FTC Study May Lead to New Privacy Rules for ISPs
October 29, 2021 | by Andrew Regitsky
The Federal Trade Commission (FTC) released a comprehensive study on October 21, 2021, analyzing how six major ISPs use their customer data. It is likely to have serious implications for our industry. The study, which collected information from AT&T Mobility, Charter Communications, Google Fiber, T-Mobile US, Verizon Wireless, and Comcast's Xfinity, found that many ISPs are sharing data about their customers in defiance of their expectations and are failing to give subscribers adequate choices about whether or how their data is shared. Here are more details about the findings.
Some ISPs Combine Data Across Product Lines - Three of the ISPs in the study revealed that they combine information they receive from consumers across their core services and at least some of their other services including TV and video streaming services, home automation and security products and connected wearables.
Some ISPs Collect Data Unnecessary for the Provision of Internet Services - Some of the ISPs collect additional data from their customers that is not necessary to provide ISP services in order to enhance their ability to advertise, such as app usage history.
A Few ISPs Use Web Browsing Data to Target Ads - Two of the ISPs in the study stated that they use web browsing information to target ads to consumers, and another reserves the right to use such information for advertising purposes.
Many ISPs Group Consumers Using Sensitive Characteristics to Target Ads - Many of the ISPs in the study serve targeted ads across the Internet on behalf of third parties. In doing so, they place consumers into segments that often reveal sensitive information about consumers, allowing advertisers to target consumers by their race, ethnicity, sexual orientation, economic status, political affiliations, or religious beliefs.
Some ISPs Combine Personal, App Usage, and Web Browsing Data - At least three ISPs in the study report combining consumers’ personal information, app usage information, and/or browsing information for advertising purposes.
A Significant Number of ISPs Share Real-Time Location Data with Third Parties - There is a trend in the ISP industry to offer real-time location data about specific subscribers to the ISPs’ third-party customers.
These privacy practices reveal four areas of concern for the FTC:
Opacity - While several ISPs in the study tell consumers they will not sell their data, they fail to reveal to consumers the myriad of ways that their data can be used, transferred, or monetized outside of selling it, often burying such disclosures in the fine print of their privacy policies. In addition, three of the ISPs reserved the right to share their subscribers’ personal information with their parent companies and affiliates, which seems to undercut the promises not to sell personal information.
Illusory Choices - There is a trend in the ISP industry to purport to offer consumers some choices with respect to the use of their data. However, problematic interfaces can result in consumer confusion as to how to exercise these choices, potentially leading to low opt-out rates.
Lack of Meaningful Access - Although many of the ISPs in the study purported to offer consumers access to their information, the information was often either indecipherable or nonsensical without context, potentially leading to low access requests.
Data Retention and Deletion - While several of the ISPs in the study provided time frames for deleting information, many asserted that they keep information if it is needed for a business reason. However, many ISPs have the ability to define (or leave undefined) what constitutes a business reason, giving them virtually unfettered discretion.
In an October 21, 2021, Statement, FTC Chairwoman Lina Khan found the findings stunning and noted that “internet service providers are surveilling users across a broad swath of activities, enabling hyper-granular targeting in the serving of ads and other services.” She listed several areas of concern:
Deficiencies of the “notice-and-consent” framework for privacy, especially in markets where users face highly limited choices among service providers. The study found that even in instances where ISPs purported to offer customers some choice with respect to how their data was collected or used, in practice users were thwarted by design decisions that made it complicated, difficult, or near-impossible to escape persistent surveillance.
The expansion of ISPs into vertically integrated entities that not only provide Internet, voice, and cable services but also produce the content transmitted across these pipes and sell behavioral advertising has enabled these firms to consolidate and aggregate a staggering array of data.
The individualized and hyper-granular dossiers that ISPs are collating can enable troubling—and potentially unlawful—forms of discrimination. As the report notes, the collection and use by ISPs of data on race and ethnicity raises the risk of digital redlining and other practices that undermine civil rights and perpetuate discrimination.
While the FTC can publicize ISP privacy practices all it wants, it is the FCC that ultimately develops and enforces the privacy rules for ISPs. Chairwoman Khan recognizes this and is ready for the FCC to act.
“It’s worth noting, of course, that the Federal Communications Commission has the clearest legal authority and expertise to fully oversee internet service providers. I support efforts to reassert that authority and once again put in place the nondiscrimination rules, privacy protections, and other basic requirements needed to create a healthier market.” (October 21, 2021, Statement of Lina Khan, at p. 2.)
ISPs should expect the FCC to jump on this issue early next year once the Democrats gain a majority. More on that next week.