Verizon demo phone MDM data wipe

After Collery complained to the FCC, Verizon's executive relations department sent the agency a letter dated April 2, 2026, which he shared with Ars Technica. The letter acknowledged the mistake:

We acknowledge the seriousness of the error that led to Mr. Collery receiving a device subsequently identified as a 'demo phone,' which was found to have a Mobile Device Management (MDM) registration linked to Verizon. This procedural lapse has been formally submitted for internal investigation.

^[1]

A Verizon supervisor had earlier assured Collery that refurbished phones are like new & pass a 150-point inspection.^[1] In the same letter Verizon defended its supply chain to the FCC:

The Executive Office has advised that all Certified devices originate directly from the manufacturer and are designed to meet stringent quality assurance standards.

^[1] The letter said Collery had received compensation exceeding $400 before he filed the complaint, that no further credits would be issued, & that the executive office considers this case as resolved.^[1] Verizon's only statement to Ars Technica, in the seven weeks after it was contacted, was that it was aware of this customer's concern & working to address it.^[1] The carrier did not say who handles its phone refurbishment or how the management profile survived its inspection process.^[1]

Collery asked Verizon for records of what personal information the MDM software had recorded & what commands had been sent to the device. A Verizon executive-relations representative answered by email on May 12, 2026:

I received word back from the Legal team. In order to provide any details about the MDM, we would require a legal order.

^[1]

Collery replied on May 13 that the California Consumer Privacy Act requires a business to disclose the personal information it collects about a consumer when the consumer asks for it, & he warned that California's invasion-of-privacy statute provides for damages of $5,000 per violation.^[1] The CCPA gives a consumer the right to request that a business disclose the categories of personal information it collected, the sources & purposes, the categories of third parties that received it, & [t]he specific pieces of personal information it has collected about that consumer.^[2][3] California Penal Code section 637.2 lets a person injured by a violation of the state's invasion-of-privacy law recover the greater of $5,000 per violation or three times actual damages.^[4]

•  
  California Civil Code section 1798.110 gives a consumer the right to obtain the specific pieces of personal information a business has collected about them.
•  
  California Penal Code section 637.2 lets a person injured by an invasion-of-privacy violation recover the greater of $5,000 per violation or three times actual damages.

Verizon offered to waive Collery's remaining device payments to end the dispute, & a representative asked whether that would be enough for him to walk away.^[1] He declined. He sent Verizon a formal request for his data under the CCPA, submitted a notice of dispute as a prerequisite to arbitration, & said he was weighing a small-claims case, telling Verizon it was hard to negotiate while the company refused to confirm what information had left his device or who ordered it deleted.^[1] The network problems that started the dispute were never fixed. My service is still abysmal, Collery said. I can't even get a GPS signal in front of my building.^[1]

• Right to Repair