An FTC Staff Report - What ISPs Know About You: Examining the

October 21, 2021

A Look At What ISPs

Know About You:

Examining the Privacy

Practices of Six Major

Internet Service Providers

An FTC Sta Report

A Look At What ISPs

Know About You:

Examining the Privacy Practices of Six Major

Internet Service Providers

An FTC Staff Report

October 21, 2021

FEDERAL TRADE COMMISSION

Table of Contents

Executive Summary.................................................................................................................. i

I. Introduction ..................................................................................................................... 1

II. Legal Framework Applicable to ISP Privacy ................................................................. 4

A. Historical Developments ............................................................................................ 4

B. Legal Framework Applicable to ISPs Today .............................................................. 6

III. Background Information About Order Recipients ..................................................... 10

IV. Information Obtained From Our Study ........................................................................ 14

A. Core Services .......................................................................................................... 15

B. Other Services Offered to Consumers .................................................................... 17

C. Advertising Services ................................................................................................ 18

1. Marketing Their Own Products and Services .................................................... 20

2. Advertising Third-Party Products and Services ................................................ 22

3. Other Services Offered to Businesses .............................................................. 24

4. Contractual Limitations on Use and Sharing ..................................................... 26

D. Privacy Practices ..................................................................................................... 26

1. Opacity ............................................................................................................. 26

2. Illusory Choices ................................................................................................ 27

3. Lack of Meaningful Access ............................................................................... 30

4. Data Retention and Deletion ............................................................................. 31

5. Accountability ................................................................................................... 32

V. Observations ................................................................................................................. 33

A. Many ISPs in our Study Amass Large Pools of Sensitive Consumer Data ............. 33

B. Several ISPs in Our Study Gather and Use Data In Ways Consumers Do Not

and Could Cause Them Harm ................................................................................ 34

C. Although Many ISPs in Our Study Purport to Offer Consumers Choices,

These Choices are Often Illusory ........................................................................... 39

D. Many ISPs in Our Study Can Be At Least As Privacy-Intrusive as Large

Advertising Platforms .............................................................................................. 42

VI. Conclusion .................................................................................................................... 44

APPENDIX A: Text of the Model Order ……………………………………………………….. A-1

APPENDIX B: Illustrative List of Segments………………………………………………….. B-1

Examining the Privacy Practices of Six Major Internet Service Providers

Executive Summary

The importance of the internet in the daily lives of consumers cannot be overstated. In its

relatively brief existence, it has become a vital tool for communication, information, commerce, and

entertainment. Approximately 93% of adults in the United States use the internet,

and the average

consumer spends six hours and fifty-six minutes online each day.

As the direct gateways to this

essential and ubiquitous tool, internet service providers (“ISPs”) can monitor and record their customers’

every online move, giving them the ability to surveil consumers and amass large amounts of information

on them as they go about their daily lives. In addition to providing internet, voice, and cable access,

these gatekeepers have also become major players in content creation and ad monetization.

Over the past few decades, the telecommunications industry has evolved into vertically-

integrated platforms that provide internet, cable, content, distribution, advertising, and analytics—all of

which has increased the volume of information available about consumers, improved the industry’s

insights into consumers’ behaviors, and strengthened the persistence of identifiers capable of tracking

users across platforms and assets. For example, in 2011, Comcast acquired NBC Universal, marking the

first time a cable company controlled a major broadcast network.

Verizon purchased AOL in 2015,

combining one of the biggest mobile network providers with a leading content producer, and Yahoo in

2017, creating a diverse house of more than fifty media and technology brands.

And in 2020, Amazon

received approval to deploy and operate 3,236 satellites, allowing it to deliver satellite-based broadband

services in the United States.

This rapid consolidation has allowed ISPs to access and control a much

larger and broader cache of consumer data than ever before, without having to explain fully their

purposes for such collection and use, much less whether such collection and use is good for consumers.

Internet/Broadband Fact Sheet, PEW RESEARCH CTR. (Apr. 7, 2021), https://www.pewresearch.org/internet/fact-

sheet/internet-broadband/.

Simon Kemp, Digital 2021 April Global Statshot Report, DATAREPORTAL (Apr. 21, 2021),

https://datareportal.com/reports/digital-2021-april-global-statshot

Tim Arango & Brian Stelter, Comcast Receives Approval for NBC Universal Merger, N.Y. TIMES (Jan. 19, 2011),

https://www.nytimes.com/2011/01/19/business/media/19comcast.html

See Ben Rooney, Verizon Buys AOL for $4.4 billion, CNN BUS. (May 12, 2015),

https://money.cnn.com/2015/05/12/investing/verizon-buys-aol/index.html

; Press Release, Verizon, Verizon Completes

Yahoo Acquisition, Creating a Diverse House of 50+ Brands Under New Oath Subsidiary (June 13, 2017),

https://www.verizon.com/about/news/verizon-completes-yahoo-acquisition-creating-diverse-house-50-brands-under-new-

oath-subsidiary. In September 2021, private equity firm Apollo Global Management acquired Yahoo (formerly known as

Verizon Media Group, itself formerly known as Oath) from Verizon. See Brian Heater & Ingrid Lunden, Apollo Completes

Its $5B Acquisition of Verizon Media, Now Known as Yahoo, T

ECHCRUNCH (Sep. 1, 2021),

https://techcrunch.com/2021/09/01/apollo-completes-its-5b-acquisition-of-verizon-media-now-known-as-yahoo.

Amazon Staff, Amazon Receives FCC Approval for Project Kuiper Satellite Constellation, AMAZON (July 30, 2020),

https://www.aboutamazon.com/news/company-news/amazon-receives-fcc-approval-for-project-kuiper-satellite-constellation

FEDERAL TRADE COMMISSION

FT C.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

In August 2019, the Federal Trade Commission (“FTC” or “Commission”) issued identical

Orders to File Special Reports (“Orders”) under Section 6(b) of the FTC Act to the country’s six largest

ISPs (AT&T Mobility LLC, Cellco Partnership d/b/a Verizon Wireless, Charter Communications

Operating LLC, Comcast Cable Communications d/b/a Xfinity, T-Mobile US Inc., and Google Fiber

Inc.)—comprising approximately 98.8 % of the mobile internet market

—and three advertising entities

affiliated with these ISPs (AT&T’s Appnexus Inc.—rebranded as Xandr—and Verizon’s Verizon

Online LLC and Oath Americas Inc.—rebranded as Verizon Media).

Appendix A is a copy of the text

of the Orders that the Commission issued to the ISPs and their affiliated entities. The Orders sought

information from these ISPs as to their data collection and use practices, as well as any tools provided to

consumers to control these practices.

This report summarizes the information provided in response to the Commission’s Orders,

including information gathered through follow-up questions and meetings. The companies’ narrative

responses and several detailed data sets provide remarkable insight into how many of the ISPs

in our

study surveil consumers, use and disseminate consumer data, and the privacy implications of such use

and dissemination. Based on this data, publicly-available materials, and the Commission’s long

experience with ISPs, this report highlights the ISP industry’s data surveillance and privacy practices.

Key Findings

1. Collection and Use

In general, many of the ISPs in the study collect and use information for four primary reasons:

(1) to provide core communications services to consumers (internet, voice, video); (2) to provide other

services to consumers (e.g., Internet of Things, and video or website content); (3) advertising; and (4) to

provide other services to businesses. The following findings relating to collection and use are notable:

• Some ISPs in Our Study Combine Data Across Product Lines. Three of the ISPs in

our study revealed that they combine information they receive from consumers across

their core services and at least some of their other services (e.g., TV and video streaming

services, home automation and security products, connected wearables, etc.).

• Some ISPs in Our Study Collect Data Unnecessary for the Provision of Internet

Services. Some of the ISPs in our study collect additional data from their customers that

Wireless Subscriptions Market Share by Carrier in the U.S., STATISTA (Apr. 2021),

https://www.statista.com/statistics/199359/market-share-of-wireless-carriers-in-the-us-by-subscriptions/

In May 2021, after the issuance of these Orders, Verizon announced that it was selling Verizon Media to private equity firm

Apollo Global Management. See Jordan Valinsky, Verizon Offloads Yahoo and AOL in $5 Billion Deal, CNN

BUS. (May 3,

2021), https://www.cnn.com/2021/05/03/media/verizon-yahoo-sold-apollo/index.html

Due to Sections 6(f) and 21(d)(1)(B) of the FTC Act prohibiting the Commission from disclosing trade secrets or

commercial or financial information that is privileged or confidential, the data discussed in this report is provided on an

anonymous and aggregated basis. See 15 U.S.C. § 46(f) (2018); 15 U.S.C. § 57b-2 (2018).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

iii

is not necessary to provide ISP services in order to enhance their ability to advertise (e.g.,

app usage history).

• A Few ISPs in Our Study Use Web Browsing Data to Target Ads. Two of the ISPs in

our study stated that they use web browsing information to target ads to consumers, and

another reserves the right to use such information for advertising purposes.

• Many ISPs in Our Study Group Consumers Using Sensitive Characteristics to

Target Ads. Many of the ISPs in our study serve targeted ads across the internet on

behalf of third parties. In doing so, they place consumers into segments that often reveal

sensitive information about consumers, allowing advertisers to target consumers by their

race, ethnicity, sexual orientation, economic status, political affiliations, or religious

beliefs.

• Some ISPs in Our Study Combine Personal, App Usage, and Web Browsing Data.

At least three ISPs in our study report combining consumers’ personal information, app

usage information, and/or browsing information for advertising purposes.

• A Significant Number of ISPs in Our Study Share Real-Time Location Data With

Third-Parties. There is a trend in the ISP industry to offer real-time location data about

specific subscribers to the ISPs’ third-party customers.

2. Privacy Practices

In response to the Orders, the ISPs in our study detailed their notice and disclosure; consent and

choice; and access, correction, and deletion practices. The ISP industry’s privacy practices raise

concerns in four key areas:

• Opacity. While several ISPs in our study tell consumers they will not sell their data,

they fail to reveal to consumers the myriad of ways that their data can be used,

transferred, or monetized outside of selling it, often burying such disclosures in the fine

print of their privacy policies. In addition, three of the ISPs in our study reserved the

right to share their subscribers’ personal information with their parent companies and

affiliates, which seems to undercut the promises not to sell personal information.

• Illusory Choices. There is a trend in the ISP industry to purport to offer consumers

some choices with respect to the use of their data. However, problematic interfaces can

result in consumer confusion as to how to exercise these choices, potentially leading to

low opt-out rates.

• Lack of Meaningful Access. Although many of the ISPs in our study purported to

offer consumers access to their information, the information was often either

indecipherable or nonsensical without context, potentially leading to low access

requests.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

• Data Retention and Deletion. While several of the ISPs in our study provided time

frames for deleting information, many asserted that they keep information as long as it

is needed for a business reason. However, many ISPs in our study have the ability to

define (or leave undefined) what constitutes a business reason, giving them virtually

unfettered discretion.

Observations

As a result of the findings detailed above, we make the following four observations:

• Many ISPs in Our Study Amass Large Pools of Sensitive Consumer Data. Several

ISPs in our study and their affiliates collect significant amounts of consumer information

from the range of products and services that they offer. The vertical integration of ISP

services with other services like home security and automation, video streaming, content

creation, advertising, email, search, wearables, and connected cars permits not only the

collection of large volumes of data, but also the collection of highly-granular data about

individual subscribers. Moreover, there is a trend in the ISP industry to combine the

subscriber data with additional information from third-party data brokers, resulting in

extremely granular insights and inferences into not just ISP subscribers but also their

families and households.

• Several ISPs in Our Study Gather and Use Data in Ways Consumers Do Not Expect

and Could Cause Them Harm. While consumers certainly expect ISPs to collect

certain information about the websites they visit as part of the provision of internet

services, they would likely be surprised at the extent of data that is collected and

combined for purposes unrelated to providing the service they request—in particular,

browsing data, television viewing history, contents of email and search, data from

connected devices, location information, and race and ethnicity data. More concerning,

this data could be used in a way that’s harmful to consumers, including by property

managers, bail bondsmen, bounty hunters, or those who would use it for discriminatory

purposes.

• Although Many ISPs in Our Study Purport to Offer Consumers Choices, These

Choices are Often Illusory. Although many of the ISPs in our study purported to offer

consumers choices, some of these choices were not offered clearly and indeed, nudged

consumers toward more data sharing.

• Many ISPs in Our Study Can be At Least As Privacy-Intrusive as Large

Advertising Platforms. Despite ISPs’ relative size in a market dominated by Google,

Facebook, and Amazon, the privacy challenges that permeate the advertising ecosystem

may be amplified by ISPs because: (1) many ISPs have access to 100% of consumers’

unencrypted internet traffic; (2) several ISPs are able to verify and know the identity of

their subscribers; (3) many ISPs can track consumers persistently across websites and

geographic locations; and (4) a significant number of ISPs have the capability to combine

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

the browsing and viewing history that they obtain from their subscribers with the large

amounts of information they obtain from the broad range of vertically integrated

products, services, and features that they offer.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

I. Introduction

We are in the midst of a global pandemic that has fundamentally changed our way of life. As

businesses, schools, governments, and communities have struggled to find new models for staying open,

providing critical services, and keeping in touch, the importance of reliable internet has grown.

Consumers are increasingly dependent on internet service providers (“ISPs”) to access essential services

and communicate with others.

Indeed, as the global pandemic forced cities and states into mandatory

lockdowns, ISPs increased their broadband subscriptions by nearly 8 million consumers during the last

two years,

with one ISP reporting historic broadband subscription numbers in the third quarter of

2020.

Online shopping and e-commerce with U.S. retailers in 2020 increased by 44% from the

previous year, or over $263 billion, as consumers stayed home.

Video conferencing platforms saw

their subscriptions dramatically increase.

Telehealth services soared upwards of 154% during the last

week of March 2020 as compared to the same period as the previous year.

As of August 2020, nearly

93% of households with school-age children reported engaging in some form of distance learning from

As described in greater detail in Section III of this report, many ISPs in our study often provide services other than internet

access to consumers. They provide bundles of services that might include internet, video, and voice. Additionally, many

ISPs in our study might provide other services, such as connected cars, home security, or mobile money. This study

examines how information about internet subscribers is collected, used, combined, and shared across products and services

offered by the ISPs in our study. As such, for purposes of this report, the term “ISP” refers to the entities that provide this

panoply of services, rather than focusing purely on the provision of internet access.

Press Release, Leichtman Research Grp., About 890,000 Added Broadband in 2Q 2021 (Aug. 18, 2021),

https://www.leichtmanresearch.com/about-890000-added-broadband-in-2q-2021/

Michelle Caffrey, Comcast Q3 Earnings: Broadband Growth Hits All-Time High, but NBCU Struggles Weigh Down

Results, B

IZJOURNALS (Oct. 29, 2020), https://www.bizjournals.com/philadelphia/news/2020/10/29/comcast-q3-2020-

earnings-call.html.

Fareeha Ali, Charts: How the Coronavirus is Changing Ecommerce, DIGITAL COMMERCE 360 (Feb. 19, 2021),

https://www.digitalcommerce360.com/2020/08/25/ecommerce-during-coronavirus-pandemic-in-charts

Heather Kelly, The Most Maddening Part About Working From Home: Video Conferences, WASH. POST (Mar. 16, 2020),

https://www.washingtonpost.com/technology/2020/03/16/remote-work-video-conference-coronavirus/

; Ella Koeze and

Nathaniel Popper, The Virus Changed the Way We Internet, N.Y. TIMES (Apr. 7, 2020),

https://www.nytimes.com/interactive/2020/04/07/technology/coronavirus-internet-use.html.

Lisa Koonin et al., Trends in the Use of Telehealth During the Emergence of the COVID-19 Pandemic–United States,

January-March 2020, M

ORBIDITY AND MORTALITY WKLY. REP. (MMWR) (Oct. 30, 2020),

https://www.cdc.gov/mmwr/volumes/69/wr/mm6943a3.htm

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

home.

Even when the pandemic subsides, studies predict that as many as a third of all U.S. companies

anticipate having half or more of their staff working from home or operating from remote locations.

As the internet assumes an increasingly pervasive role in the most personal aspects of our lives,

including telehealth and distance learning, the aggregation of data—along with the privacy of consumer

data in general—requires increased attention, especially for minority and low-income communities.

According to Pew Research, as of February 2019, 79% of white U.S. adults are home broadband users,

as compared to 66% of Black U.S. adults and 61% of Hispanic U.S. adults. According to more recent

research from UCLA, Black and Hispanic households are 1.3 to 1.4 times as likely as white households

to experience limited connectivity.

