On October 21, 2021, the FTC released a report making it quite clear: internet service providers (ISPs) are next in line for heightened FTC scrutiny. After analyzing the data collection, sharing, and usage practices of the six largest ISPs and three of their affiliated advertising entities, the FTC concluded that the ISPs “amass large pools of sensitive data, and that their uses of such data could lead to significant harms.” [1]

This report traces its lineage back to August 2019, when the FTC used its powers under Section 6(b) of the FTC Act to issue Orders to File Special Reports to the six largest ISPs that comprised approximately 98.8% of the mobile internet market. The FTC reviewed the responses, conducted follow-up questions and meetings, and compiled its findings into this report. Subsequently, the FTC concluded that the privacy practices of the ISPs warrant great concern in four key areas:

  • Opacity – the FTC concluded that ISPs generally do not provide enough information to their respective consumers regarding how consumer data is used, transferred, or monetized;
  • Illusory Choices – the FTC’s findings indicate that many ISPs utilize “dark patterns” and needlessly complicated or cumbersome options for consumers to exercise their rights under privacy laws;
  • Lack of Meaningful Access – the FTC revealed that due to the “indecipherable or nonsensical” information provided by many ISPs regarding consumer access, consumer access requests were worryingly low–in some instances as low as zero consumer access requests within a month; and
  • Data Retention and Deletion – the inconsistency between ISPs’ data retention and deletion practices resulted in surprisingly low consumer deletion requests–again in some instances as low as zero consumer deletion requests within a month.

More importantly, the FTC expressed apprehension over the data collection practices of the ISPs. Due to the size and extent of vertical integration, the FTC noted that “”[t]his means a single ISP has the ability to track the websites their subscribers visit, the shows they watch, the apps they use, their energy habits, their realtime whereabouts and historical location, the search queries they make, and the contents of their email communications.” [2] Additionally, the FTC revealed that several ISPs combine the data “from their subscribers with additional information from third-party data brokers, resulting in extremely granular insights and inferences into not just their subscribers but their subscribers’ families and households.” [3]

All of these insights take on greater importance when paired with the FTC’s conclusion that certain ISPs gather and use data in ways consumers do not expect and could cause those same consumers grave harm. Focusing especially on ISP usage and sharing of data for advertising purposes, the FTC noted the following:

  • Certain ISPs combine customer personal information with customer browsing history for advertising purposes;
  • A “significant number” of ISPs use television viewing history for advertising purposes, despite Congressional and state conclusions that such data is to be afforded privacy protections,
  • Certain ISPs have the ability to collect data from private email and other communication mediums;
  • Certain ISPs engage in cross-device tracking, which is especially pervasive here due to the ISPs’ usage of “supercookie” technology to persistently track users. “Supercookies” cannot be blocked through browser or mobile device settings;
  • There is “a trend in the ISP industry to use location information for advertising purposes and sell this data to third parties;” [4]
  • Finally, ISPs often use race and ethnicity data for advertising purposes, which result in civil rights concerns.

Ultimately, the FTC’s report depicts a worrisome landscape riddled with consumer privacy abuses. The FTC closes its report by concluding that the ISPs’ practices of collecting and misusing troves of sensitive data, combined with largely illusory consumer options to access and delete this data, “further demonstrates the importance of restricting the collection and uses of data, rather than allowing ISPs to dictate how consumers’ information is used.” [5] While there has been no official action announced by the FTC yet, this report likely foreshadows greater scrutiny by the FTC in the near future.

The full text of the report can be found here.


Endnotes

[1] A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers, FTC Staff Report (Oct. 21, 2021), https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf.
[2] Id. at 34.
[3] Id.
[4] Id. at 36.
[5] Id. at 44.