FTC Staff Report Puts Spotlight Back on ISP Data Collection and Use Practices; FCC Re-Regulation Suggested
Over the past few years, the data collection and use practices of Internet Service Providers (“ISPs”) have largely flown under the radar while large internet platforms and the broader adtech industry have been under greater scrutiny. That respite may be coming to end following a staff report released last week by the FTC detailing the scope of ISPs’ data collection and use practices. The staff report was based on orders issued in 2019 under Section 6(b) of the FTC Act and puts ISPs and large platforms on similar footing, observing that “many ISPs in our study can be at least as privacy-intrusive as large advertising platforms.” In addition, the staff report finds that several ISP data practices could cause harm to consumers but does not go as far as calling any practices unfair or deceptive.
What the FTC will do with the staff report is less clear. The Commission voted unanimously to release the report, which does not make any specific policy recommendations. Members of the Commission, however, drew their own conclusions and articulated starkly different outlooks on the report’s implications. Chair Lina Khan and Commissioner Rebecca Kelly Slaughter declared that the FCC should play a leading role in overseeing ISPs’ data practices, citing the FCC’s industry expertise and legal authority. Commissioner Christine Wilson, however, stated that “oversight of ISPs for privacy and data security issues should remain at the FTC.” ISPs’ data practices – and the broader question of whether the FCC should reclassify broadband service back to a Title II telecommunications service and re-impose strict broadband privacy rules – are likely to be prominent issues as the Biden FCC takes shape in the months ahead.
The FTC Staff Report’s Findings
The staff report is based on information the FTC obtained from the country’s six largest ISPs and three of their adtech companies. The FTC compelled the companies to provide information about their data collection and use practices through orders issued under FTC Act Section 6(b) in March and August of 2019. While this group of ISPs “represents a broad swath of the internet services offered” to U.S. consumers, their practices are not necessarily representative of ISPs in general.
The staff report raises several concerns about ISPs’ practices, beyond generally equating ISPs with large advertising platforms, which include the following examples.
- Scope and Scale of Data Collection. The staff report finds that “many” of the ISPs in the FTC’s study “have access to 100% of consumers’ unencrypted internet traffic,” potentially allowing the ISPs to obtain information about sensitive web browsing behavior. In addition, FTC staff determined that several ISPs in the study collect and use potentially sensitive, real-time location information for advertising. They are also collecting customer information from other products and services they offer—such as voice, content, smart devices, advertising, and analytics—as well as purchasing information about consumers from data brokers. According to the report, several ISPs combine data from across their product lines, though the report did not reach a conclusion about how extensively ISPs combine this data.
- Opacity and Consumer Choices. The staff report concludes that ISPs collect and use personal data more extensively than consumers expect, do not provide clear disclosures about their practices, and generally provide opt-out choices that are difficult to use.
- Potential Consumer Harm. Finally, FTC staff conclude that some of the practices observed among these ISPs could cause harm to consumers. These practices include combining data from distinct services (e.g., video, web browsing, location, and connected devices) in a manner that consumers do not expect, as well as enabling third-party data uses that could harm consumers (e.g., targeting ads in a discriminatory manner, or making location data available to third parties “without reasonable protections”).
Tags: adtech, Broadband, Chair Lina Khan, Commissioner Christine Wilson, Commissioner Rebecca Kelly Slaughter, Congressional Review Act, CPNI, Customer Proprietary Network Information, FCC or Federal Communications Commission, FCC’s Transparency Rule, FTC, Gigi Sohn, Internet service providers, ISPs, Jessica Rosenworcel, Privacy, Section 222, Section 6(b)