ISPs in the US are collecting and sharing large amounts of data about their customers, research by the Federal Trade Commission found. They're also failing to offer consumers meaningful choices about how this data can be used, the regulator warned.
The staff report details the expanding scope and "some troubling aspects" of ISP data collection practices, the FTC said in a statement. It started the survey in 2019 with orders to provide information to six internet service providers, which make up about 98 percent of the mobile internet market.
These are AT&T, Verizon, Charter Communications, Comcast, T-Mobile US and Google Fiber. The FTC also obtained information from three advertising affiliates, AT&T’s Xandr, Verizon’s Verizon Online and Verizon Media. The FTC sought information on their data collection and use practices, as well as any tools provided to consumers to control these practices.
The regulator found the ISPs were working on much more than internet services, becoming "technology giants" that also provide content, smart devices, advertising, and analytics. This has increased the volume of information they are capable of collecting about their customers.
Some of the troubling data collection practices used at several of the ISPs include that they combine data across product lines; combine personal, app usage, and web browsing data to target ads; place consumers into sensitive categories such as by race and sexual orientation; and share real-time location data with third-parties.
At the same time, the report found the privacy protections many of the companies offer raised several concerns. Even though several of the ISPs promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others and hide disclosures about such practices in fine print of their privacy policies. For example, several news outlets noted that subscribers’ real-time location data shared with third-party customers was being accessed by car salesmen, property managers, bail bondsmen, bounty hunters, and others without reasonable protections or consumers’ knowledge and consent, according to the report.
Many of the ISPs also claim to offer consumers choices about how their data is used and allow them to access such data. The FTC found, however, that many of these companies often make it difficult for consumers to exercise such choices and sometimes even nudge them to share even more information. In addition, while several of the ISPs promise to only keep the data for as long as needed for business purposes, the definition of what constitutes a “business purpose” varies widely among the companies.
The report concludes that many of the ISPs’ data collection and use practices mirror problems identified in other industries and underscore the importance of restricting data collection and use, the FTC said.
The FTC chair, Lina Khan said in a separate statement that the report raises the question whether the current type of 'notice and consent' systems are working to protect privacy. She suggested more structural limitations on data collection and usage may be needed and noted the FCC was best-placed to assert this type of control over ISPs.
