FTC Staff Report Puts Spotlight Back on ISP Data Collection and Use Practices; FCC Re-Regulation Suggested

Over the past few years, the data collection and use practices of Internet Service Providers ("ISPs") have largely flown under the radar while large internet platforms and the broader adtech industry have been under greater scrutiny. That respite may be coming to end following a staff report released last week by the FTC detailing the scope of ISPs’ data collection and use practices. The staff report was based on orders issued in 2019 under Section 6(b) of the FTC Act and puts ISPs and large platforms on similar footing, observing that “many ISPs in our study can be at least as privacy-intrusive as large advertising platforms.” In addition, the staff report finds that several ISP data practices could cause harm to consumers but does not go as far as calling any practices unfair or deceptive.

What the FTC will do with the staff report is less clear. The Commission voted unanimously to release the report, which does not make any specific policy recommendations. Members of the Commission, however, drew their own conclusions and articulated starkly different outlooks on the report’s implications. Chair Lina Khan and Commissioner Rebecca Kelly Slaughter declared that the FCC should play a leading role in overseeing ISPs’ data practices, citing the FCC’s industry expertise and legal authority. Commissioner Christine Wilson, however, stated that “oversight of ISPs for privacy and data security issues should remain at the FTC.” ISPs’ data practices – and the broader question of whether the FCC should reclassify broadband service back to a Title II telecommunications service and re-impose strict broadband privacy rules – are likely to be prominent issues as the Biden FCC takes shape in the months ahead.

The FTC Staff Report’s Findings

The staff report is based on information the FTC obtained from the country’s six largest ISPs and three of their adtech companies. The FTC compelled the companies to provide information about their data collection and use practices through orders issued under FTC Act Section 6(b) in March and August of 2019. While this group of ISPs “represents a broad swath of the internet services offered” to U.S. consumers, their practices are not necessarily representative of ISPs in general.

The staff report raises several concerns about ISPs’ practices, beyond generally equating ISPs with large advertising platforms, which include the following examples.

  • Scope and Scale of Data Collection. The staff report finds that “many” of the ISPs in the FTC’s study “have access to 100% of consumers’ unencrypted internet traffic,” potentially allowing the ISPs to obtain information about sensitive web browsing behavior. In addition, FTC staff determined that several ISPs in the study collect and use potentially sensitive, real-time location information for advertising. They are also collecting customer information from other products and services they offer—such as voice, content, smart devices, advertising, and analytics—as well as purchasing information about consumers from data brokers. According to the report, several ISPs combine data from across their product lines, though the report did not reach a conclusion about how extensively ISPs combine this data.
  • Opacity and Consumer Choices. The staff report concludes that ISPs collect and use personal data more extensively than consumers expect, do not provide clear disclosures about their practices, and generally provide opt-out choices that are difficult to use.
  • Potential Consumer Harm. Finally, FTC staff conclude that some of the practices observed among these ISPs could cause harm to consumers. These practices include combining data from distinct services (e.g., video, web browsing, location, and connected devices) in a manner that consumers do not expect, as well as enabling third-party data uses that could harm consumers (e.g., targeting ads in a discriminatory manner, or making location data available to third parties “without reasonable protections”).
What The Staff Report Could Mean for ISPs

The unanimous vote to approve and issue the FTC staff report—an increasingly rare instance of bipartisan agreement on a major issue—does not necessarily signal consensus on further steps the FTC should take on the basis of the report. Chair Khan’s remarks highlight ISPs’ practices as an example of more general problems with the privacy framework the FTC was instrumental in establishing. In her view, the report’s findings “underscore deficiencies of the ‘notice-and-consent’ framework for privacy” and that “[a] new paradigm that moves beyond procedural requirements and instead considers substantive limits increasingly seems worth considering.”

Commissioner Slaughter expressed similar sentiments in her remarks, echoing some of her previous statements calling for “clear rules on data abuses” in general, and FCC-led regulation of ISPs, specifically.

The ISP disclosure practices described by the FTC staff report are subject to the FCC’s Transparency Rule. In 2017, although the Trump FCC classified commercial ISP services as subject to FTC jurisdiction, the FCC retained a transparency rule that, among other things, requires disclosure of “accurate information” regarding commercial terms of broadband internet access services. The FCC stated that disclosure of “commercial terms” included disclosure of information collection practices and privacy policies. If ISPs failed to adequately disclose their practices, as alleged in the FTC Report, the FCC retains jurisdiction to enforce that failure to comply with the transparency rule.

Further oversight by the FTC may not be necessary in the long term if oversight of ISP data practices is moved back under the FCC’s jurisdiction, and they once again become subject to Section 222 of the Communications Act. That statute places privacy restrictions on the use of customer proprietary network information ("CPNI") by telecommunications service providers. (The Obama FCC reclassified broadband as a telecommunications service under Title II of the Communications Act and imposed net neutrality regulations as well as broadband privacy rules. The Trump FCC largely reversed the net neutrality rules, and Congress nullified the broadband privacy rules.)

Commissioner Slaughter and Chair Khan may get their wish to have the FCC jump back into the fray. The White House announced on October 26 that President Biden will nominate Jessica Rosenworcel for another term as FCC Commissioner (and named her as the permanent FCC Chair) and Gigi Sohn as the third Democratic commissioner. Both Rosenworcel and current Democratic Commissioner Geoffrey Starks have expressed support for reclassifying broadband back to Title II, and Sohn was instrumental in orchestrating Title II reclassification in 2015 under former FCC Chairman Tom Wheeler. While Title II reclassification would subject ISPs to Section 222 of the Communications Act, the FCC’s authority to create broadband-specific rules remains unclear because Congress’ repeal of the FCC’s 2016 broadband privacy rules under the Congressional Review Act prohibits the agency from adopting substantially similar rules.

In the meantime, ISPs should be prepared to entertain further oversight activity by the FTC or potential FCC examination of the adequacy of ISP disclosures under its transparency rule.