Low-income households are most impacted by digital

unavailability, with more than two in five having only limited access to a computer or the internet.

did not study this issue, but observers report that these consumers may have fewer internet options

and

sometimes those options include free or low-price services with fewer privacy protections.

These concerns bring to the forefront privacy and competition issues associated with internet

access. This report is based on materials provided by the country’s six largest ISPs comprising

Kevin Mcelrath, Nearly 93% of Households with School-Age Children Report Some Form of Distance Learning During

COVID-19, U.S.

CENSUS (Aug 26, 2020), https://www.census.gov/library/stories/2020/08/schooling-during-the-covid-19-

pandemic.html.

Alexa Lardieri, One-Third of Companies Will Have Half of Workforce Remote Post-Pandemic, Study Finds, U.S. NEWS

(Aug. 24, 2020),

https://www.usnews.com/news/health-news/articles/2020-08-24/one-third-of-companies-will-have-half-of-

workforce-remote-post-pandemic-study-finds.

Paul M. Ong, Covid-19 and the Digital Divide in Virtual Learning, UCLA CTR. FOR NEIGHBORHOOD KNOWLEDGE 7 (Dec.

9, 2020), https://knowledge.luskin.ucla.edu/wp-content/uploads/2020/12/Digital-Divide-Phase2_brief_release_v01.pdf

Id.

Kaleigh Rogers, Internet Service Providers Systematically Favor White Communities Over Communities of Color, VICE

(Feb. 23, 2018), https://www.vice.com/en/article/8xdd7b/internet-service-providers-systematically-favor-white-communities-

over-communities-of-color (citing studies to support the point that “[i]nternet infrastructure is often built first in more

affluent and more white communities, leaving lower income neighborhoods and neighborhoods with higher percentages of

people of color with fewer options”).

See, e.g., Benjamin Dean, The Heavy Price We Pay for “Free” Wi-Fi, THE CONVERSATION (Jan. 25, 2016),

https://theconversation.com/the-heavy-price-we-pay-for-free-wi-fi-52412

(noting that there’s a “longstanding trend in which

companies offer ostensibly free Internet-related products and services” but “[u]se is free on the condition that companies

providing the service collect, store, and analyze users’ valuable personal, locational, and behavioral data”). See also Harold

Li, The Pandemic Has Unmasked The Digital Privacy Divide, F

ORBES (May 5, 2021),

https://www.forbes.com/sites/forbestechcouncil/2021/05/05/the-pandemic-has-unmasked-the-digital-privacy-divide/ (citing a

study that found that 32% of Americans “have had to seek free internet access outside of their homes since the pandemic”

and noting that “[s]uch free public networks are notoriously lacking in security and privacy—with traffic at risk of

monitoring by the hotspot operator or even those sharing the network, if proper encryption isn’t used”); Nicole A. Ozer, No

Such Thing As a “Free” Internet: Safeguarding Privacy and Free Speech in Municipal Wireless Systems, 11 N.Y.U.

EGISLATION & PUB. POLICY 519 (2012).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

approximately 98.8% of the mobile internet market as of Q1 2021

(AT&T Mobility LLC, Cellco

Partnership d/b/a Verizon Wireless, Charter Communications Operating LLC, Comcast Cable

Communications d/b/a Xfinity, T-Mobile US Inc., and Google Fiber Inc.) (“ISP Order Recipients”) and

three advertising entities affiliated with these ISPs (AT&T’s Appnexus Inc.—rebranded as Xandr—and

Verizon’s Verizon Online LLC and Oath Americas Inc.—rebranded as Verizon Media)

(collectively,

“Order Recipients”) pursuant to Special Orders issued by the Federal Trade Commission (collectively,

“Commission’s Orders”).

Appendix A is a copy of the text of the Orders that the Commission issued

to the Order Recipients. In response to the Commission’s Orders, the Order Recipients produced

information and documents related to the types of information they collected, the purposes for which

information about consumers is used, the types of information shared with affiliated and unaffiliated

entities, the notices and privacy choices provided to consumers, and consumers’ access and deletion

rights.

While staff of the Federal Trade Commission (“FTC” or “Commission”) conducted a

comprehensive examination of the privacy practices of the Order Recipients, this report contains a

number of limitations. First, it is a snapshot in time, comprised of information obtained from Order

Recipients between July 2019 and July 2020,

as well as publicly available information. Second, there

are thousands of local and regional ISPs throughout the country.

As such, while we tried to capture a

variety of models for providing internet service, our ISP Order Recipients are primarily limited to the

country’s largest ISPs comprising approximately 81.6% of the fixed residential internet market in

2020.

Third, our report is limited to the privacy practices of ISPs. While this report does not discuss

On April 1, 2020, T-Mobile closed on its acquisition of Sprint, forming the second largest mobile carrier in the country.

Press Release, T-Mobile, T-Mobile Completes Merger with Sprint to Create the New T-Mobile (Apr. 1, 2020),

https://www.t-mobile.com/news/un-carrier/t-mobile-sprint-one-company

. This figure reflects the combined T-Mobile/Sprint

market share. Wireless Subscriptions Market Share by Carrier in the U.S., STATISTA (Apr. 2021),

https://www.statista.com/statistics/199359/market-share-of-wireless-carriers-in-the-us-by-subscriptions/.

In May 2021, Verizon announced that it is selling Verizon Media, which includes AOL and Yahoo, to private equity firm

Apollo Global Management; Verizon Media Group’s name will be changed to Yahoo, and Verizon will retain a 10% stake in

the new entity. Jordan Valinsky, Verizon Offloads Yahoo and AOL in $5 Billion Deal, CNN

BUS. (May 3, 2021),

https://www.cnn.com/2021/05/03/media/verizon-yahoo-sold-apollo/index.html

Press Release, Fed. Trade Comm’n, FTC Seeks to Examine the Privacy Practices of Broadband Providers (Mar. 26, 2019),

https://www.ftc.gov/news-events/press-releases/2019/03/ftc-seeks-examine-privacy-practices-broadband-providers

; Press

Release, Fed. Trade Comm’n, FTC Revises List of Companies Subject to Broadband Privacy Study (Aug. 29, 2019),

https://www.ftc.gov/news-events/press-releases/2019/08/ftc-revises-list-companies-subject-broadband-privacy-study.

One Order Recipient discontinued an advertising program shortly before it received our Order, but reinstituted the program

as we were drafting this report. The report includes references to that program, even though it is outside this time frame.

Fed. Commc’ns Comm’n, Protecting and Promoting the Open Internet, 80 Fed. Reg. 19737, 19771 (2015),

https://www.fcc.gov/document/fcc-releases-open-internet-order

See Press Release, Leichtman Research Grp., About 4,860,000 Added Broadband From Top Providers in 2020 (Mar. 3,

2021), https://www.leichtmanresearch.com/about-4860000-added-broadband-from-top-providers-in-2020/

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

competition issues between ISPs or their vertically-integrated entities, the intersection of the two is

relevant to this discussion.

For example, market power may enable violations of consumer protection

laws and exacerbate the effects of those violations. Consumer protection violations, in turn, often have

detrimental effects on competition. Companies may gain market share through deceptive reassurances

on privacy. As such, competition issues will continue to inform the Commission’s approach to privacy

in this space. Finally, this report does not discuss other products and services provided by ISPs or their

related entities (e.g., video, voice, content and websites, Internet of Things, connected cars, home

security), unless such products or services use or share information obtained from internet subscribers.

Section II of this report starts with a general overview of the legal framework applicable to ISPs.

Section III discusses how our ISP Order Recipients collect, use, and share consumers’ personal

information. Section IV then discusses the privacy practices of our ISP Order Recipients, including the

transparency, control, access rights, and deletion rights that they provide to consumers. Finally, Section

V offers several key observations on the internet landscape, such as the large-scale aggregation of data

and use of dark patterns.

II. Legal Framework Applicable to ISP Privacy

A. Historical Developments

As noted above, this report addresses ISPs as entities that offer a multitude of services, one of

which is the provision of internet access. But historically, the different services ISPs offer have been

treated differently under applicable regulatory frameworks. The Communications Act of 1934, as

amended by the Telecommunications Act of 1996, distinguishes between so-called “information

services” and “telecommunications services.” An entity is treated as a common carrier, and subject to

Title II of the Communications Act, when providing telecommunications services but not when

providing information services.

Much legal significance attaches to the classification of a service,

although the distinctions are not always easy to draw. Whether a service offered by an ISP is classified

as an “information service” or a Title II “telecommunications service” has two main implications for

privacy.

See, e.g., David Meyer, The Privacy and Antitrust Worlds are Starting to Cross Over, IAPP (April 23, 2019),

https://iapp.org/news/a/the-privacy-and-antitrust-worlds-are-starting-to-cross-over/

(noting that large platforms “‘may be

accumulating data—in some cases against consumers’ wishes—on account of a lack of choice and immense imbalances in

market power between service providers and consumers’” (quoting several U.S. attorneys general). See generally M

ARIA

WASASTJERNA, COMPETITION, DATA AND PRIVACY IN THE DIGITAL ECONOMY: TOWARDS A PRIVACY DIMENSION IN

COMPETITION POLICY? (2020) (citing the German case Bundeskartellamt vs. Facebook as an example of a dominant player in

the market for social networks that exploited such a position by adopting terms of service on the use of user data in violation

of data protection provisions).

47 U.S.C. § 153(51) (2018).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

First, Title II includes specific provisions to protect the privacy of customers of

telecommunications services. Section 222 imposes a duty on telecommunications service providers to

protect the confidentiality of their customers’ “proprietary information,” and places restrictions on the

use and sharing of customer proprietary network information (“CPNI”) without customer approval,

subject to certain exceptions.

Additionally, Section 201 prohibits “unjust or unreasonable” charges,

practices, classifications, or regulations in connection with telecommunications service. Designating a

service as a Title I service, however, excludes such service from the ambit of Title II of the Act,

including Section 222 and the Federal Communication Commission’s (“FCC”) CPNI rules.

Second, the FTC Act exempts “common carrier activities subject to the Acts to regulate

commerce” from the FTC’s jurisdiction.

Therefore, if a service is classified as a common carrier

service under Title II of the Communications Act, the FTC loses its jurisdiction over the service.

However, the FTC has repeatedly argued, and the Ninth Circuit has agreed, that this exception is

“activities based,” rather than “status based.” In other words, the FTC does not have jurisdiction over an

entity for its common carrier activities, but to the extent the entity engages in non-common carrier

activities, the FTC would have jurisdiction over these activities.

During the 2000s, the FCC classified broadband internet access service as an information

service rather than as a telecommunications service. But in 2015, the FCC adopted its Open

Internet Order, classifying Broadband Internet Access Services (“BIAS”)—a core service

offered by the ISPs in our study—as a telecommunications service.

This reclassification made

ISPs subject to statutory privacy duties under Title II of the Communications Act and allowed

the FCC to promulgate privacy rules for BIAS providers.

The FCC finalized, but did not

implement, privacy rules governing the collection, use, and disclosure of personal information by

47 U.S.C. § 222 (2018).

See 15 U.S.C. §§ 45(a)(2) (2018) (exempting “common carriers subject to the Acts to regulate commerce”), 44 (defining

“Acts to regulate commerce” as including “the Communications Act of 1934 and all Acts amendatory thereof and

supplementary thereto”).

In October 2014, the FTC filed an action against AT&T Mobility alleging the company had misled millions of consumers

with “unlimited” data promises. AT&T Mobility challenged the FTC’s action, arguing that its mobile data service was

exempt from FTC jurisdiction as a common carrier. In 2018, in an en banc decision, the Ninth Circuit held that the common

carrier exception under the FTC Act applies only to common carrier activities and therefore “by extension, the interpretation

means that the FTC may regulate common carriers’ non-common-carriage activities.” Fed. Trade Comm’n v. AT&T

Mobility LLC, 883 F.3d 848 (9th Cir. 2018),

https://www.ftc.gov/enforcement/cases-proceedings/122-3253/att-mobility-llc-

mobile-data-service.

Fed. Commc’ns. Comm’n, Protecting and Promoting the Open Internet, FCC-15-24 (Mar. 12, 2015),

https://docs.fcc.gov/public/attachments/FCC-15-24A1_Rcd.pdf

While the Open Internet Order granted broadband internet access service forbearance from many Title II provisions, the

FCC concluded that application and enforcement of privacy protections in Section 222 to broadband internet access service

was in the public interest and necessary for the protection of consumers. However, the FCC forbore from the application of

its existing rules implementing Section 222 pending the adoption of rules to govern broadband internet access service.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

BIAS providers.

These rules provided requirements for how BIAS providers may use and

disclose their customers’ personal information.

However, prior to their effective date,

Congress repealed the FCC’s privacy rules pursuant to the Congressional Review Act.

The

FCC later reversed its prior classification of BIAS as a common carriage telecommunications

service in January 4, 2018 in its Restoring Internet Freedom Order, and reclassified BIAS as an

information service.

B. Legal Framework Applicable to ISPs Today

Although the FTC does not have jurisdiction over voice services because of the common carrier

exception in the FTC Act, it does have authority to oversee ISPs’ internet privacy practices, since

internet and data services are not a common carrier activity.

The FTC enforces a number of laws that

apply to the data practices of ISPs and their affiliated entities. First, Section 5 of the FTC Act prohibits

ISPs and their affiliated entities from unfair or deceptive practices.

A misrepresentation or omission is

deceptive if it is material and is likely to mislead consumers acting reasonably under the

circumstances.

An act or practice is unfair if it causes, or is likely to cause, substantial injury that is

not reasonably avoidable by consumers, and not outweighed by countervailing benefits to consumers or

Protecting the Privacy of Customers of Broadband and Other Telecommunication Services, 81 Fed. Reg. 87274 (Nov. 2,

2016), https://www.fcc.gov/document/fcc-releases-rules-protect-broadband-consumer-privacy

. In a comment submitted in

response to the FCC’s Notice of Proposed Rulemaking, FTC staff commended the FCC on its proposed rule and made some

recommendations. Fed. Trade Comm’n, Comment of the Staff of the Bureau of Consumer Protection of the Federal Trade

Commission on Protecting the Privacy of Customers of Broadband and Other Telecommunications Services (May 27, 2016),

https://www.ftc.gov/policy/advocacy/advocacy-filings/2016/05/ftc-staff-comment-federal-communications-commission-

matter.

Protecting the Privacy of Customers of Broadband and Other Telecommunication Services, 81 Fed. Reg. 87274.

The Congressional Review Act (“CRA”) provides a process for Congress to overturn rules issued by federal agencies.

Pursuant to the Act, Congress may issue a joint resolution disapproving of an agency rule. If passed and signed by the

President (or Congress overrides a veto), the CRA states that the disapproved rule “shall not take effect (or continue).” C

ONG.

ESEARCH SERV., THE CONGRESSIONAL REVIEW ACT (CRA): FREQUENTLY ASKED QUESTIONS (Jan. 14, 2020),

https://fas.org/sgp/crs/misc/R43992.pdf

. See also S.J. Res. 34, 115th Cong. (2017),

https://www.congress.gov/115/bills/sjres34/BILLS-115sjres34enr.pdf; Brian Fung, Republicans Voted to Roll Back

Landmark FCC Privacy Rules. Here’s What You Need to Know, WASH. POST (Mar. 28, 2017),

https://www.washingtonpost.com/news/the-switch/wp/2017/03/28/republicans-are-poised-to-roll-back-landmark-fcc-privacy-

rules-heres-what-you-need-to-know/.

Fed. Commc’ns. Comm’n, Restoring Internet Freedom Order, FCC-17-166 (Jan. 4, 2018), https://www.fcc.gov/fcc-

releases-restoring-internet-freedom-order.

See AT&T Mobility LLC, 883 F.3d 848.

15 U.S.C. § 45(a)(1) (2018).

FTC Policy Statement on Deception, 103 F.T.C. 110, 174 (1984) (appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174

(1984)), https://www.ftc.gov/system/files/documents/public_statements/410531/831014deceptionstmt.pdf

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

competition.

Thus, for example, ISPs cannot make misleading statements about their privacy

practices; nor can they act in ways that are likely to harm consumers—for example, by collecting and

sharing sensitive information, without notifying consumers, with third parties that misuse that

information to the detriment of those consumers—unless those harms are outweighed by countervailing

benefits. The FTC has used its authority to address unfair or deceptive practices by ISPs, including

actions to protect consumers from deceptive ISP marketing and advertising offers;

malicious ISPs

hosting malware, child pornography, and botnets;

insecure on-premises equipment such as ISP-

provided routers;

mobile cramming charges;

illegal billing of videotext services;

and deceptive

throttling practices.

