In 2024, AT&T confirmed two major data breaches that exposed the personal information of tens of millions of customers, including call records, phone numbers, and account details. The incident also highlighted the extent to which mobile carriers collect, store, and share customer data with third parties.
For many customers, the breaches raised a simple question: what information does AT&T actually have on file? AT&T customers have the right to access, correct, or delete personal data associated with their accounts. By submitting an AT&T data request, you can see what information the company has on file and manage how it’s used.
This guide explains how the AT&T data request process works, what types of data may be linked to your account, and what steps you can take to reduce your exposure going forward.
What Is AT&T Data Request?
An AT&T data request is a formal request to AT&T to disclose, access, correct, or delete the personal information it holds about you. You might submit such a request if you want to:
- See what information the company collected about you
- Opt out of AT&T selling your personal information
- Get a copy of your data to take elsewhere
- Correct inaccurate AT&T account information
- Request that the mobile carrier delete your data
- Understand how your information has been used or shared
Under different U.S. state privacy laws, such as the California Consumer Privacy Act (CCPA), consumers have the right to know what data a company has collected and who it’s been shared with, as well as request its deletion. AT&T has voluntarily extended these rights to all U.S. customers, regardless of their state of residence.
AT&T Data Retention: What Data Does AT&T Keep?
AT&T collects a broad range of information. According to the company’s Privacy Notice, here’s what they retain:
Data Type | Data Collected |
Account information |
|
Equipment information |
|
Network performance | Information about how your device and AT&T’s network are performing during your use of their services |
Location information | Data generated by your interaction with:
|
Web browsing and app information |
|
Biometric information |
|
Third-party information | Data purchased from outside sources, including:
|
There are a few considerations worth noting:
- AT&T does not read the contents of your texts, emails, or calls for advertising purposes.
- Biometric data, such as fingerprints and facial scans, is governed by a separate Biometric Information Privacy Notice.
- Location data is collected automatically, meaning that you don’t need to actively share it.
Bonus read: Learn how to disable location and app tracking on both iPhone and Android to regain more control over your privacy.
How Long Does AT&T Retain Your Data?
In the Privacy Notice, AT&T states that it keeps your information as long as it is needed for tax, legal, or business purposes. However, the retention period actually depends on three main factors:
- What type of information is collected
- How long the data is needed to provide services
- Whether legal, contractual, or regulatory obligations apply
Once the retention period ends, AT&T claims it destroys data by rendering it “unreadable or indecipherable.” There is an exception, though: if there’s ongoing litigation, a government investigation, or a mandatory data-retention law, that data can be retained indefinitely.
It’s also worth noting that AT&T may share retained data with affiliates such as Cricket or Gigapower, as well as third-party advertising partners, fraud prevention services, and government or law enforcement entities when legally required.
Based on publicly available information, here’s a general overview of the retention period based on the data type:
Data Type | Estimated Retention Period |
Call and text records | Up to 5–7 years |
Billing and payment records | Up to 16 months |
Web browsing data | Approximately 1 year |
Location data | Up to 5 years |
Biometric data | Approximately 1 year |
Third-party data | As long as necessary |
Retention periods matter because the longer AT&T holds your data, the greater the risk that it will be exposed in a breach, shared with third parties, or subpoenaed by law enforcement. Under the Electronic Communications Privacy Act (ECPA), law enforcement can request certain stored information with nothing more than a subpoena, which has a lower legal bar than a warrant.
How Does AT&T Use Your Data?
AT&T uses the data they have about you in multiple ways. Knowing what they do with it can help you decide whether to opt out of certain programs or submit a request to delete some of the data.
After they collect the information about you, your device, or its performance, AT&T might use it for:
- Service delivery: To provide, manage, and improve their products and services.
- Fraud prevention and security: To verify your identity, detect fraud, protect your financial accounts, and authorize transactions.
- Network improvement: To monitor performance and keep the network running properly.
- Advertising and marketing: Based on information about which products interest you, they can design targeted ad campaigns.
- Billing and legal compliance: For invoicing, debt collection, and protecting their legal rights.
- Research and reporting: To create reports about groups of customers (not individuals) and conduct internal research.
- De-identification: AT&T may strip data of identifying details to use it more broadly, and they commit not to re-identify it afterward.
How To Submit a Data Request to the AT&T Data Request Center
The AT&T Data Request Center is the official channel for submitting requests to access or manage your data. If you’re a California resident, you can also do so by calling 866-385-3193.
For sending privacy-related requests online, you need to follow these steps:
- Visit the AT&T Data Request Center
- Select your state from the dropdown menu
- Choose your request type:
- Opt out of selling my personal information
- Access my data
- Delete my data
- If you want to access or delete data, choose whether you want to do so for current services or a past service from AT&T (within the last 12 months)
- Complete the form and submit
What’s left is to wait for a response. AT&T is legally required to respond within 45 days in most states, with the option to extend by another 45 days in complex cases. However, the company will notify you if the extension is needed.
