A report from the authority paints a poor picture of how ISPs handle customers’ personal data. To see an improvement, the US would need to thoroughly reform privacy laws
Two years after the location data scandal, ISPs are in the spotlight once again: In 2019, US mobile operators were found to share location data with third-parties, without users’ knowledge and consent, and were forced to stop the practice after the backlash that followed. It prompted the Federal Trade Commission (FTC) to begin a study on the privacy practices of major ISPs, to identify the categories of data they collect and whether the information is de-identified in some way. It also was designed to look at companies’ disclosures to consumers, and whether they have a choice about the collection and use of their personal information. Last week, the FTC published its findings.
A sobering picture of ISPs’ privacy practices: It found that ISPs share “far more data” than consumers may expect, including access to their internet traffic and real-time location data. This information is often combined to offer targeted ads, and categorises consumers based on things such as race and sexual orientation. Even where ISPs promise not to sell consumers’ personal data, they often allow it to be used and monetised by others. The data often ends up in the hands of bail bondsmen, bounty hunters, and others without reasonable protection or consumers’ knowledge. ISPs make it difficult for consumers to exercise their choices, and often even nudge them to share more information. In practice, it is near-impossible to escape what the FTC calls “persistent surveillance”.
The FTC wants to get tough on privacy, but will need legislation: While the report casts ISPs in a bad light, its findings are hardly surprising. In the early months of the Trump administration, Congress repealed the privacy safeguards imposed on ISPs by the FCC in 2016. Since then, operators have faced virtually no restriction in how they can use customers’ data. In commenting on the report, the FTC’s chair Lina Khan supported the efforts to reassert authority on privacy, and to continue the conversation about commercial data practices. However, it is likely to have limited power without stronger federal privacy rules. Democrats in congress are pushing a $1bn bill to create a new privacy bureau in the FTC, but there is still no sign of a new data protection law akin to Europe’s GDPR.
