Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

FTC says ISPs provide limited protections for consumer data

Federal Issues FTC Privacy/Cyber Risk & Data Security Consumer Protection Act

Federal Issues

On October 21, the FTC reported that internet service providers (ISPs) are able to gather and share large pools of sensitive consumer data while providing limited privacy protections. According to an FTC staff report, ISPs’ data collection and use practices allow them to monitor and record their customers’ every online move, granting them the ability to collect large amounts of information without their customers’ knowledge. The FTC launched the internet privacy study in 2019 under Section 6(b) of the FTC Act and analyzed information from six major ISPs, which comprise roughly 98 percent of the mobile internet market. Three advertising affiliates associated with the ISPs were also asked to provide information on their data collection and use practices. The report found, among other things, that ISPs typically collect and share more customer information than is necessary to provide ISP services. According to the report, some ISPs collected personal information to market products and services, serve targeted ads on behalf of third parties, or share insights into customers’ behaviors with other businesses. The report also found that customers are often placed into categories by “race, ethnicity, sexual orientation, economic status, political affiliations, or religious beliefs,” and that ISPs often share real-time location data with third parties.

Additionally, the report found that while several ISPs tell customers their personal information will not be sold, the companies’ privacy notices obscure other ways personal data can be used, transferred, or monetized by other parties, and “often bury[] such disclosures in the fine print of their privacy policies.” The report further explained that many customers are often confused about how to opt-out of or limit ISPs’ data collection, adding that while several ISPs promise to retain data only for as long as needed for a business reason, the definition of what constitutes a “business reason” varies widely.

Chair Lina M. Khan issued separate remarks, emphasizing that the report’s finding are “striking” and “underscore deficiencies of the ‘notice-and-consent’ framework for privacy, especially in markets where users face highly limited choices among service providers.”