The Federal Trade Commission on Oct. 21 released findings from a study it conducted on the privacy practices of six major internet service providers and raised concerns over how sensitive data collected by these companies can be used to harm and discriminate against consumers.
The FTC, which initiated the study in 2019 using its authority under the FTC Act, reveals the breadth of data collected, used and shared by companies including AT&T Inc., Comcast Corp., Verizon Communications Inc., T-Mobile US Inc., Charter Communications Inc. and Google Fiber. FTC officials are studying the providers as part of a larger crackdown on privacy practices by online platforms and advertising companies.
Key findings from the study found that ISPs and their related entities often combine user data across core product lines, including TV and video streaming services, home automation and security products and connected wearables.
It also found that it is not unusual for ISPs to collect data from users "beyond what is necessary" to provide services and use that additional data to enhance their ability to advertise to consumers, said Andrea Arias, senior attorney with the FTC's Division of Privacy and Identity Protection, who gave a presentation on the study at the agency's Oct. 21 meeting.
"While consumers certainly expect ISPs to collect certain information about the websites they visit in order to efficiently provide internet services, they would likely be surprised at the extent of data that is collected and combined for purposes unrelated to providing the service they request," Arias said.
For example, two ISPs in the FTC study stated that they used web browsing information to target ads to consumers. Other providers group consumers into segments by sensitive characteristics that allow advertisers to target users by race, ethnicity, sexual orientation, economic status and political affiliations, Arias said.
ISPs can pull and cross-reference highly detailed data about individual subscribers, resulting in extremely granular insights and inferences, Arias said.
A significant number of ISPs in the study also share real-time location data about specific subscribers with third parties, such as car salesmen, property managers and bounty hunters, Arias said.
In 2020, the Federal Communication Commission fined the top U.S. wireless carriers over $200 million in total for improperly disclosing consumers' real-time location data. The data reportedly ended up in the hands of bounty hunters and others not authorized to possess it. Each carrier named in the report — including AT&T, Verizon and T-Mobile — subsequently committed to ending customer location data practices with third parties.
The FTC study also raised concerns about the ISPs related to notice and disclosure and consumers' ability to access, correct and delete data.
While several ISPs in the study tell consumers they will not sell their data, the companies "obscure the myriad of ways that their data can be used, transferred or monetized short of selling it, often burying such disclosures in the fine print of their privacy policies," Arias said. In addition, three ISPs reserved the right to share their subscribers' personal information with their parent companies and affiliates.
Another area of concern is the ISPs' strategy to offer consumers some choices with respect to the use of their data but "problematic interfaces can result in consumer confusion as to how to exercise these choices, contributing to low opt-out rates, typically less than 2% of total subscribers," Arias said.
"Many ISPs in our study can be at least as privacy intrusive as large advertising platforms," Arias said.
Charter, Verizon, T-Mobile and Google Fiber did not immediately respond to a request for comment, while Comcast and AT&T declined.
"Consumers' online safety and privacy is a top priority for the wireless industry, and federal legislation that uniformly protects users across all platforms is the best way forward. We are looking forward to continuing to work with the FTC, lawmakers and companies across the ecosystem to ensure consumers are protected," CTIA, the wireless industry association, said in a statement.
FTC Chair Lina Khan said the findings are "striking" and underscore the need for the FTC to consider in its merger review how certain deals can enable degradation of user privacy.
She also noted that the collection of data by ISPs on race and ethnicity can "enable troubling and potentially unlawful forms of discrimination" and raises the risk of digital redlining and other practices that undermine civil rights.
In addition, the study raises questions as to whether the FTC should target its efforts toward the collection of particular forms of data rather than just its use, Khan said.
However, Khan noted that the FCC has the clearest expertise to fully oversee ISPs.
The FCC in 2016 adopted privacy rules that required internet service providers to seek permission before selling consumer data. However, those rules were repealed in 2017 under the Trump administration by means of the Congressional Review Act, or CRA. The law allows Congress to void regulations passed within the last 60 legislative days through a joint resolution and presidential approval. The law also prohibits an agency from creating a substantially similar regulation to replace the regulation Congress disapproved.
Noah Phillips, a Republican FTC Commissioner, said the study is the culmination of a bipartisan effort begun under a Republican FTC and ending under a Democratic commission.
Phillips noted that while the report highlights the need for more transparency, he did not agree with parts of the study, including the ISPs' use of data for advertising. "I have some concern with language suggesting that combining data obtained from consumers and other sources for advertising is necessarily bad," Phillips said.
Commissioner Rebecca Kelly Slaughter, a Democrat, stated that the study points to the need for urgent action across agencies — including the FTC, FCC and Congress — to protect users of ISPs.
'"This report shows how, absent the FCC's oversight, many ISPs participated in a race to the bottom to partake in a lucrative market of monetizing their customers' personal information," Slaughter said.