Most recently, in 2019, AT&T Mobility, an Order Recipient, agreed to a $60

million settlement with the Commission, resolving allegations that the company had deceptively

throttled consumers’ mobile internet speeds.

Second, the Children’s Online Privacy Protection Act (“COPPA”) prohibits operators of child-

directed websites and other online services from collecting the personal information of children under

J. Howard Beales, The FTC’s Use of Unfairness Authority: Its Rise, Fall, and Resurrection, FED. TRADE COMM’N (May

30, 2003), https://www.ftc.gov/public-statements/2003/05/ftcs-use-unfairness-authority-its-rise-fall-and-resurrection

Juno Online Servs., Inc., No. C-4016 (F.T.C. June 25, 2001), https://www.ftc.gov/enforcement/cases-proceedings/002-

3061/juno-online-services-inc; CompuServe, Inc., No. C-3789 (F.T.C. Mar. 16, 1998),

https://www.ftc.gov/enforcement/cases-proceedings/962-3096/compuserve-inc-matter; Prodigy Servs. Corp., No. C-3788

(F.T.C. Mar. 16, 1998), https://www.ftc.gov/enforcement/cases-proceedings/952-3332/prodigy-services-corporation-matter;

Am. Online Inc., No. C-3787 (F.T.C. Mar. 16, 1998), https://www.ftc.gov/enforcement/cases-proceedings/952-3331/america-

online-inc-matter.

Fed. Trade Comm’n v. Pricewert LLC, No. C-09-CV-2407 RMW (N.D. Cal. Apr. 8, 2010),

https://www.ftc.gov/enforcement/cases-proceedings/092-3148/pricewert-llc-dba-3fnnet-ftc

Letter from Maneesha Mithal, Assoc. Dir. of the Div. of Privacy & Identity Prot., Fed. Trade Comm’n, to Dana Rosenfeld,

Partner, Kelley Drye (Nov. 12, 2014),

https://www.ftc.gov/system/files/documents/closing_letters/verizon-communications-

inc./141112verizonclosingletter.pdf (finding that, while Verizon took steps to mitigate the risk to consumer information, the

use of Wired Equivalent Privacy (“WEP”) as an encryption standard could leave consumers vulnerable to hackers).

Fed. Trade Comm’n v. T-Mobile USA, Inc., No. 2:14-cv-0097-JLR (W.D. Wa. Dec. 19, 2014),

https://www.ftc.gov/enforcement/cases-proceedings/132-3231/t-mobile-usa-inc

; Fed. Trade Comm’n v. AT&T Mobility,

LLC, No. 1:14-cv-3227-HLM (N.D. Ga. Oct. 8, 2014), https://www.ftc.gov/enforcement/cases-proceedings/132-3248/att-

mobility-llc.

Fed. Trade Comm’n v. Verity Int’l, Ltd., No. 00 Civ. 7422 (LAK) (S.D.N.Y. Sept. 17, 2004),

https://www.ftc.gov/enforcement/cases-proceedings/002-3386/verity-international-ltd-et-aldefendants

Fed. Trade Comm’n v. AT&T Mobility LLC, No. 3:14-cv-04785-EMC (N.D. Cal. Feb. 26, 2018),

https://www.ftc.gov/enforcement/cases-proceedings/122-3253/att-mobility-llc-mobile-data-service

; Fed. Trade Comm’n v.

TracFone Wireless, Inc., No. 3:15-cv-00392-EMC (N.D. Cal. Feb. 20, 2015), https://www.ftc.gov/enforcement/cases-

proceedings/132-3176/straight-talk-wireless-tracfone-wireless-inc.

Fed. Trade Comm’n v. AT&T Mobility LLC, No. 14-CV-04785 (N.D. Cal. Dec. 4, 2019),

https://www.ftc.gov/enforcement/cases-proceedings/122-3253/att-mobility-llc-mobile-data-service

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

the age of 13 without parental consent.

For ad networks in particular, COPPA applies if the network

has actual knowledge that it is serving advertisements on a child-directed site or service.

Thus, for

example, if an ISP-affiliated ad network were to knowingly serve behaviorally-targeted ads on a child-

directed app or website, it would be required to obtain consent from the parents of those app users.

Third, the Fair Credit Reporting Act

(“FCRA”) applies to ISPs that act as “furnishers”—

companies that provide information to consumer reporting agencies

—and “users”—companies that

use consumer reports.

Furnishers have an obligation to ensure that the information they provide to

consumer reporting agencies is accurate.

Users of consumer reports must certify that they have a

“permissible purpose” for obtaining such reports.

When an ISP provides information to a consumer

reporting agency on the timeliness of consumers’ payments, it is acting as a furnisher and subject to

certain requirements regarding the accuracy of the information and the correction of errors. Moreover,

when an ISP takes an adverse action against a subscriber, such as denying service or offering less

favorable terms, based on the subscriber’s credit report, the ISP must provide notice to that subscriber,

explaining how that subscriber can dispute any inaccurate information in the report. The FTC has

brought cases under the FCRA alleging that ISPs failed to provide required notices to consumers who

were given less favorable terms because of their credit scores.

In addition to laws enforced by the FTC, ISPs are also subject to laws enforced by the FCC. As

described above, some of these laws only apply to telecommunications services offered by ISPs. For

example, Section 201 of the Communications Act of 1934 prohibits unjust and unreasonable practices

by providers of telecommunications services.

Section 222 and its implementing rules protect customer

information, including information that relates to the quantity, technical configuration, type, destination,

location, and amount of use of consumers’ telecommunications services as well as certain information

15 U.S.C. § 6501–6506 (2018).

Complying with COPPA: Frequently Asked Questions, FED. TRADE COMM’N, https://www.ftc.gov/tips-advice/business-

center/guidance/complying-coppa-frequently-asked-questions-0#E.%20Third%20Parties (last visited Sept. 30, 2021).

15 U.S.C. §§ 1681–1681x (2018).

15 U.S.C. § 1681s-2 (2018).

15 U.S.C. § 1681m (2018).

15 U.S.C. § 1681s-2 (2018).

15 U.S.C. § 1681b (2018).

United States v. Sprint Corp., 2:15-cv-9340 (D. Kan. Oct. 21, 2015), https://www.ftc.gov/enforcement/cases-

proceedings/142-3094/sprint-corporation-sprint-asl-program-0; United States v. Time Warner Cable, Inc., 13-cv-8998

(S.D.NY. Dec. 20, 2013), https://www.ftc.gov/enforcement/cases-proceedings/122-3149/time-warner-cable-inc.

47 U.S.C. § 201(b) (2018).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

contained in consumers’ billing statements—defined as Customer Propriety Network Information

(“CPNI”).

It imposes restrictions on how telecommunications carriers can use, disclose, or permit

access to CPNI. Additionally, some ISPs in our study may also act as cable operators subject to the

Cable Communications Policy Act (the “Cable Act”), which requires these operators to provide their

subscribers with notices about their privacy practices, choices as to collection of personal information,

and the right to access their own personal information. It also requires that cable operators implement

data retention limits.

In addition, the Cable Act restricts operators’ unauthorized disclosure of

subscriber personally identifiable information, including a subscriber’s viewing and use of a cable

service, and requires cable operators to take action to prevent unauthorized access to such information.

Finally, the FCC’s “Transparency Rule”

requires ISPs to disclose information about their network

management practices, performance characteristics, and commercial terms, including privacy policies.

This last rule applies most broadly to ISPs.

Using the currently-available tools at their disposal, the FTC and FCC work together to enforce

their respective laws as they relate to the privacy practices of ISPs. In 2005 and 2017, both agencies

agreed to coordinate and consult on investigations and actions that implicate the jurisdiction of the other

agency, including that the FTC would exercise its Section 5 authority to “investigate and take

enforcement action as appropriate against internet service providers for unfair, deceptive, or otherwise

unlawful acts or practices…,” and that the FCC would investigate failures of ISPs to comply with its

Transparency Rule.

The two agencies also agreed to support continued and ongoing coordination and

cooperation, including through consultation on investigations, sharing of relevant investigative

techniques, and collaboration on consumer and industry outreach.

Consistent with this collaborative

approach, in 2020, the FTC and FCC sent joint warning letters to Voice over Internet Protocol (“VoIP”)

providers and service providers warning them that “routing and transmitting” or “assisting and

facilitating” illegal Covid-related robocalls is against the law.

47 U.S.C. § 222 (2018).

47 U.S.C. § 551 (2018) (requiring cable and satellite TV operators to “destroy personally identifiable information if the

information is no longer necessary for the purpose for which it was collected”); see also 47 U.S.C. § 338(i) (2018) (applying

the same protections to providers of satellite television services).

See 47 U.S.C. § 551.

47 C.F.R. § 8.1 (2018).

RESTORING INTERNET FREEDOM: FCC-FTC MEMORANDUM OF UNDERSTANDING (Dec. 2017),

https://www.ftc.gov/policy/cooperation-agreements/restoring-internet-freedom-fcc-ftc-memorandum-understanding

Id.

Press Release, Fed. Trade Comm’n, FTC and FCC Send Joint Letters to VoIP Providers Warning against ‘Routing and

Transmitting’ Illegal Coronavirus-related Robocalls (Apr. 3, 2020),

https://www.ftc.gov/news-events/press-

releases/2020/04/ftc-fcc-send-joint-letters-voip-service-providers-warning-against; Press Release, Fed. Trade Comm’n, FTC

and FCC Send Joint Letters to Additional VoIP Providers Warning against ‘Routing and Transmitting’ Illegal Coronavirus-

related Robocalls (May 20, 2020),

https://www.ftc.gov/news-events/press-releases/2020/05/ftc-fcc-send-joint-letters-

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

Finally, state and local laws and regulations address privacy practices of ISPs. As with Section 5

of the FTC Act, states have their own consumer protection laws that similarly prohibit unfair and

deceptive acts or practices. A number of states have also enacted specific privacy laws. For example,

Maine recently enacted an internet privacy law that, among other things, prohibits ISPs from using,

disclosing, selling, or permitting access to certain personal information, such as browsing history,

certain persistent identifiers, and location information from consumers without their express affirmative

consent.

Over the past several years, California’s legislative and ballot initiative processes have

enacted general broad-based technology-neutral privacy legislation, namely the California Consumer

Privacy Act of 2018 (“CCPA”),

and the California Privacy Rights Act of 2020 (“CPRA”).

In part,

both the CCPA and CPRA govern access and deletion rights, and the notice and choices that companies,

including ISPs, must provide to California residents.

Nevada and Virginia have similarly enacted their

own privacy laws,

with other states likely following suit.

III. Background Information About Order Recipients

As noted above, the Commission issued 6(b) Orders to six ISPs and three ISP-affiliated ad

networks. The ISP Order Recipients represent a broad swath of the internet services offered in this

country, including fixed residential internet and mobile internet providers. Together they represent

additional-voip-providers-warning. See also Press Release, Fed. Trade Comm’n, FTC Warns 19 VoIP Service Providers

That ‘Assisting and Facilitating’ Illegal Telemarketing or Robocalling Is Against the Law (Jan. 30, 2020),

https://www.ftc.gov/news-events/press-releases/2020/01/ftc-warns-19-voip-service-providers-assisting-facilitating.

ME. STAT. tit. 35-A, § 9301 (2019), https://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html.

California Consumer Privacy Act of 2018, CAL. CIV. CODE §§ 1798.100 – 17998.199.100 (2018) [hereinafter CCPA],

http://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5

California Privacy Rights Act of 2020, Proposition 24, CAL. CIV. CODE §§ 1798.100 – 17998.199.100 (2020) [hereinafter

CPRA],

https://oag.ca.gov/system/files/initiatives/pdfs/19-

0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf.

See CAL. CIV. CODE §§ 1798.100 – 17998.199.100.

NEV. REV. STAT. § 603A (2021), https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6365/Text; Virginia

Consumer Data Protection Act, VA. CODE ANN. § 59.1-575 through 59.1-581 (2021), https://lis.virginia.gov/cgi-

bin/legp604.exe?211+sum+SB1392.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

approximately $130.4 billion in revenue from mobile internet

and $54.8 billion dollars in revenue from

fixed residential internet, annually.

The ISPs in our study exemplify the evolution of the industry, from a series of conduits that route

internet traffic into vertically-integrated platforms that not only provide internet, voice, and cable access,

but also create the content transmitted across pipes and cables and monetize the ads served on our

websites, monitors, and screens. For example:

• AT&T provides both residential broadband internet and mobile internet, with 19 million

residential household subscribers and 77 million mobile subscribers, respectively.

In June

2018, AT&T acquired Time Warner.

This merger created the country’s third largest residential

internet provider,

third largest mobile provider,

a popular content provider—which offers

cable streaming services, a satellite and streaming TV service, and an advertising network.

AT&T’s advertising unit, Xandr (also an Order Recipient) reports reaching over 135 million

Laura Wood, USA Telecom Operators Country Intelligence Report 2020-2024, BUS. WIRE (July 14, 2020),

https://www.businesswire.com/news/home/20200714005656/en/USA-Telecom-Operators-Country-Intelligence-Report-

2020-2024---ResearchAndMarkets.com.

Julija Jurkevic, APAC Propels Fiber to Reach 51.3% of 1 Billion Global Fixed Broadband Households, S&P GLOBAL

(Dec. 17, 2020),

https://www.spglobal.com/marketintelligence/en/news-insights/blog/apac-propels-fiber-to-reach-51-3-of-1-

billion-global-fixed-broadband-households (“U.S. ISPs generated $71.5 billion in broadband services revenues, equating to a

monthly ARPU of $56.02—the highest in the world.”).

AT&T INC., ANNUAL REPORT FORM 10-K 4–5 (Feb. 25, 2021), https://investors.att.com/financial-reports/sec-filings

(AT&T reports 77 million postpaid, 18 million prepaid, 7 million reseller subscribers, and an additional 81 million connected

devices. Additionally, the company reports 17 million premium TV/OTT subscribers and 19 million residential internet

connections.).

Press Release, AT&T, AT&T Completes Acquisition of Time Warner, Inc. (June 15, 2018),

https://about.att.com/story/att_completes_acquisition_of_time_warner_inc.html

Press Release, Leichtman Research Grp., supra note 18 (reporting the following: Comcast (30.6 million subscribers);

Charter (28.8 million subscribers); AT&T (15.3 million subscribers); Verizon (7.1 million subscribers)).

Mike Dano, US Wireless Snapshot: Subscribers, Market Share and Q3 Estimates, LIGHT READING (Oct. 16, 2020),

https://www.lightreading.com/4g3gwifi/us-wireless-snapshot-subscribers-market-share-and-q3-estimates/d/d-id/764688

(finding the following US wireless subscriber market share: Verizon (42%), AT&T (27%), and T-Mobile (29%)).

In May 2021, AT&T announced that it would spin off WarnerMedia and combine it with Discovery as a new standalone

media company that would include HBO Max, discovery+, and CNN. See, e.g., Brian Stelter, AT&T to Spin Off and

Combine WarnerMedia with Discovery in Deal that Would Create Streaming Giant, CNN BUS. (May 17, 2021),

https://www.cnn.com/2021/05/17/media/warnermedia-discovery-deal/index.html; see also Press Release, AT&T,

supra note 65.

Acquisition of Time Warner, Inc. (June 15, 2018),

https://about.att.com/story/att_completes_acquisition_of_time_warner_inc.html.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

unique consumers a month.

AT&T also provides a range of internet of things (“IoT”) products

and services, such as connected car and connected home automation and security solutions.

• Verizon is not only the nation’s largest mobile internet provider

but is also the country’s fourth

largest residential ISP, with 94 million and 7 million subscribers, respectively.

Through its

affiliates and subsidiaries, Verizon can access consumers’ information from a variety of sources

beyond its mobile and residential internet services, including from its advertising affiliates,

content-creating affiliates (e.g., Verizon Media,

Yahoo!, TechCrunch) and its IoT affiliates

(e.g., Hum by Verizon and Verizon Connect, which provide connected car diagnostic services).

• Comcast is the nation’s largest fixed residential ISP with approximately 30.7 million

subscribers.

The company also owns a digital advertising platform that focuses on multiscreen

advertising across TV, laptop, and mobile devices, which reaches more than 35 million

households across the United States.

Comcast also offers a broad range of connected home

services, such as home automation and security under the Xfinity brand.

Comcast Corporation

further owns website content, TV networks, and even amusement parks under the NBCUniversal

Press Release, WarnerMedia, AT&T’s Turner and Xandr Partner on New, Enhanced Ad Opportunities Entering 2019 (Jan.

8, 2019),

https://pressroom.warnermedia.com/us/media-release/warnermedia/atts-turner-and-xandr-partner-new-enhanced-ad-

opportunities-entering-2019.

