FTC Staff Report Highlights ISP Data Collection and Use Practices; Suggested FCC Regulations | Kelley Drye & Warren LLP
Over the past few years, the data collection and use practices of Internet Service Providers (“ISPs”) have gone largely unnoticed as the major Internet platforms and the advertising technology industry at large. were the subject of further examination. This respite could end after a staff report released last week by the FTC detailing the scope of ISP data collection and use practices. The staff report was based on orders issued in 2019 under Section 6 (b) of the FTC Act and puts ISPs and major platforms on an equal footing, observing that “many ISPs in our study can be at least as intrusive as the big advertising platforms. . In addition, the staff report finds that several ISP data practices could harm consumers, but does not go so far as to characterize these practices as unfair or deceptive.
What the FTC will do with the staff report is less clear. The Commission voted unanimously to publish the report, which makes no specific policy recommendations. Commission members, however, drew their own conclusions and expressed radically different views on the implications of the report. President Lina Khan and Commissioner Rebecca Kelly Slaughter said the FCC should take a lead role in monitoring ISP data practices, citing the FCC’s expertise and legal authority in the industry. Commissioner Christine Wilson, however, declared that “monitoring ISPs for privacy and data security issues should remain with the FTC.” ISP data practices – and the broader question of whether the FCC should reclassify broadband service to Title II telecommunications service and re-impose strict broadband privacy rules – are likely to be at issue. significant issues as the Biden FCC takes shape in the coming months.
The FTC Staff Report Findings
The staff report is based on information the FTC obtained from the country’s six largest ISPs and three of their adtech companies. The FTC has required companies to provide information about their data collection and use practices through orders issued under Section 6 (b) of the FTC Act in March and August of 2019. While this group of ISPs “represent a wide variety of Internet services offered” to US consumers, their practices are not necessarily representative of ISPs in general.
The staff report raises several concerns about ISP practices, beyond the general assimilation of ISPs to large advertising platforms, which include the following examples.
- Scope and scale of data collection. The staff report finds that “many” of the ISPs in the FTC study “have access to 100% of consumers’ unencrypted Internet traffic,” potentially allowing ISPs to gain insight into sensitive web browsing behavior. Additionally, FTC staff determined that several ISPs participating in the study collect and use potentially sensitive real-time location information for advertising. They also collect customer information from other products and services they offer, such as voice, content, smart devices, advertising and analytics, and purchase consumer information from brokers. in data. According to the report, several ISPs combine data from all of their product lines, although the report did not come to a conclusion on how ISPs combine this data.
- Opacity and consumer choice. The staff report concludes that ISPs collect and use personal data more widely than consumers expect, do not provide clear disclosures about their practices, and generally offer hard-to-use opt-out choices.
- Potential harm to consumers. Finally, FTC staff conclude that some of the practices observed among these ISPs could harm consumers. These practices include combining data from separate services (for example, video, web browsing, location, and connected devices) in ways that consumers do not expect, as well as the use of data. by third parties that could harm consumers (for example, targeting advertisements in a discriminatory manner or by making location data available to third parties “without reasonable protections”).
What the staff report could mean for ISPs
The unanimous vote to approve and release the FTC staff report – an increasingly rare example of a bipartisan agreement on a major issue – does not necessarily signal consensus on what additional steps the FTC should take based on the report. President Khan Remarks highlight ISP practices as an example of more general issues with the privacy framework that the FTC helped establish. In his view, the report’s findings “highlight the shortcomings of the ‘notice and consent’ framework for the protection of privacy” and that “[a] a new paradigm that goes beyond procedural requirements and instead considers substantial limits seems more and more worth considering.
Commissioner Slaughter expressed similar sentiments in her Remarks, echoing some of his previous statements calling for “clear rules on data abuse” in general, and FCC-led ISP regulation, in particular.
ISP disclosure practices described by the FTC Staff Report are subject to the FCC’s Transparency Rule. In 2017, although the Trump FCC classified commercial ISP services as under the jurisdiction of the FTC, the FCC retained a transparency rule which, among other things, requires the disclosure of “correct information” regarding the commercial terms of broadband Internet access services. The FCC said the disclosure of “terms of trade” included disclosure of information collection practices and privacy policies. If ISPs do not adequately disclose their practices, as alleged in the FTC report, the FCC retains jurisdiction to enforce this breach of the transparency rule.
Additional monitoring by the FTC may not be necessary in the long term if monitoring of ISP data practices is returned to FCC jurisdiction, and they again become subject to Section 222 of the Communications Act. This law imposes confidentiality restrictions on the use of proprietary network information (“CPNI”) by telecommunications service providers. (Obama’s FCC reclassified broadband as a telecommunications service under Title II of the Communications Act and imposed net neutrality rules as well as broadband privacy rules. The Trump FCC largely reversed net neutrality rules, and Congress overturned broadband privacy rules.)
Commissioner Slaughter and President Khan might want the FCC to get back into the fray. The White House announced on October 26 that President Biden would appoint Jessica Rosenworcel for another term as FCC commissioner (and appointed her permanent FCC chair) and Gigi Sohn as third Democratic commissioner. Rosenworcel and current Democratic Commissioner Geoffrey Starks have expressed support for the upgrading of broadband to Title II, and Sohn was instrumental in orchestrating the upgrading to Title II in 2015 under the leadership of the former Chairman of the Title II. FCC, Tom Wheeler. While the Title II reclassification would subject ISPs to Section 222 of the Communications Act, the FCC’s power to create broadband-specific rules is unclear as Congress’s repeal of the rules. The FCC’s broadband privacy under the Congressional Review Act prohibits the agency from adopting substantially similar rules. .
In the meantime, ISPs should be prepared to undertake further FTC monitoring activity or a possible FCC review of the adequacy of ISP disclosures under its transparency rule.