The Federal Communications Commission on Friday proposed fining AT&T, Verizon, Sprint and T-Mobile roughly $200 million in total for improperly handling customers’ location data, a penalty some critics decried as weak given the gravity of the industry’s alleged misdeeds.

The agency, led by Republican Chairman Ajit Pai, said it appeared that the nation’s top four wireless carriers did not properly inform consumers that their real-time whereabouts had been sold and made available to a wide array of other businesses. And the FCC further faulted telecom giants for failing to ensure that smartphone location data wasn’t later abused.

“This FCC will not tolerate phone companies putting Americans’ privacy at risk,” Pai said in a statement.

All four telecom giants can still contest the FCC’s allegations and proposed punishments. T-Mobile on Friday indicated that it would fight back against the agency; AT&T, Sprint and Verizon did not immediately respond to a request for comment.

For now, the FCC’s efforts left lawmakers and consumer watchdogs deeply disappointed: They faulted the FCC for taking too long to initiate, then conclude, its investigation, and they think the punishment is far too weak.

“Our real-time location information is some of the most sensitive data there is about us, and it deserves the highest level of privacy protection,” said Jessica Rosenworcel, a Democratic commissioner at the FCC, in a statement. “It did not get that here — not from our nationwide wireless carriers and not from this agency.”

Roughly two years ago, an investigation by Sen. Ron Wyden (D-Ore.) first shed light on what he at the time had described as the “abusive and potentially unlawful practices of wireless carriers.” His May 2018 letter to the FCC centered on Securus Technologies, a private company that services correctional facilities. The firm had purchased real-time location data from telecom giants, Wyden said, and it effectively allowed law enforcement officials to potentially spy on millions of Americans.

Wyden’s efforts — and a slew of news reports to follow — soon shed light on a wider world of so-called “location aggregators.” Little known to consumers, and in some ways unregulated in Washington, the industry amasses location data and sells access to smartphone users’ whereabouts for a variety of commercial and law-enforcement purposes, including advertising and fraud prevention. Even bounty hunters ultimately appeared to gain access to the data, a report from the news site Motherboard found.

Experts said the potential for abuse was high: Tracking a person’s location — at school, work, doctor’s offices or inside their own homes — generally threatened to reveal a great deal about one’s private life. Yet companies such as AT&T and Verizon appeared to have little visibility and oversight into the network of companies that had access to geolocation data, according to the FCC, which said the carriers relied largely on “contract-based assurances” from its business partners.

Top wireless carriers began severing their relationships with companies that collected location data in 2018, facing intense pressure from privacy watchdogs and congressional lawmakers. Still, FCC investigators ultimately concluded that AT&T, Verizon, Sprint and T-Mobile for years had appeared to violate federal laws that require them to safeguard personal information and take strong steps to prevent unauthorized access or disclosure. The resulting fines vary in size depending on the length of the violations.