See e.g., AT&T DIGITAL LIFE HOME, https://my-digitallife.att.com/learn/home-security-and-automation (last visited Sept.

30, 2021); AT&T SMART HOME MANAGER, https://www.att.com/internet/smart-home/ (last visited Sept. 30, 2021); AT&T

CONNECTED CARS, https://www.att.com/plans/connected-car.html (last visited Sept. 30, 2021).

Dano, supra note 67.

VERIZON COMMC’NS INC., ANNUAL REPORT FORM 10-K (2020), https://verizon.api.edgar-

online.com/EFX_dll/EdgarPro.dll?FetchFilingHTML1?SessionID=bYwwkx8-L-lzq1Q&ID=14744806 (reporting 94 million

wireless connections, 7 million broadband connections, and 4 million video connections).

Valinsky, supra note 14 (noting that Verizon announced that it is selling Verizon Media (including both Yahoo and AOL)

to private equity firm Apollo Global Management).

COMCAST CORP., ANNUAL REPORT FORM 10-K 2 (10-K) (2020), https://www.cmcsa.com/static-files/0ff6a41f-c1ff-4c25-

b07e-4ec8424907cf (reporting 30.7 million residential customer relationships); see also Jon Brodkin, Comcast, Charter

Expand Broadband Domination as Cable Hits 67% Market Share, ARS TECHNICA (Mar. 9, 2020),

https://arstechnica.com/information-technology/2020/03/comcast-charter-expand-broadband-domination-as-cable-hits-67-

market-share/.

Comcast Spotlight: Creating Solutions for a Multi-screen World, COMCAST, https://corporate.comcast.com/news-

information/news-feed/comcast-spotlight-advertising-solutions-for-a-multi-screen-world (last visited Sept. 30, 2021).

COMCAST HOME SECURITY, https://www.xfinity.com/learn/home-security (last visited Sept. 30, 2021).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

banner.

Finally, in 2017, Comcast launched Xfinity Mobile, which offers unlimited mobile

data plans.

• Charter is the nation’s second largest cable provider, offering video, voice, and residential and

mobile internet to its approximately 29 million subscribers through its Spectrum brand.

The

company also runs regional sports and news networks,

as well as an advertising platform,

Spectrum Reach, offering multi-channel and cross device solutions for advertisers attempting to

reach its video and internet subscribers.

• T-Mobile is the second largest mobile internet provider in the United States, with 81.35 million

subscribers.

The company continues to offer products and services beyond the provision of

internet, such as a financial services product,

a live streaming TV service,

wearable device

solutions,

and an advertising platform.

• Google Fiber is an ISP with relatively low subscribership and small geographic presence in

comparison to other ISP Order Recipients, offering high-speed gigabit internet and TV streaming

services in just nineteen cities.

However, Google Fiber is also a subsidiary of Alphabet, Inc.—

COMCAST CORP., supra note 74, at 2–10 (describing lines of business, such as communications, cable networks, broadcast

television, filmed entertainment, and theme parks).

Sarah Perez, Comcast’s New Wireless Service, Xfinity Mobile, is Now Live, TECHCRUNCH (May 17, 2017),

https://techcrunch.com/2017/05/17/comcasts-new-wireless-service-xfinity-mobile-is-now-live/

CHARTER COMMC’NS., 2020 ANNUAL REPORT (2020), https://ir.charter.com/static-files/c7d3ae3d-011f-4962-89cb-

c098c848ed15 (reporting 29 million residential customer relationships).

SPECTRUM NEWS, https://spectrumlocalnews.com/splash (last visited Sept. 30, 2021).

SPECTRUM REACH, https://www.spectrumreach.com/ (last visited Sept. 30, 2021).

T-MOBILE US, INC., ANNUAL REPORT 10-K (2020), https://www.t-mobile.com/2020-annual-report (reporting 102.1 million

total subscribers, including 81.35 million postpaid and 20.71 million prepaid subscribers). T-Mobile also offers Home

Internet. See Home Internet, T-M

OBILE, https://www.t-mobile.com/isp (last visited Oct. 18, 2021).

T-MOBILE MONEY, https://www.t-mobilemoney.com/en/home.html (last visited Sept. 30, 2021).

T-MOBILE TVISION, https://www.t-mobile.com/tvision (last visited Sept. 30, 2021).

TIMEX Family Connect Smartwatch for Kids, T-MOBILE, https://www.t-mobile.com/devices/timex-familyconnect-kids-

smartwatch (last visited Sept. 30, 2021).

Data-Sharing and Marketing Choices: Advertising and Analytics, T-MOBILE, https://www.t-mobile.com/privacy-

center/education-and-resources/advertising-analytics (last visited Sept. 30, 2021).

GOOGLE FIBER, https://fiber.google.com (last visited Sept. 30, 2021).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

primarily an online advertising company—which accounted for 28.9% of all digital

advertisement revenue in the United States in 2020.

In contrast to traditional ISP “pipes”

entering the content and advertising space, this is an example of an internet advertiser entering

the ISP space.

As this list demonstrates, many of the ISPs in this study are not simply providers of internet

connectivity; they are technology giants. To put the size of these technology giants in perspective, in

2021, Google Fiber’s parent company, Alphabet ranked 21st on the Fortune 500, generating $182 billion

in revenues; AT&T ranked 26th on the Fortune 500, generating over $171 billion in revenue; Verizon

ranked 45th generating $128 billion; Comcast ranked 64th with $103 billion; and Charter ranked 230th

with $48 billion.

T-Mobile is partly owned by German company Deutche Telekom and is therefore

not on the Fortune 500 list, but it generated $116 billion in annual revenue.

The consolidation of

internet, cable, voice, content, distribution, smart devices, advertising, and analytics exemplified by

these large vertically-integrated ISPs—which represent approximately 98.8% of the mobile internet

market—has increased the volume of information they are capable of collecting about consumers,

improved their insight into consumers’ behaviors, and strengthened the persistence of identifiers capable

of tracking users across platforms and assets, as described further below.

IV. Information Obtained From Our Study

The following chart demonstrates the range of products and services offered by many of the ISPs

in our study:

Alexandra Bruell, Amazon Surpasses 10% of U.S. Digital Ad Market Share, WALL ST. J. (Apr. 6, 2021),

https://www.wsj.com/articles/amazon-surpasses-10-of-u-s-digital-ad-market-share-11617703200

Other examples of technology platforms entering the internet-access market include Amazon’s Project Kuiper, Facebook’s

internet.org, and Facebook Connectivity.

Fortune 500, FORTUNE (2021), https://fortune.com/fortune500/2021/search/.

Cecilia Butini, Deutsche Telekom 4Q Earnings Rise on Higher Revenue, MORNINGSTAR (Feb. 26, 2021),

https://www.morningstar.com/news/dow-jones/202102261333/deutsche-telekom-4q-earnings-rise-on-higher-revenue

(“For

the whole of 2020, revenue amounted to EUR101 billion, up from EUR80.53 billion the previous year.”).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

FIGURE 1: PRODUCTS AND SERVICES OFFERED BY ISPS

This section discusses how many of the ISPs in our study collect and use information to provide

(1) core ISP services to consumers (internet, voice, video), (2) other services to consumers (e.g., IoT,

content), (3) advertising, and (4) other services to businesses.

A. Core Services

In order to provide core internet, TV, and voice services to consumers, many of the ISPs in our

study must collect a variety of information about their subscribers. For example, there is a trend in the

ISP industry to collect personal information during registration, including name, contact information,

and billing information, in order to provide the requested services. They also collect dates of birth and

government-issued identification information to verify identities and conduct credit checks. Subscribers

are able to subsequently edit or update their information through online dashboards or applications

(“apps”) that many of the ISPs in our study offer to consumers.

In addition to collecting information that their customers affirmatively provide, several of the

ISPs in our study collect information passively about their customers as they browse and engage with

apps online, in order to provide internet service, connectivity and customer support. The categories of

information include the following:

• Device specifications (e.g., media access control (“MAC”) addresses; device serial numbers,

device type, operating system): Many ISPs in our study collect information about

consumers’ devices to authenticate, authorize, and connect devices to their networks.

• Service usage information (e.g., session detail records, volume of traffic sent/received,

speeds): A significant number of ISPs in our study collect broadband usage information,

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

such as volume of traffic sent/received and session detail records for metering and billing

purposes, and in order to manage data caps associated with the customer’s plan.

• Browsing information (e.g., domain-level and sub-domain level URLs): Several ISPs in

our study collect and use internet protocol (“IP”) address and the URLs consumers enter in

their browsers to send and deliver internet traffic to consumers’ devices.

• Location data: Some ISPs collect location data in connection with providing

telecommunication services and emergency 911 support. One Order Recipient stated that it

uses device location information to determine whether network signal strength is low in

specific geographic locations or whether it has sufficient bandwidth to serve all consumers in

an area.

Some of the information many of the ISPs in our study collect from consumers—whether

actively or passively—may be shared with service providers to provide core services. For example, an

ISP may share a subscriber’s name and address with a service provider in order to install home internet

or assist with customer service calls. There is a trend in the ISP industry to include contractual

provisions which limit the use of such information solely for the purpose of providing the service. Many

ISPs in our study further prohibit these vendors from using such information for other purposes or

further disclosing the information they receive to other parties.

Also, there is a trend in the ISP industry to use the information ISPs collect from consumers for

ancillary purposes, such as:

• To comply with legal obligations, law enforcement requests, and court orders. For example,

in response to search warrants, several ISPs in our study might be required to provide law

enforcement with personal information about consumers, such as real-time or historical

location information.

• For fraud detection and security purposes. Many of the ISPs in our study use consumers’

names, telephone numbers, location information, device information, persistent identifiers,

and mobile broadband usage information to prevent fraud and ensure the security of

customer devices connected to the ISP’s network. For example, several ISPs in our study use

location information or information about the number of devices on a consumer’s network to

detect and prevent botnets or other malicious activities. Likewise, if an ISP receives a report

or detects that someone is engaging in a distributed denial of service (“DDoS”) attack via a

customer’s IP address, the ISP may review the customer’s usage information, principally

with respect to the volume of traffic produced by that customer, to determine whether the

volume suggests a DDoS attack is occurring. If so, the ISP may notify the customer or block

these transmissions where warranted.

• For product development and testing. For this purpose, a significant number of ISPs in our

study might collect personal information about how consumers use certain features or new

equipment.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B. Other Services Offered to Consumers

In addition to providing internet services, many ISPs in our study—either directly or through

their parents or affiliates—offer a range of other products and services to consumers through which they

collect consumers’ personal information. This range of products includes the following:

• TV and video streaming services (many of the recipients);

• Email services, either owned or white-labeled (many of the recipients);

• Home automation and security products (a significant number of the recipients);

• TV, video, and film content and production (a significant number of the recipients);

• Additional digital content (a few of the recipients);

• Connected car services, such as in-car entertainment or safety services (at least three

recipients);

• Connected wearables (at least three recipients);

• Map apps (at least three recipients);

• Search engines (at least two recipients);

• Conferencing services (at least two recipients);

• Theme parks and resorts (at least two recipients); and

• Autonomous vehicles, virtual reality products, cloud services, and voice assistants (at

least one recipient).

In offering these services to consumers, these entities collect much of the same personal

information that many of the ISPs in our study collect to provide their core services: contact, billing,

device usage, location, and performance information. But these entities also collect additional

information from consumers to provide these other products and services. For example, companies that

offer TV and video streaming services collect information such as title of the program or movie viewed,

type of streaming content, duration of viewing, and viewing start and stop times. Companies that offer

home security and automation collect information such as dwelling type, security activity and events,

lighting type and energy usage, temperature readings, and alarm start and end times. Companies in the

connected car space can collect location information and driver behavior information (e.g., vehicle

speed, hard braking, and fuel efficiency). In addition to using this information to provide services that

consumers request, the companies can use the information to offer roadside assistance and communicate

with critical infrastructure and other vehicles on the road for safety purposes.

Although one ISP specifically disclaimed combining consumer data collected through its ISP

services with these other services, three of the ISPs in our study revealed that they combine information

they receive from consumers across their core services and at least some of their other services.

Because of study limitations, we could not ascertain how much data was pooled or for what specific

purposes, but ISPs have the capability to combine personal information gained from their status as ISPs

with personal information gained from their or their parents’ or affiliates’ status as email providers,

search engines, ecommerce marketplaces, and distributors of connected products. This can include

Several of the ISPs in our study described access restrictions they placed on the use of data across products.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

information such as search queries, call details, email communications, purchase information, and

location.

C. Advertising Services

Advertising-driven surveillance of consumers’ online activity presents serious risks to the

privacy of consumer data. A previous FTC staff report addressed the practices of traditional ad

networks and edge providers—that is, entities that provide content, applications, services, and devices

accessed over the internet—in collecting, using, and deriving data from and about consumers for

advertising purposes.

Our study of the ISP’s practices demonstrates that many of the ISPs in our

study, like traditional ad networks and edge providers, also actively surveil consumers for advertising

purposes. Below we discuss the ways that many of the ISPs in our study collect and use consumers’

personal information for advertising services, and how such practices may impact negatively the privacy

of consumer data.

ISPs generally obtain consumer information from a variety of sources. First, they obtain

personal information from the consumers themselves. As described above, many ISPs in our study

collect a host of information from their customers to provide the services they request, and they

generally use some of this data for advertising purposes. Some ISPs even collect additional data from

their customers that is not necessary to provide ISP services, in order to enhance their ability to

advertise. For example, several ISPs collect information about consumers’ app usage history for

advertising purposes. Some of these ISPs do not need this information to provide their ISP services.

Other ISPs might need to collect certain data to perform ISP functions, but may also keep this data for

longer than is strictly necessary, so that they can use it for advertising purposes. An example of this is

web-browsing data. Two of the ISPs in our study stated that they use web-browsing information to

target ads to consumers, and another reserves the right to use such information for advertising purposes.

In contrast, two of the ISPs in our study specifically stated that they do not employ app usage history or

web-browsing data for advertising purposes.

Second, there is a trend in the ISP industry to buy consumer information from third party data

brokers, which many ISPs in our study use for advertising purposes. One reported using data from data

brokers to market their own products to new customers only. For example, they might get lists of new

homeowners in a particular geographic area. A sizable number of the ISPs in our study also buy data

from data brokers about their existing customers. For example, an ISP might send the data broker

subscriber names and addresses, which the data broker would then append with demographic

information (e.g., gender, age range, race and ethnicity information, marital status, parental status) and

See, e.g., FED. TRADE COMM’N, CROSS-DEVICE TRACKING: AN FTC STAFF REPORT (Jan. 2017) [hereinafter CROSS-DEVICE

TRACKING], https://www.ftc.gov/system/files/documents/reports/cross-device-tracking-federal-trade-commission-staff-

report-january-2017/ftc_cross-device_tracking_report_1-23-17.pdf. See also Press Release, Fed. Trade Comm’n, FTC Issues

Orders to Nine Social Media and Video Streaming Services Seeking Data About How They Collect, Use, and Present

Information (Dec. 14, 2020),

https://www.ftc.gov/news-events/press-releases/2020/12/ftc-issues-orders-nine-social-media-

video-streaming-services (noting that the FTC has issued orders to large platform providers to understand how they collect,

derive, and use consumer data).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

interest data (e.g., hiking, biking, gardening, bodybuilding, high-end spirits) for those subscribers. Or,

for those ISPs that do not want to share their customers’ names and contact information with third-party

data brokers, the ISP might send persistent identifiers (e.g., cookies, advertising identifiers, or hashed or

encrypted account numbers or telephone numbers) associated with their subscribers to third party

“matching services.” These matching services then sync these identifiers with similar identifiers they

receive from other sources and provide the list of identifiers to the ISP. Once the ISP has the synced list

of identifiers, the ISP can then check with data brokers to request demographic and interest data

associated with all of those identifiers, without sharing consumers’ name and contact information.

The graphic on the following page represents how multiple ISPs in our study exchange

information with third parties for advertising purposes. Through this system, not only are many of the

ISPs in our study able to learn extremely specific demographic and interest categories about their

subscribers, but the third parties are able to build complex profiles of consumers based on information

they get from various sources and, in turn, sell the information to a variety of business customers.

