ISPs, the FTC Has You In Their Crosshairs

On October 21, 2021, the FTC released a report making it quite clear: internet service providers (ISPs) are next in line for heightened FTC scrutiny. After analyzing the data collection, sharing, and usage practices of the six largest ISPs and three of their affiliated advertising entities, the FTC concluded that the ISPs "amass large pools of sensitive data, and that their uses of such data could lead to significant harms." [1] This report traces its lineage back to August 2019, when the FTC used its powers under Section 6(b) of the FTC Act to issue Orders to File Special Reports to the six largest ISPs that comprised approximately 98.8% of the mobile internet market. The FTC reviewed the responses, conducted follow-up questions and meetings, and compiled its findings into this report. Subsequently, the FTC concluded that the privacy practices of the ISPs warrant great concern in four key areas:

• Opacity - the FTC concluded that ISPs generally do not provide enough information to their respective consumers regarding how consumer data is used, transferred, or monetized;
• Illusory Choices - the FTC's findings indicate that many ISPs utilize "dark patterns" and needlessly complicated or cumbersome options for consumers to exercise their rights under privacy laws;
• Lack of Meaningful Access - the FTC revealed that due to the "indecipherable or nonsensical" information provided by many ISPs regarding consumer access, consumer access requests were worryingly low--in some instances as low as zero consumer access requests within a month; and
• Data Retention and Deletion - the inconsistency between ISPs' data retention and deletion practices resulted in surprisingly low consumer deletion requests--again in some instances as low as zero consumer deletion requests within a month.

• Certain ISPs combine customer personal information with customer browsing history for advertising purposes;
• A "significant number" of ISPs use television viewing history for advertising purposes, despite Congressional and state conclusions that such data is to be afforded privacy protections,
• Certain ISPs have the ability to collect data from private email and other communication mediums;
• Certain ISPs engage in cross-device tracking, which is especially pervasive here due to the ISPs' usage of "supercookie" technology to persistently track users. "Supercookies" cannot be blocked through browser or mobile device settings;
• There is "a trend in the ISP industry to use location information for advertising purposes and sell this data to third parties;" [4]
• Finally, ISPs often use race and ethnicity data for advertising purposes, which result in civil rights concerns.