Many internet service providers (ISPs) collect and share far more data about their customers than many consumers may expect—including access to all of their Internet traffic and real-time location data—while failing to offer consumers meaningful choices about how this data can be used, according to an FTC staff report on ISPs’ data collection and use practices.
The staff report, which details the expanding scope and some troubling aspects of some ISP data collection practices, stems from orders the FTC issued in 2019 using its authority under 6(b) of the FTC Act to six internet service providers, which make up about 98 percent of the mobile Internet market:
- AT&T Mobility LLC;
- Cellco Partnership, which does business as Verizon Wireless;
- Charter Communications Operating LLC;
- Comcast Cable Communications, which does business as Xfinity;
- T-Mobile US Inc.; and
- Google Fiber Inc.
The FTC also issued orders to three advertising entities affiliated with these ISPs: AT&T’s Appnexus Inc., rebranded as Xandr; Verizon’s Verizon Online LLC; and Oath Americas Inc., rebranded as Verizon Media. The FTC sought information on their data collection and use practices, as well as any tools provided to consumers to control these practices.
As noted in the report, these companies have evolved into technology giants who offer not just internet services but also provide a range of other services including voice, content, smart devices, advertising, and analytics—which has increased the volume of information they are capable of collecting about their customers. The report identified several troubling data collection practices among several of the ISPs, including that they combine data across product lines; combine personal, app usage, and web browsing data to target ads; place consumers into sensitive categories such as by race and sexual orientation; and share real-time location data with third-parties.
At the same time, the report found the privacy protections many of the companies offer raised several concerns. Even though several of the ISPs promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others and hide disclosures about such practices in fine print of their privacy policies. For example, several news outlets noted that subscribers’ real-time location data shared with third-party customers was being accessed by car salesmen, property managers, bail bondsmen, bounty hunters, and others without reasonable protections or consumers’ knowledge and consent, according to the report.
Many of the ISPs also claim to offer consumers choices about how their data is used and allow them to access such data. The FTC found, however, that many of these companies often make it difficult for consumers to exercise such choices and sometimes even nudge them to share even more information. In addition, while several of the ISPs promise to only keep the data for as long as needed for business purposes, the definition of what constitutes a “business purpose” varies widely among the companies.
The report concludes that many of the ISPs’ data collection and use practices mirror problems identified in other industries and underscore the importance of restricting data collection and use.
The Commission voted 4-0 to approve and issue the report. Staff presented findings from the report at Wednesday’s open virtual Commission meeting. Chair Lina M. Khan issued a separate statementon the report.