FTC Staff Report Finds Many ISPs Collect Troves of Personal Data while Consumers Have No Options

The Federal Trade Commission (FTC) staff report released on Thursday, October 21st  found that a group of broadband Internet Service Providers (ISPs), including AT&T, Charter Communications, Comcast and Verizon, collect troves of personal data, and that consumers don’t have much choice on how that data is used.

Question to Ponder: Haven’t we all intuitively known that, just like Big Tech (Amazon, Google, Facebook, Apple, Microsoft) our privacy has been compromised by ISPs in return for “free services,” whereby our personal information is sold to “target advertisers?”

The report was approved unanimously 4-1 by the commission, with FTC chair Lina Khan issuing a separate statement.   Khan said the FTC report highlighted:

1) Problems with the notice-and-consent framework for data collection and sharing;

2) The expansion of ISPs into vertically integrated businesses including ones providing content for their broadband “pipes”; and

3) The potential use of “hyper-granular” online dossiers to discriminate against users.

Many ISPs collect and share far more data about their customers than many consumers may expect—including access to all of their Internet traffic and real-time location data—while failing to offer consumers meaningful choices about how this data can be used, according to an FTC staff report on ISPs’ data collection and use practices.

The staff report, which details the expanding scope and some troubling aspects of some ISP data collection practices, stems from  orders the FTC issued in 2019 using its authority under 6(b) of the FTC Act to six internet service providers, which make up about 98 percent of the mobile Internet market:

  • AT&T Mobility LLC;
  • Cellco Partnership, which does business as Verizon Wireless;
  • Charter Communications Operating LLC;
  • Comcast Cable Communications, which does business as Xfinity;
  • T-Mobile US Inc.; and
  • Google Fiber Inc.

The FTC also issued orders to three advertising entities affiliated with these ISPs: AT&T’s Appnexus Inc., rebranded as Xandr; Verizon’s Verizon Online LLC; and Oath Americas Inc., rebranded as Verizon Media. The FTC sought information on their data collection and use practices, as well as any tools provided to consumers to control these practices.

As noted in the report, these companies have evolved into technology giants who offer not just internet services but also provide a range of other services including voice, content, smart devices, advertising, and analytics—which has increased the volume of information they are capable of collecting about their customers. The report identified several troubling data collection practices among several of the ISPs, including that they combine data across product lines; combine personal, app usage, and web browsing data to target ads; place consumers into sensitive categories such as by race and sexual orientation; and share real-time location data with third-parties.

At the same time, the report found the privacy protections many of the companies offer raised several concerns. Even though several of the ISPs promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others and hide disclosures about such practices in fine print of their privacy policies. For example, several news outlets noted that subscribers’ real-time location data shared with third-party customers was being accessed by car salesmen, property managers, bail bondsmen, bounty hunters, and others without reasonable protections or consumers’ knowledge and consent, according to the report.

Many of the ISPs also claim to offer consumers choices about how their data is used and allow them to access such data. The FTC found, however, that many of these companies often make it difficult for consumers to exercise such choices and sometimes even nudge them to share even more information. In addition, while several of the ISPs promise to only keep the data for as long as needed for business purposes, the definition of what constitutes a “business purpose” varies widely among the companies.

The FTC report also found that ISPs use web browsing data and group consumers using “sensitive characteristics such as race and sexual orientation.”

The report concludes that many of the ISPs’ data collection and use practices mirror problems identified in other industries and underscore the importance of restricting data collection and use.

The Commission voted 4-0 to approve and issue the report. Staff presented findings from the report at today’s open virtual Commission meeting.  Chair Lina M. Khan issued a separate statementon the report.

Cable Industry Response from the NCTA:

The report drew a sharp rebuke from the cable industry (as represented by the NCTA  — The Internet & Television Association), maintaining that it provided a “highly distorted view” that casts them in the same arena as aggressive “Big Tech platforms” which are well known to compromise users privacy via data collected and sold to advertisers.

The NCTA said in a October 21st statement:

The FTC’s report provides a highly distorted view of ISP data collection policies and inappropriately attempts to lump broadband providers into the same category as the Big Tech platforms.

