Following congressional hearings last month on potential federal data privacy legislation − Hearing on Policy Principles for a Federal Data Privacy Framework in the United States before the Senate Committee on Commerce, Science, and Transportation; Hearing on Improving Data Security at Consumer Reporting Agencies before the House Subcommittee on Economic and Consumer Policy − the Federal Trade Commission (FTC) on March 26, 2019, announced the initiation of a study concerning the privacy policies, procedures, and practices of seven internet service providers (ISPs). The FTC has used this process in other industries or areas of focus to gather information that it may later share in a public report.

A Major Endeavor to Uncover the Privacy Practices of Platform-Based ISPs

In the Order sent to the seven ISPs that maintain network platforms – AT&T Inc., AT&T Mobility LLC, Comcast Cable Communications doing business as Xfinity, Google Fiber Inc., T-Mobile US Inc., Verizon Communications Inc., and Cellco Partnership doing business as Verizon Wireless – the FTC identified a range of information it seeks from each ISP regarding data collection, retention, use, and disclosure practices and policies. The agency wants to understand the forms of privacy protection afforded to customers of these vertically integrated platform providers that also provide advertising-support content.

Specifically, the FTC expects responses and documents related to:

• How each company program or service collects, transmits, receives, stores, maintains, uses, or discloses personal information about consumers

• What ad services the company provides and what user or third-party information the company relies on in providing those ad services

• The statistics regarding its subscribers and unique consumers targeted, tracked, or otherwise identified by its ad services

• How each company uses, retains, and stores the collected information

• How consumer data is being transferred, disclosed, or provided from or to third parties

• How each company aggregates, combines, anonymizes, or de-identifies information about consumers and their devices

• How each company controls employee access or conducts privacy risk assessments

• What statements each company has disseminated publicly regarding its privacy practices and what privacy notices each company has used

• How each company offers consumer choices with regard to access, correction, and deletion

• How each company offers tiered or differentiated services to consumers based on their level of consent in sharing personal information.

By collecting and analyzing this data, the FTC expects to be able to assess the common risks and problems associated with ISPs using or selling subscribers’ web-surfing and app-usage data or otherwise allowing advertisers to deliver interest-based ads without the internet users’ prior consent. The ISPs have 45 days to provide this information to the FTC. While the FTC’s main focus has been to enforce its authority to protect consumers against unfair or deceptive practices, it is not unusual for the FTC to study issues of potential interest and publish reports on its findings. As the FTC continues to have its own public hearings on privacy protections and as Congress mulls potential federal privacy legislation, the FTC’s actions signal its intention to play a role in the process.

The FTC Picks up on Broadband ISP Privacy Policy from the FCC

Many consider this announcement a prelude to the FTC’s intent to pick up where the Federal Communications Commission (FCC) left off in 2017. During the Obama Administration, the FCC had adopted both Net Neutrality rules and a fairly aggressive set of privacy and data security rules that it intended to apply to broadband internet access providers. In particular, the 2016 Broadband Privacy Order required ISPs to “take reasonable measures to protect customer proprietary information from unauthorized use, disclosure, or access” and described best practices that the FCC “presently considers exemplary of a reasonable and evolving standard of data security.” At the time, a dozen petitioners opposed the FCC’s adopted rules and argued that they would “substantially widen the uncertainty and compliance burdens imposed upon ISPs relative to all other Internet entities and heightens the risks of different interpretations” with the FTC’s existing framework.

In March 2017, the new Republican FCC majority temporarily stayed the data security regulation portion of its 2016 Broadband Privacy Order, concluding that the petitioners “are uniquely likely to succeed on their claim” because a majority of the current Commission had dissented from the 2016 Broadband Privacy Order on either legal or policy grounds. In the same month, the Republican-majority Congress passed a Congressional Review Act (CRA) to stop the 2016 Broadband Privacy Order’s ban on ISPs’ collection of browsing history, app usage, and other user data from taking effect. As a result of the FCC in 2017 determining that broadband ISPs were not functioning as telecommunications carriers and the CRA’s prohibition on the FCC to reissue a rule in substantially the same form, the FTC currently has jurisdiction to examine their privacy practices.

Despite of the FCC’s 2017 ruling to “maintain the status quo that has been in place for nearly two years with respect to [ISPs] … and nearly a decade with respect to other telecommunications carriers,” privacy advocates continue to call for stricter regulations over ISPs because “broadband and wireless companies are privy to a more comprehensive view of people’s online activity, because they provide the underlying connection to the Internet.” The FTC’s announcement of its intent to examine the handling of consumer data by the nation’s largest broadband providers “highlights the advantages of having a single agency able to police the entire Internet ecosystem with respect to the important issue of privacy,” commented the FCC’s spokesperson, Tina Pelkey.