Following up on a mandatory 2019 request for information issued by the Federal Trade Commission (FTC) to the largest Internet Service Providers (ISPs) in the United States, the FTC staff in late October issued a Report titled “A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers.” Among the agency staff’s general findings on ISP data collection and use practices, perhaps the most striking is the apparent degree of integration among ISPs and advertisers with respect to their data collection and use practices. The report also highlights the tools ISPs offer to customers to either manage or control many types of ISP data collection and use.
The information presented in the Report is aggregated and de-identified and has been supplemented with information gathered from follow-up FTC staff questions and meetings with the ISPs that were the subjects of the FTC information request. The Report’s summary of information on real-world ISP data practices could prove useful as Congress wrestles with the potential for federal privacy legislation and states review the need for legislation.
Key Findings on ISP Data Collection and Use
ISPs generally collect and use information to provide core communications services, ancillary services, and advertising, and to provide other services to third-party businesses. Generally speaking, ISPs collect information about device specifications, service usage information, browsing information, and location data, in addition to information that customers affirmatively provide and information that the ISPs purchase from third-party data brokers.
What stood out to the FTC staff in its review of common ISP data practices was that some ISPs combine and potentially share among commonly owned brands or product lines the information they collect that goes beyond the information related to the core provision of communications services. Several ISPs reported collection of customer data not necessary for the provision of Internet services, such as app usage history, to support their own or third-party advertising. Even when data are not shared with identifying names and contact information, persistent identifiers such as cookies, hashed or encrypted account numbers, and telephone numbers have enabled ISPs “to learn extremely specific demographic and interest categories about their subscribers” and enabled third parties “to build complex profiles of consumers based on information they get from various sources.”
A minority of ISPs also reported using customer web browsing data to target ads. Unlike traditional ad networks that collect information through tracking technologies that can be blocked through browser or device settings, ISPs have access to subscribers’ complete Internet traffic and therefore are uniquely positioned “to display highly personalized and targeted advertisements through extremely detailed and granular segments.” Through the process of combination, sharing, and resharing, businesses in each ISP’s entire associated ad-tech ecosystem are able to access sensitive information about the customer such as race, sexual orientation, political affiliations and similar categories. The FTC found it concerning “how such advertising might . . . affect communities of color, historically marginalized groups, and economically vulnerable populations.”
The ISPs that offer mobile services reported some sharing of real-time location data with their third-party customers. In addition to business purposes that are perceived as within a customer’s reasonable expectation, some ISPs reportedly allowed access to subscribers’ real-time location data by car salesmen, property managers, bail bondsmen and bounty hunters.
ISPs in some cases reportedly do not have contracts in place with the ad networks with which they share personal customer information combined with app usage and web browsing data to enhance advertising options. This lack of contractual limitations on how the ad networks can or cannot use the data raised a concern for the FTC. Several ISPs responded to this issue by noting that “any sharing between them and their advertising affiliates is governed by the ISP’s privacy policy, which permits the combination and exchange of information between similarly-branded affiliate entities, subject to consumers’ opting out.”
Key Findings on ISP Privacy Practices
The ISPs covered in the Report provided information about their notice and disclosure policies, how consent and choice options are exercised as well as consumer ability to access, correct and delete information. The FTC staff noted several concerns with the reported privacy practices.
First, while ISPs inform consumers that their data will not be sold, the ISPs fail to disclose the many ways in which data can be transferred, used or monetized, including in some cases “reserv[ing] the right to share . . . personal information with parent companies and affiliates,” which the FTC views as “undercut[ting] the promises not to sell personal information.” In addition, the FTC inferred that some ISPs’ placement of privacy policies on a dedicated page contributed to a low viewing rate of privacy-related disclosures, with “[v]isits to the privacy policies averag[ing] between 0.55% to 6.7% of total subscribers.”
Second, while some choice in data use is offered, the FTC staff found that “problematic” interfaces can result in consumer confusion and low opt-out rates. Many privacy choices appeared to the FTC to be obscured by multi-step processes that are confusing to follow. To further illustrate the effects of this, the FTC highlighted that one ISP that had chosen to present its opt-out option “in a more simple, clear, and prominent manner . . . with no extraneous or distracting text” had a noticeably higher opt-out rate for targeted video advertising: 20%, as compared to the average opt-out rate of 2% among other ISPs.
Finally, while some ISPs provide time frames for deletion of information, others state that they retain information as long as it is needed for a “business reason.” The definition of a business reason within an ISP’s terms and conditions may be vague or undefined, leaving the ISP with nearly absolute discretion as to data retention timetables.
Observations of the Report that Could Lead to New FTC Regulations or Affect Potential Federal or State Legislation
The FTC staff summarized their findings into four general observations about common practices that they viewed as unexpected or potentially harmful to consumers:
- ISPs can (and do) amass large pools of sensitive, highly granular consumer data;
- Consumers would likely be surprised at the extent of data that is collected, retained, and combined for purposes unrelated to providing services and that may run counter to many consumers’ preferences;
- Although ISPs purport to provide consumers with choices as to data use and access, these choices may often be illusory; and
- The ISPs are in a unique position to access all of their customers’ unencrypted data and their ability to collect comprehensive data is further amplified by gleaning information from a broad range of vertically integrated products or services such as home security, automation, video streaming, content creation, advertising, email, search, wearables and connected devices.
The Report concludes that the FTC may have a role in developing restrictions on ISP collection and uses of data. The FTC staff observations could also influence both federal and state legislators as they review ISP data privacy practices and continue to introduce and negotiate privacy bills to build either a unified national privacy framework or more fragmented state by state regimes.
Meanwhile, since the release of the Report, several FTC commissioners and the Commissioner nominee Alvaro Bedoya have publicly endorsed the initiation of a privacy rulemaking to check ISPs’ “amassing of consumer information” and “use of data for discriminatory purposes” under the FTC’s “longstanding ability to protect broadband consumers” because “the price of browsing the internet is being tracked across the web” in the current data economy. The FTC issued an Advance Notice of Proposed Rulemaking on December 10, 2021 to initiate this proceeding to, among other goals described in the FTC’s concurrently issued Statement of Regulatory Priorities, “limit privacy abuses” “stemming from surveillance-based business models.” The target February 2022 start date of this proceeding suggests these issues will continue to be front and center at the agency, and we will continue to monitor these developments.