FTC says ISPs collect more data than broadband users think

The U.S. Federal Trade Commission (FTC) issued its findings from a more than two-year probe into broadband providers’ privacy practices, concluding operators are amassing large amounts of sensitive customer information and making it hard for consumers to opt out.

Summarizing a new report during an open meeting held Thursday, FTC Division of Privacy and Identity Protection Senior Attorney Andrea Arias said “it is not unusual for some ISPs in our study to collect data that is unnecessary for the provision of internet services” and use that additional information to boost their advertising capabilities.

She noted several ISPs combine data across their product lines, merging information gleaned from core internet services as well as TV and video offerings, home automation and security products and even wearables. Others gather details about consumers' app usage and web browsing histories to target ads even further, Arias stated. Additionally, the FTC discovered ISPs share real-time location data with third parties, including car salesmen, property managers and bail bondsmen.

“Several ISPs in our study gather and use data in ways consumers do not expect and could cause them harm. While consumers certainly expect ISPs to collect certain information about the websites they visit in order to provide efficient internet services, they would likely be surprised at the extent of data that is collected and combined for purposes unrelated to providing the service they request,” she said.

Arias said the FTC found consumers who want to opt-out of having their data collected or view information that has already been collected about them are often confronted with confusing interfaces or aggregate data that is indecipherable without context.

RELATED: FCC’s privacy overturn hailed by ISPs, but consumer groups cite concerns over security, protections

She stated the findings raised four key concerns, namely that it is unclear to consumers how their data is really being used; they are offered only “illusory” control over their information; they lack meaningful access to their data; and there are no clear rules around how long data can be retained.

The FTC initiated its probe of broadband privacy practices in March 2019, calling on several domestic internet providers to share information on how they collect, store and use information about consumers. Among other things it sought details about what categories of personal information is collected, how that information is used and whether it is shared with third parties. The agency also asked whether consumer information is aggregated or anonymized, whether consumers can opt out of having their data collected, what processes they must follow to have information about them deleted and how the providers disclose their data collection practices.

AT&T, Charter Communications, Comcast, Google Fiber, T-Mobile US and Verizon were all called on to answer the inquiry. Findings presented in the agency report released this week were aggregated and anonymized to avoid revealing trade secrets.

FTC chairwoman Lina Khan said during the meeting “the individualized and hypergranular dossiers that ISPs are collating can enable troubling and potentially unlawful forms of discrimination…The collection and use by ISPs of data on race and ethnicity raises the risk of digital redlining and other practices that undermine civil rights.”

She added the report raises serious questions about whether data collection by ISPs and other entities “creates inherent risks” for users and whether regulation should focus on data collection rather than just its use.

“Lastly, as the risks of persistent tracking continue to come to light, we face more fundamental questions around what it means to condition the use of essential technologies on this type of user surveillance,” Khan concluded.

NCTA – The Internet & Television Association responded to the report in a statement, arguing it "provides a highly distorted view of ISP data collection policies and inappropriately attempts to lump broadband providers into the same category as the Big Tech platforms."

“Viewed objectively, today’s presentation is a broad attack on online advertising generally, not specific ISP actions,” the group stated. “What is needed is a consistent set of privacy rules across the online marketplace on a technology-neutral basis.”

In 2019, the FTC also initiated a probe into the privacy practices of big tech companies including Amazon, Facebook, Google and Twitter. That investigation remains ongoing.


This story has been updated to include a statement from NCTA.