If your request is denied, you have the right to appeal through the same portal.
Beyond AT&T Data Requests: Limiting AT&T’s Data Usage
Sending a data request to your carrier is only one way to reduce your data exposure. There are several other steps you can take to limit what AT&T does with your data:
- Opt out of AT&T advertising programs: Go to AT&T’s Privacy Choices to opt out of Personalized and Personalized Plus programs, which use your data for targeted advertising.
- Restrict the use of Customer Proprietary Network Information (CPNI): Stop AT&T from using your call data for internal marketing by opting out at AT&T’s CPNI page.
- Turn off identity verification sharing: Text “STOP” to 8010 to prevent AT&T from sharing your data with third parties for fraud verification.
- Request your data regularly: Send a request to the AT&T Data Request Center from time to time to stay informed about what information has been collected.
How To Protect Your Privacy From Mobile Carrier Data Collection
While submitting a data request can help you understand what information AT&T has on file, it’s ultimately a reactive measure. By the time you make the request, that information has already been collected, stored, and, in many cases, shared with third parties.
If you think the solution is to switch your mobile carrier, you should keep in mind that AT&T isn’t the exception when it comes to collecting and sharing user data. Other major carriers, like Verizon and T-Mobile, also collect large amounts of personal, location, and financial data. Both companies have experienced data breaches in recent years as well.
If data privacy is a priority for you, look beyond the big three. One way to reduce exposure and avoid data sharing and potential hacking is to choose a privacy-first alternative.
Cape is a mobile carrier built around user privacy. Unlike traditional carriers, it minimizes data collection from the ground up. Since less data is stored, there is less data at risk in the unlikely event of a breach.
Beyond modern encryption and network-level security, Cape goes a step further by limiting how long data is retained. While carriers like AT&T may store certain information for extended periods, Cape destroys text metadata and key calls after a single day.
Cape: The Carrier Built for Security and Privacy
Cape is a privacy-first mobile carrier designed to keep your communications safe from surveillance and misuse. Unlike traditional cell phone plan providers, our business model centers around providing you with premium and secure call, text, and data, rather than harvesting and selling your information.
Our service is built from the ground up with privacy and security at its core, offering unique features like:
Privacy & Security Feature | Description |
Cape doesn’t ask for your name, address, or Social Security number. We only collect the information necessary to provide service, and we retain that information for the minimum amount of time possible. | |
Traditional carriers rely on a fixed International Mobile Subscriber ID (IMSI) to connect your device to cellular networks. This is a vulnerability that lets carriers, advertisers, and bad actors identify and track your device. Cape lets subscribers automatically rotate their IMSI every 24 hours, making it infinitely more difficult to track you or your device. | |
Many services ask for your phone number, but sharing it exposes you to spam, scammers, data brokers, and a variety of other risks. VoIPs, on the other hand, don’t work with 2FA, cost extra, and aren’t encrypted. With Cape, you get two free additional SMS/MMS lines that are middle-to-end encrypted. | |
Most U.S. carriers store your call and text metadata for years, sometimes indefinitely. Cape is built to forget, so call data records (CDRs) are deleted after just 24 hours. | |
Cape nullifies the threat of SIM swapping by completely removing humans from the loop. During signup, you receive a 24-word phrase that generates a private key tied to your number. This effectively means that no one (but you) can move your number to a new carrier or device, not even Cape. | |
Legacy network protocols, like SS7, leave you vulnerable to hackers that can track your location, intercept your calls and texts, and steal sensitive information. Cape’s Network Lock relies on a proprietary signaling proxy to verify that your device’s physical location matches the network it’s trying to attach to. If we detect anything out of the ordinary, Cape automatically blocks the connection, nullifying the potential threat. | |
Traditional voicemail systems are outdated, unencrypted, and another security hole bad actors can exploit to gain access to your sensitive information. Cape encrypts all voicemails, ensuring only you can access them. | |
While roaming, your phone connects to local telecom providers to enable service. But, who knows who might be listening on the other end. Cape provides you with peace of mind by routing your traffic through our U.S.-based mobile core, ensuring your identity, data, and communications remain private and secure. |
Ditch Legacy Carriers: Get Cape Today
Cape is a “Heavy” Mobile Virtual Network Operator (MVNO), meaning we own our mobile core and provision our own SIMs. This gives us full control over how accounts are authenticated and what data is collected (and for how long), and is how we are able to provide privacy and security features no other carrier on the market can offer.
Get started with Cape today and enjoy the peace of mind, knowing you are fully protected against scammers, hackers, bad actors, and other mobile threats.
To help protect more than just your phone, we’ve partnered with Proton. As a new Cape subscriber, you can choose between Proton Unlimited and Proton VPN Plus for just $1 for six months.