Although many of the ISPs in our study represent that they deindentify or anonymize this data, there is a growing debate

about the efficacy of these tools and methods by which such data may be reidentified. See, e.g., Luc Rocher et al., Estimating

the Success of Re-Identification in Incomplete Datasets Using Generative Models, 10 N

ATURE COMMC’NS 3069 (2019);

Arvind Narayanan & Edward W. Felten, No Silver Bullet: De-identification Still Doesn’t Work, P

RINCETON UNIV. (July 9,

2014), https://www.cs.princeton.edu/~arvindn/publications/no-silver-bullet-de-identification.pdf; M.A. Rothstein, Is

Deidentification Sufficient to Protect Health Privacy in Research?, 10 AM. J. BIOETHICS 3–11 (2010); Paul Ohm, Broken

Promises of Privacy: Responding to the Surprising Failure of Anonymization, 57 UCLA L. REV. 1701 (2010).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

FIGURE 2: INFORMATION EXCHANGE BY ISPS IN THE STUDY

The third source of consumer information that some ISPs in our study use for advertising is

property managers. At least one ISP reported obtaining the names and address of potential subscribers

who have moved into or within its service area directly from these property managers.

There is a trend in the ISP industry to use the information ISPs collect directly from consumers

and through third parties to market the ISPs’ own products and services. A sizable number of ISPs in

our study market third-party products and services, as explained below.

1. Marketing Their Own Products and Services

Several of the ISPs in our study use the information they collect to market products and services

to both new and existing customers. As to new customers, ISPs may have information about these

customers that they have themselves provided to the ISP. For example, a prospective customer may go

to the ISP’s website, share their contact information in the course of seeking to subscribe to the ISP’s

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

services, but then not complete the subscription process. In that instance, the ISP may still retain their

contact information, and later use that information to advertise to them. Many of the ISPs in our study

also use data from data brokers to target ads to new customers, for example, by asking for information

about new homeowners in a particular zip code. In addition, an ISP may use a former customer’s

contact information and other information—such as the products and services they subscribed to

previously—in combination with information from data brokers to send general and targeted

promotional communications for their products and services.

A significant number of the ISPs in our study also report marketing their own products and

services to existing customers. This could include advertising upgrades for products that a consumer

already has. For example, an ISPs can send an ad promoting an upgraded plan to customers who have

exceeded their allotment of minutes or data use. It could also include advertising for different product

lines. An ISP can also combine contact (e.g., name, address, and email), device (e.g., IP address), and

internet usage information (e.g., total amount of monthly gigabytes consumed) with demographic

information (e.g., likelihood that customer will move in the future) received from data brokers to

develop propensity models that determine the likelihood that that the ISP’s subscriber would be

interested in additional ISP-branded products or services, such as an internet-connected home security

service.

Several of the ISPs in our study market their own products in a variety of ways, including the

following:

• Traditional advertising in local publications and on signs (e.g., pole, car, and flyers) posted or

distributed to households within the ISP’s footprint;

• Direct mail marketing to current residents of homes and small businesses located within their

service area, or to existing subscribers;

• Door-to-door sales;

• Operation of retail locations in their service areas;

• Sales events. For example, one ISP hosts events at community centers or homeowner

association meetings in neighborhoods within its existing or prospective service footprint;

• Online advertising on third-party sites like Facebook, Zillow, and Nextdoor, which permit

audience targeting at the zip code level;

• Ads on their own websites;

• Email marketing, targeting consumers who have signed up to receive additional information

on their websites, in a store, at one of their events, or through other avenues; and

• Partnerships with potential referrers. For example, one ISP gives apartment managers

promotional materials when its services are available in their buildings.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

2. Advertising Third-Party Products and Services

Over the years, traditional advertising networks and edge providers have touted the benefits of

targeted advertising, including free content and personalized ads of value. However, as we have seen

more recently, targeted advertising can also lead to pernicious bias, resulting in large segments of the

population being stereotyped and denied access to key opportunities based on protected characteristics.

Like traditional advertising networks and edge providers, many of the ISPs in our study engage

significantly in targeted advertising and their practices raise bias and equity concerns.

Several of the ISPs in our study serve targeted ads across the internet on behalf of third parties.

Either directly or through affiliates, they use cookies, beacons, pixels, and tags on a consumer’s browser,

or they use device identifiers, mobile software development kits (“SDKs”), or similar technologies on a

consumer’s mobile device.

They buy demographic and interest information from data brokers and

then combine this information with additional information about ISP subscribers to place these

subscribers into segments. These segments often reveal sensitive information about consumers.

Examples of such segments include “viewership-gay,” “pro-choice,” “African American,”

“Assimilation or Origin Score,” “Jewish,” “Asian Achievers,” “Gospel and Grits,” “Hispanic Harmony,”

“working class,” “unlikely voter,” “last income decile,” “tough times,” “investor high-value,” “FEC-

avg donation,” “seeking medical care,” and “Political Views – Democrat and Republican.” Appendix B

provides an illustrative list of segments provided by the ISP Order Recipients. These categories allow

advertisers to target consumers by their race, ethnicity, sexual orientation, economic status, political

affiliations, or religious beliefs, raising questions about how such advertising might (1) affect

communities of color, historically marginalized groups, and economically vulnerable populations, or

(2) reveal sensitive details about consumers’ browsing habits.

See, e.g., Sec’y of Hous. & Urban Dev. v. Facebook, Inc., No 01-18-0323-8, 1, Charge of Discrimination, FHEO No. 01-

18-0323-8 (Mar. 28, 2019), https://www.hud.gov/sites/dfiles/Main/documents/HUD_v_Facebook.pdf

Staff found that several of the ISPs in our study have acquired advertising platforms to improve their affiliate and in-house

digital advertising capabilities. While some ISPs in our study consolidated advertising services internally, others engaged in

digital advertising through wholly-owned advertising affiliates.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

FIGURE 3: HOW ISPS CREATE IBA PROFILES

Several of the ISPs in our study have the ability to target consumers on a granular basis, because

unlike many other entities, these ISPs have access to each of the websites a consumer visits, and they

can target based on subscriber information. Indeed, at least three ISPs report combining consumers’

personal information, app usage information, and/or browsing information for advertising purposes.

This enables them or their affiliated ad networks to display highly personalized and targeted

advertisements through extremely detailed and granular segments. Notably, unlike traditional ad

networks whose tracking consumers can block through browser or mobile device settings, consumers

cannot use these tools to stop tracking by these ISPs, which use “supercookie” technology to persistently

track users.

A supercookie is a type of tracking cookie that the user cannot delete. Craig Timberg, Verizon, AT&T Tracking Their

Users with ‘Supercookies’, W

ASH. POST (Nov. 3, 2014), https://www.washingtonpost.com/business/technology/verizon-

atandt-tracking-their-users-with-super-cookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html (explaining

that consumers cannot erase these supercookies or evade them by using browser settings).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A sizable number of ISPs in the study sell and/or facilitate the sale of third-party advertising on

video services, such as cable or satellite television and streaming services. The two primary types of

video advertising services are:

• Data Driven Linear: The ISP or affiliate uses viewing data to identify the programming in

which the advertisement should be shown to reach the advertiser’s desired audience. Under

this model, everyone who watches the program at the designated time will see the same

advertisement.

• Targeted or Dynamic Advertising: The ISP or affiliate facilitates the delivery of

“addressable” video advertising—i.e., advertising tailored to the inferred interests of the

households or individual viewers. Under this model, different viewers of the same program

may see different advertisements.

For targeted or dynamic advertising, advertisers can pick out audience segments based on

demographic factors. They can also specify segments based on real-time viewing information; for

example, a segment can be as simple as subscribers who live in a specific zip code and are watching a

particular program at a particular time. Other custom segments are based on historical viewing patterns,

such as subscribers within a particular zip code who the ISP or its affiliate is able to identify as repeat

viewers of a particular program. At least one ISP noted that in very few instances, advertisers have

provided it with specific addresses, email addresses, or names that the advertiser would like to reach.

Finally, several of the ISPs and affiliated entities in our study report providing “cross-screen”

services that help advertisers reach consumers across their various devices (e.g., smartphones and

television sets). These services essentially combine the ISP’s online ad delivery and video advertising

services within a single campaign. These types of campaigns rely on the ISP’s ability to link advertising

identifiers across devices. Indeed, the ISP can determine, through its own customer data or that of data

brokers, that certain advertising identifiers for multiple browsers and mobile devices are part of the same

household.

3. Other Services Offered to Businesses

Several of the ISPs and affiliates in our study also provided reports to business customers based

on aggregated and/or de-identified information about their customers unrelated to their digital

advertising business. Notably, these ISPs—particularly those that offer mobile services—are uniquely

able to leverage location information in connection with their aggregated business insight reports. For

example, using location information, one ISP reports that it might tell a retailer that 35% of visitors to a

particular store are Hispanic-Latino with household incomes between $40K–74.5K.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

FIGURE 4: SAMPLE ISP AGGREGATED REPORT

While the above is an example of an aggregated report, the trend among our mobile ISP Order

Recipients was to offer real-time location data about specific subscribers to their third-party customers.

The purposes for this sharing included emergency roadside assistance, emergency medical assistance,

bank fraud prevention, workforce/employee/fleet management, law enforcement and house arrest

monitoring, and proximity marketing (e.g., sending a Starbucks ad to a person standing in front of

Starbucks). But in 2018 and 2019, news outlets reported that in addition to these purposes, subscribers’

real-time location data was also being accessed by car salesmen, property managers, bail bondsmen,

bounty hunters, and others without reasonable protections or consumers’ knowledge and consent.

2019, prior to receipt of our Order, each of the mobile internet Order Recipients had terminated access

to these third-party location based services. In 2020, the FCC found these entities to be apparently liable

for violating the Communications Act and proposed over $200 million in fines.

Joseph Cox, Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years,

OTHERBOARD (Feb. 6, 2019), https://www.vice.com/en/article/43z3dn/hundreds-bounty-hunters-att-tmobile-sprint-

customer-location-data-years; Joseph Cox, I Gave a Bounty Hunter $300. Then He Located Our Phone, MOTHERBOARD (Jan.

8, 2019), https://www.vice.com/en/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-

tmobile; Jennifer Valentino-DeVries, Service Meant to Monitor Inmates’ Calls Could Track You, Too, N.Y. TIMES (May 10,

2018), https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html.

The FCC’s enforcement action was based on the companies’ wireless phone services, which are subject to Section 222 of

the Communications Act. See Press Release, Fed. Commc’ns. Comm’n, FCC Proposes over $200M in Fines for Wireless

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

4. Contractual Limitations on Use and Sharing

The contracts between many of the ISPs in our study and non-affiliated third parties impose

contractual limitations on the use of consumers’ personal information.

100

For example, when sharing

personal information for fraud prevention purposes or to check an applicant’s credit, an ISP might limit

the use of the data for these purposes and prohibit downstream sharing of such data. When sharing

consumers’ personal information with data brokers, the contracts generally appear to prohibit further

disclosure of such information. Finally, many of the ISPs in our study must share limited types of data

with other participants in the ad-tech ecosystem. For example, an ISP must bill advertiser customers

based in part on the number of ads delivered to particular audiences. In doing so, it must send those

customers itemized cookie and advertising identifiers regarding the ads served. In these cases, several

of the ISPs in our study typically prohibit their advertiser customers from re-identifying such data or

using such data for any purpose other than analytics regarding the advertising campaigns. Conversely, a

significant number of these ISPs also receive cookie IDs and similar identifiers from unaffiliated third

parties. The contracts between many of the ISPs in our study and these advertisers usually provide that

the ISPs may only use the consumer data it receives from the advertiser for the purpose of delivering ads

on the advertiser’s behalf.

Many of the ISPs in our study do not appear to have contracts in place with these ad networks as

to how they can or cannot not use the data. Rather, several ISPs in our study simply state that any

sharing between them and their advertising affiliates is governed by the ISP’s privacy policy, which

permits the combination and exchange of information between similarly-branded affiliate entities,

subject to consumers’ opting out.

D. Privacy Practices

This section discusses the privacy practices of many of the ISPs in our study. It covers the

following categories: (1) Opacity; (2) Illusory Choices; (3) Lack of Meaningful Access; (4) Data

Retention and Deletion; and (5) Accountability.

1. Opacity

Several of the ISPs in our study promise consumers that they “will not sell your personal

information,” providing an impression that their information will not be used or transferred for

unanticipated purposes. Many of these ISPs give insufficient information to consumers regarding the

myriad of ways that their data can be used, transferred, or monetized outside of selling it, often burying

such disclosures in the fine print of their privacy policies. The privacy policies for several of the ISPs in

our study reserve extremely broad rights as to how they will use consumer data, essentially permitting

Location Data Violations (Feb. 28, 2020), https://www.fcc.gov/document/fcc-proposes-over-200m-fines-wireless-location-

data-violations.

100

The information obtained in the study is limited to the contractual provisions themselves. Because we do not have

information about how many of these ISPs enforce of these provisions, we cannot independently verify how or whether they

are enforced.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

these ISPs to use consumer data for virtually any purpose. Although many of the ISPs in our study

make promises not to sell consumers’ personal information, consumers may not understand the process

through which these ISPs buy consumer information from data brokers, use it to infer additional

information about them, categorize them into segments, and serve targeted ads to them on behalf of

third-parties. In addition, three of the ISPs in our study reserved the right to share their subscribers’

personal information with their parents and affiliates, which seems to undercut the promises not to sell

personal information.

To the extent that some ISPs in our study make promises to consumers about the collection, use,

and disclosure of data and their privacy choices, those promises appear on dedicated “Privacy Center”

pages or privacy policies. Visits to the privacy policies average between 0.55% to 6.7% of total

subscribers, depending on the ISP. The following table, for example, represents the percentage of total

subscribers that visit the privacy policies of many of the ISPs in our study.

101

FIGURE 5: PRIVACY POLICY VIEWS BY CONSUMERS

2. Illusory Choices

There is a trend in the ISP industry to purport to offer consumers some choices with respect to

the use of their data, but in reality these choices can be illusory. These choices may include the right to

101

One ISP experienced substantial privacy policy views due to automated collection and bots and, as such, was omitted from

the table at Figure 5.

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Lowest ISP 2nd 3rd 4th Highest ISP

by ISP

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

opt out of communications from the ISP (such as through voice, text message, email, and physical mail);

analytics; affiliate sharing; interest-based advertising; cross-channel advertising; and, for

telecommunications services, the use of Customer Proprietary Network Information for marketing of the

ISP’s own communications.

102

However, problematic interfaces can result in consumer confusion as to

how to exercise these choices, potentially leading to the low opt-out rates we observed from many of the

ISPs in our study.

First, the intersection of these choices with the CCPA requirement that companies include a “Do

Not Sell” button on their home page is confusing. One of the ISPs in our study stated that it does not

sell consumers’ personal information; thus, it does not offer an opt out of sale under California law.

Conversely, other ISPs state that they do not sell consumers’ personal information, but still offer a “do

not sell” option, which, if clicked, provides consumers with different privacy options. Given the

disclosure that these ISPs do not sell their personal information, or the fact that consumers do not fully

understand what it means for an ISP to “sell” their personal information, it is unclear why a consumer

would click on the “do not sell” option to get to their privacy choices.

Second, in many instances, a few of the ISPs in our study made the process of selecting privacy

choices complicated. For example, in order to exercise choices, one ISP Order Recipient requires users

to:

1. sign in;

2. select their account dashboard;

3. select one of the “ad preferences” at the bottom of the page;

4. select an additional “advertising preferences” tab, which directs them to the privacy page;

5. select a “control your data” tab at the bottom of the page; and

6. select “manage your privacy and communication settings” which directs them to the “your

personal information, in your hands” page.

Other ISP Order Recipients spread out multiple choices across multiple tabs and sections. For

example, one ISP Order Recipient required consumers to make as many as nine selections to fully

protect the privacy of their personal information. These settings, each residing in a separate tab,

included:

• “Audience Measurement,”

• “Digital Advertising,”

• “Video Advertising,”

• “Affiliate Sharing,”

• “Interested-Based Advertising,”

• “Social Media,”

• “Mobile and Website Analytics,”

102

Also pursuant to FCC Rules, in their provision of telecommunication services, all ISPs are required to obtain opt-in

approval to use CPNI for purposes other than marketing the ISP’s own communications. 47 C.F.R. § 64.2001–2011 (2021).

CPNI means information that relates to the quality, technical configuration, type, destination, location, and amount of use of

a telecommunication service; and billing information pertaining to telephone service. See also 47 U.S.C. § 222 (2018).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

• “Calls, Mail Advertising, and In-Person Solicitation,” and

• “Marketing and Special Other Emails.”

To fully exercise their privacy intention, a consumer would have to adjust their settings in each

and every section. And in many cases, the disclosures next to consumers’ opt-out choices often

contained lengthy descriptions.

