FTC Eyeballs ISPs’ Data Privacy Practices
The United States Federal Trade Commission on Tuesday announced an investigation into the privacy policies, procedures and practices of seven Internet broadband providers and related entities:
- AT&T Inc.
- AT&T Mobility LLC
- Comcast Cable Communications doing business as Xfinity
- Google Fiber Inc.
- T-Mobile US Inc.
- Verizon Communications Inc.
- Cellco Partnership dba Verizon Wireless
The FTC has ordered the companies to detail how they collect, retain, use, and disclose data from consumers and their devices.
The companies must prepare a special report containing specified information and documents, and file it within 45 days of being served with the order.
The information sought includes the following:
- Categories of personal information collected about consumers or their devices, including why the information is collected or used, how it is collected or shared with third parties, internal policies for access to this data, and how long the information is retained;
- Whether the information is aggregated, anonymized or de-identified;
- Copies of the companies’ notices and disclosures to consumers about their data collection practices;
- Whether the companies offer consumers choices about the collection, retention, use and disclosure of personal information, and whether the companies have denied or degraded service to consumers who declined to opt in to data collection; and
- Their procedures and processes for letting consumers access, correct or delete their personal information.
The special report must restate each item of the order with which the corresponding answer is identified, and must be subscribed and sworn to by a company official who has prepared or supervised the preparation of the report from books, records, correspondence, and other data and material in the company’s possession.
If answers are incomplete, companies must provide whatever information is available, and explain in what respects the answers are incomplete, and why.
The special report and all accompanying documentary responses must be Bates-stamped.
AT&T Plays Ball
“Our customers’ privacy is important to us, and the FTC plays a critical role in privacy regulation,” an AT&T spokesperson said in responses provided to TechNewsWorld by Margaret Boles, assistant vice president of public affairs and federal media relations at AT&T.
“We continue to support comprehensive federal legislation to protect consumers’ data throughout the Internet ecosystem, and the FTC is the logical agency to enforce that legislation,” the AT&T spokesperson said. “If the FTC has any questions for us, we will respond appropriately.”
AT&T in 2014 paid US$80 million to the FTC for consumer refunds to settle charges of mobile phone cramming — that is, billing for unauthorized third-party charges — as part of a $105 million settlement with federal and state law enforcement officials.
In February 2018, AT&T lost its years-long battle against an FTC lawsuit alleging it throttled wireless broadband speeds by up to 90 percent after promising customers unlimited data access.
The court decision affirmed the commission’s authority to regulate broadband providers.
The Whys and Wherefores of the FTC Probe
“More and more, Internet service providers are becoming vertically integrated companies that provide access, create content, and monetize ads served,” FTC spokesperson Juliana Henderson told TechNewsWorld.
“At a time when jurisdiction of broadband Internet access service has been restored to the FTC, the commission regarded it to be appropriate to examine the industry to evaluate companies’ privacy practices,” she said. “In particular, through the orders, the commission is asking questions to learn more about how ISPs collect, use, combine, and disclose consumers’ personal information.”
Following an investigation, the FTC may initiate an enforcement action if it has reason to believe the law has been violated.
“We will determine next steps after staff and the commission have had time to review the requested information,” Henderson said.
“When the Federal Communications Commission killed Net neutrality, [FCC Chairman] Ajit Pai basically noted that anticompetitive issues would be best adjudicated at the FTC,” noted Michael Jude, program manager at Stratecast/Frost & Sullivan.
“Privacy kind of fits under that rubric,” he told TechNewsWorld.
Crime and No Punishment
Sen. Ron Wyden, D-Ore., last fall proposed the Consumer Data Protection Act of 2018 to give the FTC the authority and resources to address and prevent threats to consumers’ privacy. Among the reasons offered in support of the legislation:
- The FTC cannot fine first-time corporate offenders, and fines for subsequent violations of the law are “tiny and not a credible deterrent”;
- The commission does not have the power to punish companies unless they lie to consumers about how much they protect consumers’ privacy, or their behavior costs consumers money;
- It does not have the power to set minimum cybersecurity standards for products that process consumer data — nor does any federal regulator; and
- It does not have enough staff, especially skilled technology experts. Currently it has about 50 people policing the entire technology sector, as well as credit agencies.
Wyden’s bill would empower the FTC to take the following actions:
- Establish minimum privacy and cybersecurity standards;
- Issue fines of up to 4 percent of annual revenue on the first offense, and 10- to 20-year criminal penalties for senior executives;
- Create a national Do Not Track system to let consumers stop third-party companies from tracking them on the Web. The system would let consumers pay a fee to use companies’ products and services rather than allow their personal information to be monetized;
- Give consumers a way to review the personal information a company held about them; challenge inaccuracies in that data; and learn the identities of any other entities that may have accessed it;
- Hire 175 more staff to police the largely unregulated market for private data; and
- Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy and security.
“I tend to distrust regulatory structures that build in such extreme penalties, especially when privacy is such an elusive concept generally, and on the Internet specifically,” Frost’s Jude said.
“We have run studies of consumer perceptions of the Internet and have asked how concerned with privacy people are,” he noted. “It’s almost a perfect Bell curve centered on ‘not much concerned.’”
Further, Wyden’s bill “is clearly modeled on the GDPR, and the GDPR is untested in the market yet,” Jude pointed out, “so we really don’t know the impact it will ultimately have on things like innovation.”