules must cover not only the tech companies at the center of the conversation but also all actors in the information ecosystem.

The companies implicated in this week’s story — T-Mobile, AT&T and Sprint — promised to stop selling location data to brokers last year, when Sen. Ron Wyden (D-Ore.) went after them for giving information to a firm that then offered it to low-level law enforcement without a warrant. Evidently, the practice persists. The telecom companies claim they are in the process of restricting sharing and that they require their third-party clients to ask users’ permission before tracking. Sometimes, this works well: A car repair service, for example, may send a consumer a text before pinpointing where to send roadside assistance.

The trouble is separating the responsible actors — such as those trusty repairmen, or fraud detectors — from the malicious. Persuading companies to do that separating attentively will prove almost impossible as long as privacy regulations stop at notice and consent; the system makes buck-passing far too simple. A carrier, for example, may mandate that its clients acquire consent from users, inform users that their data will reach third parties only with that consent in hand, and then decide its duty to provide notice is done. What the third parties do is their problem.

A privacy framework that established duties of care, loyalty and confidentiality, similar to what Sen. Brian Schatz (Hawaii) and other Democratic senators have proposed for online entities, would help. Brokers who receive information from carriers would be liable for using it in a manner harmful to consumers or passing it on heedless of the risk. But unless the rules Congress comes up with also address the carriers themselves, the problem will remain unsolved.

Ensuring that a comprehensive privacy framework truly is comprehensive will be tricky. The regulations that govern digital platforms cannot be the same as those that govern telecommunications companies or broadband providers (from whom Congress repealed privacy regulations nearly two years ago). The technologies themselves are so different that the expectations must be, too. But Congress must ensure that the same underlying principles of trust apply to all companies — and hold the relevant agencies accountable for enforcing them. Otherwise, carriers and social media sites alike will have little incentive to keep your data away from those bounty hunters.