Third, it can be cumbersome to exercise choices. Rather than allowing consumers to opt out of

the use of their contact information, two of the ISP Order Recipients required consumers to manually

enter each phone number, email address, and physical address that they wish to opt out. Relatedly, some

ISPs require consumers to make privacy selections on a per device basis.

Finally, changing options can make it difficult for consumers to exercise their privacy intentions.

One ISP Order Recipient required consumers who wanted to sign up for its reward program to opt in to

the use of their sensitive browsing history and location information for targeted advertising. This ISP

has since stopped this practice and consumers may now sign up for its rewards without signing up for

targeted advertising or giving up their sensitive location and browsing information. However, the ISP

never told consumers they could participate in the rewards program without sharing their sensitive data.

As a result, many consumers that had previously signed up for this ISP’s rewards program likely

continue to have their browsing history and location information used for targeted advertising purposes.

Given the confusing nature of the choices, it is not surprising that opt-out rates generally are low,

typically less than 2% of total subscribers. Interestingly, however, one ISP in our study had an opt-out

rate for targeted video advertising of approximately 20%. Notably, the opt out was presented in a more

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

simple, clear, and prominent manner than the opt outs presented by other ISPs, with no extraneous or

distracting text.

FIGURE 6: TARGETED ADVERTISING OPT-OUTS

3. Lack of Meaningful Access

Although many of the ISPs in our study purported to offer consumers access to their information,

this offer is largely illusory, given that the information is either indecipherable or nonsensical without

context. As such, it is unsurprising that the number of access requests remains low: generally, the ISPs

in our study reported monthly access requests between zero and 380.

Many of the ISPs in our study provide consumers with access to some of their own personal

information through three primary means: (1) online account dashboards, where consumers log in to

manage their accounts; (2) monthly billing statements; and (3) in response to online access requests,

which vary widely from ISP to ISP.

Through online account dashboards, consumers are able to review information about their

accounts and billing history. The types of information available to consumers is limited and does not

provide them a complete picture of all the types of personal information that an ISP might have

collected about them or their households. Through an online account dashboard, a consumer might see

that the ISP has some basic information on them, such as their name, email and physical addresses, and

phone number. The consumer may also be able to find some information on their plan and past billing

history.

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

During 2019

(ISP 1)

During 2019

(ISP 2)

During 2019

(ISP 3)

Total as of late

2019

(ISP 4)

Total as of late

2019

(ISP 5)

Percent of Subscribers Opting Out of 3rd Party

Targeted Advertising by ISP, 2019

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

Similarly, consumers might receive monthly billing statements from their ISP via email or mail.

In addition to monthly fees and balances, these statements might also provide information to consumers

about their plans, products, services, internet usage activity, and the ISP’s privacy policy. Similar to

online account dashboards, the information provided to consumers is limited.

Finally, some of the ISPs in our study provide some consumers access to their personal

information through online access requests. The CCPA requires that companies, upon request, provide

consumers with access to their information, such as the categories and specific pieces of personal

information they have collected.

103

Most of the ISPs in our study solely limit access rights to California

consumers. Only two of the ISPs in our study have expanded access rights to all U.S. consumers. Even

for companies that allow all U.S. consumers to request access to their personal information, the number

of access requests is generally low.

The types of information available to consumers through an access request varied widely. Some

ISPs in our study provide consumers highly granular information including contact information, billing

information, demographic information, inferences made about consumers and their households, and

information obtained from other products and services. One ISP not only lists specific background and

demographic information, but provides concrete examples of inferences the ISP makes (e.g., “Low

Likelihood to Add internet” but “High Likelihood to Add TV”). Similarly, one ISP allows consumers to

see the segments associated with the cookies on their browser. However, some fields are quite opaque

and do not provide any information about what the ISP knows. For example, an ISP might label

“Religion Code” as “54,” “Race Code” as “W,” “Heritage Code” as “23,” and “Zip+4 US consumer

Segment” as “N.”

Other ISPs in our study provide consumers less granularity. For example, one ISP notes simply

that it collects and/or uses personal information from websites, apps, or other public sources, without

detailing the personal information or the types of websites, apps, or public sources that have access to

such information.

4. Data Retention and Deletion

Several of the ISP Order Recipients hold data pursuant to record retention schedules, asserting

that they only keep the information as long as it is needed for a business reason. An ISP Order

Recipient has the ability to define (or leave undefined) what constitutes a business reason, giving them

virtually unfettered discretion. For those that provide time frames, those frames seem to vary widely.

For example:

• One ISP in our study deleted logs of the websites consumers visited every twenty-four hours,

another kept the same logs for thirty-five days, and yet another kept the logs for one year.

• Some ISPs in our study retain consumers’ demographic information for up to two years, while

others in our study retain that same data for three years. This means that many ISPs in our study

103

CCPA, CAL. CIV. CODE § 1798.110 (2018).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

may retain demographic information about their customers for years after consumers have

terminated the relationship with their ISP and no longer use their services.

• Some ISPs in our study pass on consumer information to their affiliated ad networks, which do

not delete the data at the end of the specified retention period. Instead, they deidentify or

anonymize that data,

104

and then keep that data for an additional period of time, ranging from

two years to indefinitely.

Following enactment of CCPA, California residents have the right to delete their personal

information.

105

As with access requests, some of the ISPs in our study purport to extend this right to all

U.S. consumers, while others restrict the deletion right to California residents.

Generally, we found that deletion requests are low given the total number of the ISPs’

subscribers. In the numbers provided by many of the ISPs in our study, the range of reported deletion

requests by U.S. consumers in any month for any ISP ranged from 0 to 322.

5. Accountability

It is common practice in the ISP industry to have designated privacy officers or similar staff to

be responsible for administering company-wide privacy programs, or at the very least, for reviewing,

validating, and approving decisions relating to the use of personal data. In addition, at least one ISP in

our study conducts risk assessments associated with any third-party relationships. Many of the ISPs and

their affiliates in our study appear to rely on staff to conduct privacy assessments prior to launching new

products and services or modifying existing programs.

106

104

Typically, many of the ISPs in our study deidentify data by removing internal and external identifiers, such as location

information, telephone numbers, device identifiers, advertising identifiers, IP address information, usage information,

demographic data, cookies, and mobile browsing information. They generally aggregate the data into large groups (hundreds

of thousands of users); use generalization techniques (e.g., using age bands like 30-40, generalizing dates to a year (1982) or

a time range (the 1990s)). They may also remove outliers. For example, if there is an outlier on ages of individuals over 90,

then all ages from 80 and higher could be combined into the 80+ range while still leaving the other ages intact. They also

typically hash, salt, and encrypt the data.

105

CCPA, CAL. CIV. CODE § 1798.105.

106

While staff received generalized responses about ISPs’ privacy assessment programs, staff does not opine on the

thoroughness or adequacy of any specific program.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

V. Observations

A. Many ISPs in our Study Amass Large Pools of Sensitive

Consumer Data

Many of the ISPs in our study and their affiliates collect significant amounts of consumer

information across the range of products and services that they offer.

107

In terms of the sheer volume of

information, one recipient reported that it has over 370 million direct consumer relationships, across its

mobile, pay TV, broadband, and digital properties.

108

Another reported serving one trillion ad requests

monthly.

109

A third ISP reported offering home security and home automation services to 15 million of

its subscribers.

110

The vertical integration of ISP services with other services like home security and automation,

video streaming, content creation, advertising, email, search, wearables, and connected cars permits not

only the collection of large volumes of data, but also the collection of highly-granular data about

individual subscribers.

111

As noted above, a sizable number of the ISPs in our study combine their

107

The FCC has previously found that BIAS providers are gatekeepers to the internet, and as such collect an unprecedented

breadth of personal information about consumers. See Rules to Protect Broadband Consumer Privacy, 81 Fed. Reg. 87274,

87333 (Nov. 2, 2016) (“Based on our review of the record, we reaffirm our earlier finding that a broadband provider ‘sits at a

privileged place in the network, the bottleneck between the customer and the rest of the internet’—a position that we have

referred to as a gatekeeper. As such, BIAS providers can collect ‘an unprecedented breadth’ of electronic personal

information.”).

108

AT&T INC., ANNUAL REPORT 10-K (2019), https://investors.att.com/~/media/Files/A/ATT-IR/financial-reports/annual-

reports/2019/complete-2019-annual-report.pdf (noting that it has 370 million direct consumer relationships across mobile,

pay TV, broadband, and digital properties, including CNN Digital and Bleacher Report).

109

Todd Spangler, Tim Armstrong Unveils Oath: AOL-Yahoo Combo Is as Big as Netflix and Looking to Expand, VARIETY

(June 19, 2017), https://variety.com/2017/digital/news/tim-armstrong-aol-yahoo-oath-netflix-1202470016/

(noting that the

combined AOL and Yahoo properties reach about 1.3 billion users monthly, and serve 1 trillion monthly ad requests).

110

COMCAST CORP., supra note 74, at 4; see also Dean Takahashi, Comcast is Bringing Home Automation to 15 Million

Xfinity Customers, V

ENTURE BEAT (Jan. 10, 2018), https://venturebeat.com/2018/01/10/comcast-is-bringing-free-home-

automation-to-15-million-xfinity-customers (noting that Comcast brings internet or cable TV services to 29 million

customers, and provides home automation services to 15 million of its customers).

111

See e.g., Geoff Colvin, AT&T Has Become a New Kind of Media Giant, FORTUNE (May 21, 2019),

https://fortune.com/longform/att-media-company/

(“Adding strength to the whole proposition is AT&T’s unique aggregate

customer data trove and its value in addressable advertising over DirecTV and AT&T’s direct-to-consumer streaming

services; ads can also be directed less precisely through the former Turner networks. ‘Say you and your neighbor are both

DirecTV customers and you’re watching the same live program at the same time,’ says Brian Lesser, who oversees the vast

data-crunching operation that supports this kind of advertising at AT&T. ‘We can now dynamically change the advertising.

Maybe your neighbor’s in the market for a vacation, so they get a vacation ad. You’re in the market for a car, you get a car

ad. If you’re watching on your phone, and you’re not at home, we can customize that and maybe you get an ad specific to a

car retailer in that location.’”); Jeff Chester, AT&T, Comcast & Verizon Expand ‘Big Data’ Tracking & Targeting

Consumers, C

TR. FOR DIG. DEMOCRACY (Mar. 8, 2018), https://www.democraticmedia.org/blog/att-comcast-verizon-expand-

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

customers’ information across product lines. This means a single ISP has the ability to track the

websites their subscribers visit, the shows they watch, the apps they use, their energy habits, their real-

time whereabouts and historical location, the search queries they make, and the contents of their email

communications. Moreover, several of the ISPs in our study combine the data from their subscribers

with additional information from third-party data brokers, resulting in extremely granular insights and

inferences into not just their subscribers but their subscribers’ families and households. They use this

data to create advertising segments, including segments that reveal sensitive data such as race, religion,

national origin, sexual orientation, financial status, health status, and political beliefs.

B. Several ISPs in Our Study Gather and Use Data In Ways

Consumers Do Not Expect and Could Cause Them Harm

Many of the ISPs in our study claim that consumers derive many benefits from the ISPs’

collection of consumers’ information.

112

However, while consumers certainly expect ISPs to use

information about the websites they wish to visit in providing the internet services itself, they would

likely be surprised at the extent of data that is collected, retained, and combined for purposes unrelated

to providing the service,

113

particularly in ways that could cause them harm.

114

Indeed, the collection,

big-data-tracking-targeting-consumers (“Internet service provider (ISP) giants, which dominant how Americans gain access

to broadband internet, cable TV, streaming video, and other telecommunications services, are aggressively expanding their

capabilities to gather and use personal data. Leading ISPs AT&T, Comcast and Verizon are taking full advantage of all

information flowing from PC’s, mobile phones, set-top boxes, and other devices. ISP giants are using ‘Big Data’ analytics,

artificial intelligence, and an array of cutting-edge technologies to identify who we are, what we do and how best to target us

with marketing and advertising. They are also working closely with data brokers to gain access to even more personal

information.”). But see supra note 68 and accompanying text (noting that in May 2021, AT&T announced that it would spin

off WarnerMedia and combine it with Discovery as a new standalone media company).

112

These benefits include: (1) fraud prevention and security; (2) monitoring for child pornography; (3) convenience of single

assistance, medical emergency alerts, targeting of public resources (e.g., COVID prevention resources) and bank fraud

prevention, which is made possible when ISPs share location data with government and business partners; and (5) targeted

advertising that allows consumers to be alerted to interesting products and receive coupons, discounts, and upgrades.

113

See GROUPM, CONSUMER TRUST IN DIGITAL MARKETING 15–16 (Mar. 30, 2020), https://www.groupm.com/new-groupm-

research-examines-consumer-trust-digital-marketing/ (finding that six in ten consumers globally indicated they would be less

willing to buy or use a product or service if their data were used, for example, to deliver personalized ads or suggest

personalized content). See also Bree Fowler, Americans Want More Say in the Privacy of Personal Data, C

ONSUMER

REPORTS (May 18, 2017), https://www.consumerreports.org/privacy/americans-want-more-say-in-privacy-of-personal-data-

a5880786028/ (citing a study that found that 92% of respondents said that “internet service providers, such as Comcast and

Verizon, should be required to secure permission from users before selling or sharing their data”).

114

See FED. TRADE COMM’N, BIG DATA: A TOOL FOR INCLUSION OR EXCLUSION? UNDERSTANDING THE ISSUES 9–12 (Jan.

2016) [hereinafter B

IG DATA], https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-

understanding-issues/160106big-data-rpt.pdf (noting that the collection and combination of such information can be used to

categorize consumers in ways that can result in exclusion of certain populations, leading to, among other things, the denial of

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

combination, and use practices of many of the ISPs in our study could run counter to many consumers’

preferences. Some noteworthy examples follow.

First, as noted above, at least two of the ISPs in our study combine their customers’ personal

information with their browsing history for advertising purposes. Although consumers likely understand

that their ISP requires certain information in order to connect their browser with the websites they visit,

they might not expect their ISP to log this data in order to build behavioral profiles for advertising

purposes.

115

In a recent survey, consumers ranked browsing history as among the top five most

important pieces of personal information.

116

Past survey data similarly finds that 57% of consumers are

not comfortable with advertisers using their browsing histories to serve relevant ads.

117

Second, a significant number of ISPs in our study use television viewing history for advertising

purposes. Television viewing history reveals sensitive information related to religion, sexual

orientation, health, politics, and prurient interests. Congress has recognized the sensitivity of this

information by enacting laws to protect the privacy of consumers’ television viewing activities within

their homes. For example, the Cable Privacy Act requires that cable companies seek affirmative express

consent to collect non-aggregate or identifiable information about television watching.

118

The Video

Privacy Protection Act requires consent prior to the disclosure of video watching information along with

personally-identifiable information.

119

Analogously, forty-eight states and the District of Columbia

have laws protecting the confidentiality of library records; the remaining two states have attorneys

general’s opinions protecting library users’ privacy.

120

opportunities, the creation or reinforcement of existing disparities, the exposure of sensitive information, the targeting of

vulnerable consumers for fraud, and the weakening of consumer choices).

115

See Rules to Protect Broadband Consumer Privacy, 81 Fed. Reg. 87274, 87299 (Nov. 2, 2016) (citing FED. TRADE

COMM’N, PROTECTING CONSUMER PRIVACY IN AN ERA OF RAPID CHANGE: RECOMMENDATIONS FOR BUSINESSES AND

POLICYMAKERS 56 (2012), http://ftc.gov/os/2012/03/120326privacyreport.pdf) (“While a customer may expect that the

people and businesses she interacts with will know some things about her—her bookstore will know what she’s bought by

virtue of having sold it to her—this is distinct from having her voice or broadband provider extract that information from her

communications paths and therefore knowing every store she has visited and everything she has purchased.”).

116

The Consumer Privacy Bill of Rights, GHOSTERY (July 7, 2020), https://cdn.ghostery.com/website/wp-

content/uploads/2020/07/09130032/Privacy-Bill-of-Rights-visual-report.pdf.

117

Survey Information: Americans Care Deeply About Their Privacy, CTR. FOR DEMOCRACY & TECH. (Oct. 22, 2009),

https://cdt.org/insights/survey-information-americans-care-deeply-about-their-privacy/

(citing a 2008 TRUSTe survey).

118

47 U.S.C. § 551(c) (2018).

119

18 U.S.C. § 2710 (2018).

120

See State Privacy Laws Regarding Library Records, AM. LIBRARY ASS’N, https://www.ala.org/advocacy/privacy/statelaws

(last visited Sept. 30, 2021).