Cable broadband providers take seriously their responsibility to safeguard the personal information of their customers and do not surveil their customers or sell their location data. Viewed objectively, today’s presentation is a broad attack on online advertising generally, not specific ISP actions. And what is further missing from today’s report is the much larger story about Big Tech platforms that are premised on maximizing user attention.

What is needed is a consistent set of privacy rules across the online marketplace on a technology-neutral basis. We look forward to continued engagement with policymakers to forge a strong, consistent framework for privacy protection.

–>What will come of the FTC staff report is not entirely clear. FTC chair Lina Khan said it would be part of an “ongoing conversation” about privacy and data practices that could be “incorporated” into FTC action, according to Multichannel News.

…………………………………………………………………………………………………………………………………………………….

FTC Boilerplate Text:

The Federal Trade Commission works to promote competition and to protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). For the latest news and resources, follow the FTC on social mediasubscribe to press releases and read our blogs.

…………………………………………………………………………………………………………………………………………………….

Separately, Politico reported that tech and telecom companies were among the top 20 spenders for the third quarter of 2021, according to a ranking of lobbying expenditures compiled by POLITICO Influence. Facebook was No. 5 at $5.1 million, with Amazon right behind it with $4.7 million. NCTA — The Internet & Television Association ranked 15th, spending $3.3 million, and Comcast was 18th, with $3.1 million.

2 thoughts on “FTC Staff Report Finds Many ISPs Collect Troves of Personal Data while Consumers Have No Options

  1. AT&T holds onto customer usage data for seven years, Mike Dano of Light Reading

    Amid an ongoing debate over Internet users’ privacy, new documents indicate that AT&T holds onto its customers’ location and usage data for seven years – far longer than its rivals.

    “There is no conceivable business reason they need that much,” Nate Wessler, deputy project director of the Speech, Privacy, and Technology Project at the American Civil Liberties Union (ACLU), told Motherboard.

    In comparison, T-Mobile holds onto its own subscriber data – including call records, cell site connection information and text content – for around two years before discarding it. Verizon holds onto such data for one year.

    The new information comes from Motherboard, which published a 139-page report from the FBI’s Cellular Analysis Survey Team (CAST) dated 2019. The report is essentially a guide for how law enforcement can legally access telecommunications data. Such data – which typically can only be obtained by law enforcement officers through a warrant or court order – is often used in cases involving kidnappings, homicides, missing persons and robberies.

    “I’ve never seen a visualization of it,” Wessler, of the ACLU, said of the report published by Motherboard.

    Indeed, the details of the report are eye-opening. For example, AT&T retains “cloud storage internet/web browsing” data for one year.

    “Like all companies, we are required by law to comply with mandatory legal demands, such as warrants based on probable cause. Our responses comply with the law,” AT&T spokesperson Margaret Boles explained to Motherboard.

    The report is noteworthy considering it comes just days after the Federal Trade Commission released a report that found that top broadband service providers including AT&T “collect troves of personal data,” and that consumers don’t have much choice on how that data is used.

    “Many internet service providers (ISPs) collect and share far more data about their customers than many consumers may expect – including access to all of their Internet traffic and real-time location data – while failing to offer consumers meaningful choices about how this data can be used,” the FTC said of its 74-page report (PDF).

    To be clear, the FTC report focused on data used for advertising services rather than law enforcement directives.

    https://www.lightreading.com/security/atandt-holds-onto-customer-usage-data-for-seven-years/d/d-id/773020?

  2. Regarding ISPs collecting personal data of customers who have no options to prevent that……………………………………

    I opened an account with Comcast in December of 2018, this account provides me with Internet and Cable TV.

    I have repeatedly asked Comcast to change my billing due date, But Comcast refuses to do so. They say the only way to change it is to install the My Xfinity App or used the Comcast Customer Online User Portal.

    Both of these option forces the customer to waive their rights to privacy. The My Xfinity app is known for harvesting customer data from mobile devices and the Online option places Tracking Cookies on the customer’s personal computer!

Comments are closed.