“Rather than craft an ISP-specific privacy regulation, Congress should pass a national privacy law that preempts states and sets baseline standards for the whole economy,” said Aurelien Portuese, director of The Schumpeter Project on competition policy at the Information Technology & Innovation Foundation.
Portuese’s comments followed the FTC staff presentation of a report on the privacy practices used by six major internet service providers – AT&T, Verizon Wireless, Charter Communications, Comcast, T-Mobile and Google Fiber – and three of their advertising affiliates regarding data collection and use practices. The six ISPs combined comprise 98.8% of the U.S. mobile internet market.
“The expansion of ISPs into vertically integrated entities that not only provide internet, voice and cable services, but also produce the content transmitted across these pipes and sell behavioral advertising, has enabled these firms to consolidate and aggregate a staggering array of data,” said FTC Chair Lina Kahn.
If anything, Kahn said, the report reveals a need to keep an eye on mergers that would lead to the “degradation of user privacy.”
Khan added that the report further unveiled problems with the notice and consent framework for privacy and noted concern for how the “individualized and hyper-granular dossiers” these ISPs have gathered on their users could lead to discriminatory practices. To these means, she sounded support for reasserting the FTC’s authority to oversee ISPs and “put in place nondiscrimination rules, privacy protections and other basic requirements needed to create healthier markets.”
ISPs tend to provide one core service – internet, voice and video – to the consumer, Khan said. They also provide Internet of Things services like home security or connected wearables or content like video or website content, or advertising as an ad platform or providing advertising analytics. The report found that some of the ISPs combine the data they have across products, said Andre Arias, an FTC attorney.
Many ISPs, Arias claimed, “can be at least as privacy intrusive as advertising platforms.”
Several ISPs in the study “pool and cross-reference” sensitive and detailed data about subscribers and their households, gathering it sometimes through unexpected ways like web browsing history or email contents, that can then be used in harmful ways by property managers, bail bondsmen or bounty hunters. The privacy choices that the ISPs give their customer are also “often illusory…[nudging] consumers towards great sharing of personal data through a variety of dark patterns.” Even when the customer blocks the tracking through device or browser settings, she said the ISPs still use their “supercookie technology to defeat those tools.”
The current “patchwork process” in data collection and privacy regulation further confuses consumers and reduces their ability to protect their privacy online, said Shane Tews, non-resident senior fellow at the American Enterprise Institute.
And there is no need nor benefit for a sector-based solution to privacy laws, Portuese said, warning the chilling effect that unilaterally enforcing sector-specific privacy standards will have on competition.
“A federal policy framework would avoid the current fragmentation of guidance and encourage more secure digital innovation,” Tews said, applying a “holistic approach to privacy protections and…the same safeguards” to all companies collecting and using data in the space.
This “fact-finding” study undertaken by the FTC into the industry, which was initiated in 2019, was and will continue being imperative,” said John Verdi, senior vice president of policy at the Future of Privacy Forum, and the FTC could garner more authority to investigate and enforce consumer protections by working with Congress on this bipartisan issue.
The foundation for this federal privacy law can be found through coupling a 2012 FTC privacy report with an Obama-era Consumer Privacy Bill of Rights, said Nancy Libin, partner at Davis Wright Tremaine. A former chief privacy and civil liberties officer at the Justice Department, Libin said the 2012 bill laid down the framework that distinguishes sensitive and nonsensitive data. The companies, however, would not need to request consumer consent for first-party marketing as it is inferred by the mere nature of the company-consumer relationship, she explained. The 2012 framework directs companies to provide consumers with the option to opt-out absent of this inferred consent and to request an opt-in when the company engages in deliberate data collection and use.