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

Third, although it was beyond the scope of our study, we note that several of the ISP Order

Recipients or their affiliates offer additional services through which consumers share the contents of

their communications, including email and search. The content of email communications and search

queries can reveal communications meant to be private. These communications often include sensitive

financial, health, and children’s information.

121

Email messages are also often used to view and access

private photos, videos, audio files, and information about financial transactions, prescriptions, and

medical appointments. Numerous courts have acknowledged the sensitivity of the contents of

communications and found that citizens have a reasonable expectation of privacy with respect to these

communications.

122

If ISPs or their affiliates were to combine multiple channels of sensitive

information about content of communications, as they are capable of doing, consumers would have little

digital privacy.

Fourth, at least three ISPs in our study engage in cross-device tracking. Because the practice of

cross-device tracking is often not obvious, consumers may be surprised to find that their browsing

behavior on one device will inform the ads they see on another.

123

For example, a person who

downloads an app to lose weight may later be surprised after being targeted by ads for dietary

supplements on other devices. A teen who does not want her parents to know she is gay may be

surprised to learn that her browsing behavior on her mobile device informs ads that appear on the

household computer. A consumer could get an ad on her work computer related to an intimate or

sensitive video she watched on her personal laptop, habits revealed by her wearable device, or retail

purchases, a possibility enhanced by the current global pandemic as billions of people continue to learn

and work from home.

Fifth, there is a trend in the ISP industry to use location information for advertising purposes and

sell this data to third parties. As demonstrated in other contexts, the persistent collection and sharing of

real-time location information can reveal sensitive details about where individuals live, work, worship,

121

See, e.g., Rules to Protect Broadband Consumer Privacy, 81 Fed. Reg. 87274, 87275 (Nov. 2, 2016) (“[W]e find that

sensitive customer PI includes financial information, health information, Social Security numbers, precise geo-location

information, information pertaining to children, content of communications, web browsing history, application usage history,

and the functional equivalents of web browsing history or application usage history.”)

122

See, e.g., People v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004) (analogizing expectation of email user in privacy of email to

expectation of individuals communicating by regular mail); Quon v. Arch Wireless Operating Co., 529 F.3d 892, 905 (9th

Cir. 2008) (“[U]sers do have a reasonable expectation of privacy in the content of their text messages vis-à-vis the service

provider.”).

123

Audrey Schomer, Most Consumers are Creeped Out by Ads that Follow Them Across Devices, EMARKETER (July 23,

2021), https://www.emarketer.com/content/most-consumers-creeped-out-by-ads-that-follow-them-across-devices

(noting that

consumers do not know how cross-device tracking works and citing a study that found that 54% of U.S. consumers “felt that

ads that follow them across devices are creepy”). See generally C

ROSS-DEVICE TRACKING, supra note 93.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

and attend school.

124

For example, in 2018, a Global Heat Map, published by a fitness data company,

revealed sensitive information about the location and movements of servicemen and women in various

conflict zones.

125

Real-time location information also reveals other sensitive information and

associations, such as childcare locations, visits to drug treatment or mental health clinics, and private

meetings.

126

Consumers find their location information to be sensitive. A 2016 report by Pew Research

found that 82% of Americans view location history to be sensitive/very sensitive.

127

Other studies

support this finding.

128

Significantly, several ISPs in our study also had in place location aggregator

programs where they sold the real-time location data of their subscribers—derived from the provision of

the wireless service itself—to third-parties. Public reports found that this information ultimately ended

up in the hands of car salesmen, property managers, bail bondsmen, bounty hunters, and others without

reasonable protections,

129

generating enforcement actions by the FCC, which proposed fines totaling

over $200 million.

130

124

The Location Privacy Protection Act of 2014: Hearing on S. 2171 Before the S. Comm. on the Judiciary, 113th Cong.

(2014) (statement of Jessica Rich, Director of the Bureau of Consumer Protection, Fed. Trade Comm’n),

https://www.ftc.gov/system/files/documents/public_statements/313671/140604locationprivacyact.pdf

125

Liz Sly, U.S. Soldiers are Revealing Sensitive and Dangerous Information by Jogging, WASH. POST (Jan. 29, 2018),

https://www.washingtonpost.com/world/a-map-showing-the-users-of-fitness-devices-lets-the-world-see-where-us-soldiers-

are-and-what-they-are-doing/2018/01/28/86915662-0441-11e8-aa61-f3391373867e_story.html.

126

See generally Betsie Estes, Geolocation – the Risk and Benefits of a Trending Technology, 5 ISACA J. at 1 (2016).

127

The State of Privacy in Post-Snowden America, PEW RESEARCH CTR. (Sept. 21, 2016), http://www.pewresearch.org/fact-

tank/2016/09/21/the-state-of-privacy-in-america/. The combination of email address and location history would enable a

hacker who has an individual’s email address to find that individual’s location. While some locks may be used in a setting

where the lock is not moved—say, a tool shed—and would only provide a static address such as a home address, a lock used

for a gym locker, or a bike lock that is used for running errands or daily commuting may provide more extensive information

about an individual’s location over time.

128

See, e.g., Kostas Drakonakis et al., Please Forget Where I Was Last Summer: The Privacy Risks of Public Location

(Meta)Data, N

ETWORK AND DISTRIBUTED SYS. SEC. (NDSS) SYMPOSIUM 2019 (Feb. 2019), https://www.ndss-

symposium.org/wp-content/uploads/2019/02/ndss2019_01A-6_Drakonakis_paper.pdf (Analysis of precise geolocation

information in tweets found that after Twitter changed an “invasive privacy policy” to give users the ability not to share

precise geolocation information, users were 18.5 times less likely to include GPS coordinates in their tweets, which resulted

in a 94.6% reduction in tweets with GPS coordinates.); State of Data Privacy Survey, T

REASURE DATA (July 2019),

https://blog.treasuredata.com/wp-content/uploads/2018/12/ATD_StateOfPrivacy_Survey18.pdf (Online survey of 600 adults

found that respondents were least comfortable handing over their locations and phone numbers to companies with whom they

were doing business.); KPMG, C

ROSSING THE LINE: STAYING ON THE RIGHT SIDE OF CONSUMER PRIVACY (Nov. 2016),

https://assets.kpmg/content/dam/kpmg/ch/pdf/crossing-the-line-en.pdf (finding that less than 20% of consumers are happy to

disclose information such as their search history, income, location, address or medical records).

129

See supra note 98 and accompanying text.

130

See Press Release, Fed. Commc’ns. Comm’n, supra note 99. Unlike the FTC, the FCC has the authority to obtain civil

penalties for first-time violations under Section 503 of the Communications Act.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

Finally, the use by several of the ISPs in our study of race and ethnicity data (or proxies for such

data such as location data)

131

for advertising purposes and the sale of such data to unrelated businesses

raises concerns, particularly around the practices of “digital redlining,” in the same way that such use by

edge providers does. As early as 2013, one study showed how Google searches of Black-sounding

names yielded ads related to arrest records more often than searches of less ethnically-sounding names,

regardless of whether there was an arrest record associated with that name.

132

Similarly, reports indicate

that certain minority populations are targeted for fast food and alcohol advertisements.

133

recently, the Department of Housing and Urban Development charged Facebook, Inc. with violating the

Fair Housing Act of 1968 by allowing advertisers to restrict housing ads based on characteristics like

race, religion, and national origin.

134

On the financial side, there are concerns that minority populations

may be shown ads for less desirable financial products than their white counterparts. As these examples

demonstrate, the use of consumers’ personal information for advertising not only raises privacy concerns

but also civil rights concerns. Indeed, this form of “digital redlining” could reverse any progress on civil

rights issues if a business is able to discriminate in its advertising buys based on, for example, a person’s

color or religion, or based on a proxy that effectively discriminates against certain races or religions.

135

Even where businesses do not intend to discriminate, certain uses of consumers’ personal information

could disparately impact certain groups.

136

131

Proxy discrimination occurs when “the predictive power of a facially neutral characteristic is at least partially attributable

to its correlation with a suspect classifier.” See generally Anya E.R. Prince & Daniel B. Schwarcz, Proxy Discrimination in

the Age of Artificial Intelligence and Big Data, 105 I

OWA L. REV. 1257 (2020). The algorithms identify seemingly neutral

characteristics to create groups that closely mirror a protected class, and these “proxies” are used for inclusion or exclusion.

132

Latanya Sweeney, Discrimination in Online Ad Delivery: Google Ads, Black Names and White Names, Racial

Discrimination, and Click Advertising, 11 ACM

QUEUE 3 (2013), https://queue.acm.org/detail.cfm?id=2460278.

133

See Karen Kramer et al., Targeted Marketing of Junk Food to Ethnic Minority Youth: Fighting Back with Legal Advocacy

and Community Engagement, C

HANGELAB SOLS. (2012),

https://www.changelabsolutions.org/sites/default/files/TargetedMarketingJunkFood_FINAL_20120912.pdf

(published in

ADVANCES IN COMMUNICATION RESEARCH TO REDUCE CHILDHOOD OBESITY (Jerome D. Williams et al. eds., 2012); Alcohol

marketing in the digital age,

DIGITAL ADS, http://digitalads.org/how-youre-targeted/publications/alcohol-marketing-digital-

age-1 (last visited Sept. 30, 2021) (“An increasing number of online services now target Hispanics and African Americans. In

fact, it has been shown that youth of color consume more media, including digital media, than white youth, giving alcohol

marketers greater opportunity to target these groups.”).

134

Sec’y of Hous. & Urban Dev. v. Facebook, Inc., No 01-18-0323-8, 1, Charge of Discrimination, FHEO No. 01-18-0323-8

(Mar. 28, 2019), https://www.hud.gov/sites/dfiles/Main/documents/HUD_v_Facebook.pdf

135

See, e.g., Ava Kofman & Ariana Tobin, Facebook Ads Can Still Discriminate Against Women and Older Workers,

Despite Civil Rights Settlement, P

ROPUBLICA (Dec. 13, 2019), https://www.propublica.org/article/facebook-ads-can-still-

discriminate-against-women-and-older-workers-despite-a-civil-rights-settlement.

136

See Elisa Jillson, Aiming for Truth, Fairness, and Equity in Your Company’s Use of AI, FED. TRADE COMM’N (Apr. 19,

2021), https://www.ftc.gov/news-events/blogs/business-blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai

;

BIG DATA, supra note 114, 17–21; Latanya Sweeney, Online Ads Roll the Dice, FED. TRADE COMM’N (Sept. 25, 2014),

https://www.ftc.gov/news-events/blogs/techftc/2014/09/online-ads-roll-dice.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

C. Although Many ISPs in Our Study Purport to Offer

Consumers Choices, These Choices are Often Illusory

Although many of the ISPs in our study purported to offer consumers choices, some of these

choices were not offered clearly and indeed, nudged consumers toward more data sharing. Academics

and experts commonly refer to these types of practices as “dark patterns,”

137

which was the subject of an

FTC workshop in April 2021.

138

Examples of interfaces we found from several of the ISPs in our study

include the following:

• Interfaces with the preferred choice highlighted and the other choice greyed out. Here the

greyed-out choice may indicate to consumers they have no choice but to select “accept.” Or,

given the difference in prominence, consumers might select “accept” out of expediency without

considering or realizing their ability to “reject.”

• Interfaces that do not allow consumers to reject information collection or continuously

prompt consumers if they select a disfavored setting. Here, consumers are prompted into

“accepting” the use of their sensitive browsing history and location information for online

behavioral advertising, but are not given an option to reject such practices. Additionally, user

experience (“UX”) designers have written about how options, such as the “remind me later”

137

See, e.g., Leon Paternoster, Getting Round GDPR With Dark Patterns. A Case Study: Techradar (Aug. 12, 2018),

https://www.leonpaternoster.com/posts/techradar-gdpr/

(providing examples of dark patterns, including interfaces that nudge

consumers into accepting cookies though the placement and color of the preferred option).

138

Transcript of Bringing Dark Patterns to Light: An FTC Workshop, in Washington, D.C. (Apr. 29, 2021), at 6 (Harry

Brignull), 9 (Arunesh Mathur), 31–32 (Jonathan Mayer), 38–40 (Finn Lutzow Holm Myrstad), 45–46 (Jasmine McNealy),

https://www.ftc.gov/system/files/documents/public_events/1586943/ftc_darkpatterns_workshop_transcript.pdf

FEDERAL TRADE COMMISSION FTC.GOV

FIGURE 7: INTERFACE WITH HIGHLIGHTED PREFERRED CHOICE

Examining the Privacy Practices of Six Major Internet Service Providers

button, can lead to consumer annoyance by repeatedly prompting consumers over and over until

they acquiesce and hit “accept.”

139

• Choices may be buried or hidden from consumers. Here, consumers wanting to exercise their

privacy preferences through their mobile device are required to search through a number of tabs

and sub-tabs. This example reflects not only buried choices but also how consumers’

experiences can vary depending on the device they use. From the dashboard, a consumer that is

searching for their privacy setting would have to click on “account,” “bill,” and “shop,” before

clicking on the “more” button. Once they click on “more,” consumers would have to decide

which button to click next: either “profile settings,” “coverage map,” “app settings,” “contact

us,” “find a store,” or “about the app.” While the privacy settings were actually under the

“profile setting,” it could just as well have been in the “app setting” or “about the app” tab.

Requiring consumers to search through multiple tabs and settings and can frustrate consumers

and discourage them from enabling privacy settings.

139

DesignX, What is a Dark UX Pattern You Most Dislike?, MEDIUM (Nov. 22, 2018), https://medium.com/thoughts-from-

designx/designx-discussions-what-is-a-dark-ux-pattern-you-most-dislike-216a7674e5f0.

FEDERAL TRADE COMMISSION FTC.GOV

FIGURE 8: INTERFACE WITH NO ABILITY TO REJECT

Examining the Privacy Practices of Six Major Internet Service Providers

• Unclear toggle settings that can confuse consumers into selecting a privacy setting that they

did not intend. Here, the “Do Not Sell my personal information” with an off toggle creates a

double negative. It is not clear whether the consumer needs to toggle the setting off to prohibit

sale, or set it to on to turn on “Do Not Sell.” This can lead to confusion and even the possibility

that consumers act against their privacy intention.

FEDERAL TRADE COMMISSION FTC.GOV

FIGURE 9: INTERFACE WITH BURIED PRIVACY CHOICES

FIGURE 10: INTERFACE WITH UNCLEAR TOGGLE SETTINGS

Examining the Privacy Practices of Six Major Internet Service Providers

D. Many ISPs in Our Study Can Be At Least As Privacy-

Intrusive as Large Advertising Platforms

In many respects, ISPs are small players in a nearly $455.30 billion global digital advertising

industry

140

and the $152.72 billion U.S. digital advertising industry.

141

In 2018, Verizon received just

3.4% of the digital advertising spend in the United States.

142

By contrast, in 2020, the three largest

players, Google, Facebook, and Amazon, received almost two-thirds of all U.S. digital advertising

spend, or approximately $98.34 billion.

143

Despite ISPs’ relative size in a market dominated by Google,

Facebook, and Amazon, the privacy challenges that permeate the advertising ecosystem may be

amplified by many of the ISPs in our study in a few respects.

First, many of the ISPs in our study have access to 100% of consumers’ unencrypted internet

traffic.

144

In contrast, only Google has a presence on 75% of the top million websites, with the others

having a presence on no more than 25% of the top million websites.

145

Some have argued that, with the

rising adoption of encryption by websites and prevalence of VPNs,

146

ISPs do not have access to as

140

Ethan Cramer-Flood, Worldwide Digital Ad Spending 2021, EMARKETER (Apr. 29, 2021),

https://www.emarketer.com/content/worldwide-digital-ad-spending-2021

141

Alexandra Bruell, Amazon Surpasses 10% of U.S. Digital Ad Market Share, WALL ST. J. (Apr. 6, 2021),

https://www.wsj.com/articles/amazon-surpasses-10-of-u-s-digital-ad-market-share-11617703200

142

Taylor Soper, Report: Amazon Takes More Digital Advertising Market Share from Google-Facebook Duopoly,

EEKWIRE (Feb. 20, 2019), https://www.geekwire.com/2019/report-shows-amazon-taking-digital-advertising-market-share-

google-facebook-duopoly.

143

Bruell, supra note 141.

144

See, e.g., UPTURN, WHAT ISPS CAN SEE: CLARIFYING THE TECHNICAL LANDSCAPE OF THE BROADBAND PRIVACY DEBATE

(March 2016), https://www.upturn.org/reports/2016/what-isps-can-see/ (finding that in 2016, more than 85% of the top 50

sites still failed to encrypt browsing by default, and that an ISP can see the full URL and the content for any web page

requested by the user).

145

Gabriel Weinberg, What Are The Biggest Tracker Networks and What Can I Do About Them?, DUCKDUCKGO (May 26,

2019), https://spreadprivacy.com/biggest-tracker-networks/

(finding that Google has trackers installed on 75% of top million

websites with all remaining advertising networks having less than a 25% presence on those websites).

146

Others have argued that consumers’ use of VPNs provide additional privacy protections, but the prevalence of VPNs

remains low, with only 6.26% of North American internet users adopting the technology. Sarah Coble, VPN Usage in US

Quadruples, I

NFOSECURITY (Mar. 26, 2020), https://www.infosecurity-magazine.com/news/vpn-usage-in-us-quadruples/.

Studies indicate, however, that the pandemic has led to a surge in VPN adoption, indicating a preference by consumers to

obfuscate their browsing habits and data. See, e.g., VPN Usage Increase in Selected Countries Impacted by the Coronavirus

Between March 8 and March 22, 2020, S

TATISTA, https://www.statista.com/statistics/1106137/vpn-usage-coronavirus/ (last

visited Oct. 1, 2021); Aliza Vigderman & Gabe Turner, 2021 VPN Usage Statistics, SECURITY.ORG (Sept. 9, 2021),

https://www.security.org/vpn/statistics/.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

much of consumers’ browsing behavior as large ad networks like Google, Facebook and Amazon.

147

However, even with encryption, many ISPs in our study continue to store the IP addresses that their

customers access and thereby collect the domain names of the websites they visit.

148

Further, one study showed that health-related websites, containing sensitive information about

consumers and their health-related searches, remain among the least likely to be encrypted.

149

Other

smaller websites and apps, such as those that include information for LGBTQ+ communities and

domestic violence information, may similarly not be encrypted.

Second, several of the ISPs in our study are able to verify and know the identity of their

subscribers. At least two of the ISPs in our study associated consumers’ account information with

information about their web browsing history, app usage, information about other ISP products and

services, characteristics, behaviors, habits, and/or location. This gives some of the ISPs in our study and

their affiliates certainty about their subscribers.

Third, a significant number of the ISPs in our study can track consumers persistently across

websites and geographic locations. By virtue of their access to consumers’ internet traffic through the

provision of internet services, these ISPs are capable of persistently tracking consumers by appending

undeletable identifiers to consumers’ internet traffic, and at least two, in fact, do.

150

Commonly used

measures for protecting privacy, such as switching browsers and devices, enabling “private browsing

mode,” or deleting cookies, did not prevent these two ISPs from continuing to persistently track their

subscribers. Additionally, mobile internet providers can target consumers based on their real-time and

historical location through the use of cellular tower data, even when location tracking on their phones is

deactivated.

151

147

Ashish, How Can Your ISPs Track Your Online Activity?, SCIENCEABC (Apr. 12, 2019),

https://www.scienceabc.com/innovation/how-can-your-isps-track-your-online-activity.html

(“In a nutshell, your ISP might

not be able to see what exactly you’re looking at on a website (say, Youtube) if it’s HTTPS-encrypted, but it can certainly see

that you logged on to Youtube. Just as you cannot hide the recipient’s address from the mailman, you also cannot hide which

websites you’re accessing from your ISP. However, there are certain alternatives to block ISP from tracking, like using a

VPN (Virtual Private Network), which can protect your online privacy. Unfortunately, these often come at a premium price,

and their effectiveness and reliability are often a cause of concern for users.”). See also Rules to Protect Broadband

Consumer Privacy, 81 Fed. Reg. 87274, 87278 (Nov. 2, 2016) (describing the types of information that ISPs have access to

over HTTPS).

148

At least one Order Recipient has partnered with internet browsers and committed to deploying Domain Name System over

HTTPs (“DoH”), which limits the ISP’s access even to the websites visited. However, since DoH is largely browser

dependent, the breadth of its deployment is an open question and therefore, so is the impact that it will have on consumer

internet privacy. See also U

PTURN, supra note 144.

149

PONEMON INST., 2020 GLOBAL ENCRYPTION TRENDS STUDY (2020), https://www.encryptionconsulting.com/wp-

content/uploads/2020/04/2020-Global-Encryption-Trends-Study.pdf.

150

See discussion supra Part IV.C.

151

See discussion supra Part IV.C.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

Finally, in terms of breadth and scope, as noted above, several ISPs in our study have the

capability to combine the browsing and viewing history that they obtain from their subscribers with the

large amounts of information they obtain from the broad range of vertically integrated products,

services, and features that they offer.

152

VI. Conclusion

The findings from our report show that many of the ISPs in our study amass large pools of

sensitive data, and that their uses of such data could lead to significant harms, particularly when

consumers are classified by demographic characteristics, such as race, ethnicity, gender, or sexuality.

Although several of the ISPs in our study purported to offer consumers access to their data and choices

as to their use and deletion, those choices were largely illusory, and sometimes even nudged consumers

toward more data sharing. This further demonstrates the importance of restricting the collection and

uses of data, rather than allowing ISPs to dictate how consumers’ information is used by obscuring how

they will use their information. Unfortunately, these data practices and abuses mirror problems across

other industries, including significantly, edge providers.

152

See discussion supra Part V.A.

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A-1

APPENDIX A:

Text of the Model Order

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A-2

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A-3

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A-4

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A-5

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A-6

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A-7

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A-8

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

A-9

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-1

APPENDIX

Illustrative List of Segments

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-2

Illustrative List of Segments

Combined Segments

• Aspirational Fusion

• Autumn Years

• Birkenstocks and Beemers

• Blue Collar Comfort

• Blue Sky Boomers

• Bohemian Groove

• Boomers and Boomerangs

• Booming and Consuming

• Booming with Confidence

• Colleges and Cafes

• Cosmopolitan Achievers

• Countrified Pragmatics

• Couples with Clout

• Cul de Sac Diversity

• Cultural Connections

• Dare to Dream

• Destination Recreation

• Diapers and Debit Cards

• Digital Dependents

• Everyday Moderates

• Expanding Horizons

• Families Matter Most

• Family Fun-tastic

• Family in Motion

• Family Troopers

• Family Union

• Fast-Track Couples

• Flourishing Families

• Footloose and Family Free

• Full Steam Ahead

• Generational Soup

• Golf Carts and Gourmets

• Golden Year Guardians

• Gotham Blend

• Heritage Heights

• Homemade Happiness

• Hope for Tomorrow

• Humble Beginnings

• Jet Set Urbanites

• Kids and Cabernet

• Metro Fusion

• Middle-Class Melting Pot

• Mid-scale Medley

• Modest Metro Means

• Pastoral Pride

• Picture Perfect Families

• Power Elite

• Promising Families

• Rooted Flower Power

• Rural Escape

• Rural Southern Bliss

• Settled and Sensible

• Settled in Suburbia

• Significant Singles

• Singles and Starters

• Silver Sophisticates

• Small Town Shallow Pockets

• Sports Utility Families

• Status Seeking Singles

• Steadfast Conventionalists

• Stockcars and State Parks

• Striving Forward

• Striving Single Scene

• Suburban Attainment

• Suburban Style

• Tight Money

• Thriving Boomers

• Touch of Tradition

• Tough Times

• Town Elders

• True Grit Americans

• Unspoiled Splendor

• Urban Ambition

• Urban Edge

• Wired for Success

• Young City Solos

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-3

Location Data

• Address

• City

• Country

• State

• Zip Code

Language

• Arabic

• Chinese

• Czech

• Danish

• Dutch

• English

• Finnish

• Greek

• Hebrew

• Hungarian

• Indonesian

• Korean

• Persian

• Polish

• Portuguese

• Romanian

• Russian

• Spanish

• Swedish

• Thai

• Turkish

• Ukrainian

• Vietnamese

Demographic Data

• Age

o General & Address Based

o Generational Age (e.g., Boomer /

Millennial, etc.)

• College Students

o Living on Campus

• Community Profile

o Rural

o Suburban

o Urban

• Education Level

o College Graduate

o College Intender

o General & Address Based

o Grad School

o High School

o Some College

o Trade School

• Empty Nester

• Estimated Current Home Value

• Ethnicity

o African American

o Asian American

o Hispanic

o Vietnamese / Asian

• Gender

• General & Address Based

• Grandparent

• Have a Brokerage Account

• Have a Retirement Plan

• Home Dwelling Type

o Size + Land Size

• Home Owner

• Income / Household Income

o General & Address Based

• Investor / Home Business / Business

Owner

• Job Seekers

• Language

• Length of Residence

• Marital Status

• Military Status

(Active Member / Veteran)

• New / Expecting

• Number of Kids + Children Ages

(0-3, 4-6, 7-9, 10-12, 13,15, 16-18)

• Number of People in Household

• Occupation

• Parental Status

• Participate in Online Trading

• Race / Ethnicity

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-4

o General & Address Based

• Relationship Status

o Recently Engaged

• Types of Investments

(Stocks, Bonds, Mutual Funds, etc.)

• Vehicle Type

• “Working Class”

o General and Address Based

Political Data

• Absentee & Early Voters

• Activist

o General & Address Based

• Likely Voter / Voter Propensity

o General & Address Based

• Political Affiliation + Leanings

o Dem / Rep & Lean Dem v. Solid

Dem, etc.

o General & Address Based

• Political Identity

o Conservative

o Fiscal Conservatives

o Liberal

o Social Conservatives

• Political Interests

o Children / Social Causes

o Conservative Political Social

Causes

o Health Causes

o Liberal Political Social Causes

o Other Social Causes

o Veteran Causes

• Political Issue Support

o Border Security

o Campaign Finance

o Choice / Life

o Energy

o Environmental Issues

o Free Trade

o Gun Control

o Minimum Wage

o Path to Citizenship / Immigration

o Progressive Tax

o Healthcare

o General & Address Based

(for all issues above)

• Potential Political Donor / Contributions

o General & Address Based

• Swing Voters

o Heavy TV Swing Voters

• Turnout Levels

o General & Address Based

• Trump Support / Resistance

o General & Address Based

• Vote History

o General & Address Based

• Voters by Congressional District

• Voter Registration

Phone Data

• Cellular Carrier

• Cell Phone Presence

• Device Age

• Device Performance

• Device Manufacturer

• Mobility Feed

• Operating OS

Browsing Data

• Browsing

o Accounting and Tax Service

o Airlines

o Alcoholic Beverages

o Amusement Parks and Seasonal

Attractions

o Apartments

o Appliances

o Arts and Crafts

o Automotive

o Auto Racing

o Banking and Investment

Management

o Baseball

o Basketball

o Bicycling

o Blogs

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-5

o Bodybuilding

o Booking Sites

o Books

o Bowling

o Boxing

o Business and Financial News

o Car Dealerships

o Car Manufacturers

o Casinos

o College Sports

o Concerts and Events

o Consumer Electronics

o Consumer Packaged Goods

o Convenience Stores

o Cosmetics and Hygiene

o Coupons and Offers

o Credit and Lending Services

o Credit Reporting

o Cricket

o Cruises

o Dating

o Department Stores

o Dieting and Fitness

o E-Cards

o Education

o Email Marketing Services

o Email Services

o Employment

o Entertainment

o Figure Skating

o Finance

o Financial Services

o Fitness Centers and Spas

o Fitness Equipment

o Food

o Food and Cooking

o Football

o Gambling and Lotteries

o Games Music Movies and Books

o Gaming

o Golf

o Government

o Government and Politics

o Grocery

o Ground Transportation and Car

Rental

o Guides and Classifieds

o Guides Classifieds and

Directories

o Health and Wellness

o Health Beauty and Wellness

o Hobbies

o Home and Garden

o Home Buying and Selling

o Home DVD

o Home Improvement

o Horoscopes

o Hotels and Resorts

o Household Products

o Humor Comics and Novelties

o Ice Hockey

o Institutions

o Insurance

o Interior Decorating

o International News

o Internet Radio

o Jewelry

o Lifestyle and Interests

o Local and Regional News

o Luxury Cars

o Luxury Goods

o Maps and Navigation

o Martial Arts

o Media and Entertainment

o Messaging Services

o Motorcycle Manufacturers and

Dealers

o NASCAR Racing

o News

o Non-Profit and Charities

o Office Supplies

o Olympics

o Online Audio

o Online Learning

o Online Payments

o Online Stores

o Online Video

o OTT Feed

o Outdoors

o Parenting and Family

o Parts Accessories and Services

o Pet Products

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-6

o Pharmacies

o Photo and Video Services

o Photo and Video Sharing

o Planning Tools and Guides

o Podcasts

o Poetry

o Poets

o Portals and Search

o Premium Music Services

o Premium Video Services

o Real Estate

o Reference

o Regional Transit

o Rentals

o Restaurants

o Retail

o Running and Jogging

o Sailing

o Search Engines

o Services

o Shoes and Accessories

o Shopping Centers and Malls

o Soccer

o Social Media and Networking

o Social Networking

o Soft Drinks

o Spanish Language Media

o Sporting Goods

o Sports

o Sports Events

o Sports Media

o Streaming

o Taxi Services

o Technology News

o Tennis

o Theater and Ticketing Services

o Toys

o Trade Schools

o Travel and Local

o Trucks

o TV and Movies

o Universities

o Weather

TV Data

• Episode

• Genre

• Network

• Series

• Show

• TV Feed

• Viewership

o Big 5

o Action

o Action Sports

o Adventure

o Aerobics

o Agriculture

o All Networks besides Big 5

o Alternative

o American History

o Ancient History

o Animals

o Animated

o Anime

o Anthology

o Archery

o Arm Wrestling

o Art

o Arts

o Auction

o Australian Rules Football

o Auto

o Auto Racing

o Aviation

o Awards

o Badminton

o Ballet

o Baseball

o Basketball

o Beach Volleyball

o Bicycle

o Biography

o Bluegrass

o Blues

o Boat

o Boat Racing

o Bodybuilding

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-7

o Bowling

o Boxing

o Bullfighting

o Bull Riding

o Bus

o Canoe

o Card Games

o Cheerleading

o Children

o Classical

o Classic Sport Event

o Collectibles

o Comedy

o Comedy Drama

o Community

o Computers

o Concert

o Consumer

o Cooking

o Country

o Crafts

o Crime

o Crime Drama

o Cycling

o Dance

o Dark Comedy

o Debate

o Diving

o Documentary

o Dog Show

o Drag Racing

o Drama

o Easy Listening

o Educational

o Entertainment

o Environment

o Equestrian

o Esports

o Event

o Exercise

o Fantasy

o Fashion

o Fencing

o Field

o Field Hockey

o Figure Skating

o Financial

o Fishing

o Floorball

o Folk

o Football

o Footvolley

o Freestyle Skiing

o Fundraiser

o Futsal

o Game Show

o Gaming

o Garden

o Gay

o Golf

o Gospel

o Gymnastics

o Harness Racing

o Health

o Heavy Metal

o Hip Hop & Rap

o Historical Drama

o History

o Hockey

o Holiday

o Home Improvement

o Horror

o Horse

o Horse Racing

o House

o How To

o Hunting

o Interview

o Intl Soccer

o Jazz

o Karaoke

o Kayaking

o Lacrosse

o Latin

o Law

o Lesbian

o Marathon

o Martial Arts

o Medical

o Military

o Miniseries

o Mixed Martial Arts

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-8

o Motorcycle

o Motorcycle Racing

o Motorsports

o Mountain Biking

o Multi-Sport Event

o Music

o Musical

o Musical Comedy

o Mystery

o Nature

o News

o Newsmagazine

o Olympics

o Opera

o Outdoors

o Parade

o Paranormal

o Parenting

o Performing Arts

o Pets

o Playoff Sports

o Poker

o Politics

o Political Viewings (Conservative

/ Liberal)

o Polo

o Pool

o Pop

o Pro Wrestling

o Public Affairs

o Reality

o Reggae

o Religious

o Rock

o Rodeo

o Romance

o Romantic Comedy

o Rowing

o Rugby

o Rugby League

o Rugby Union

o Running

o R&B

o Sailing

o Science

o Science Fiction

o Self-Improvement

o Shooting

o Shopping

o Sitcom

o Skateboarding

o Skiing

o Snowboarding

o Soap

o Soccer

o Softball

o Soul

o Special

o Speed Skating

o Sports Talk

o Standup

o Summer Olympics

o Sumo Wrestling

o Surfing

o Swimming

o Table Tennis

o Talk

o Technology

o Tennis

o Theater

o Thriller

o Track

o Travel

o Triathlon

o Variety

o Volleyball

o War

o Watersports

o Water Polo

o Weather

o Weightlifting

o Western

o WME Networks

o World

o World History

o Wrestling

o Yacht Racing

Interests Data

• Affluent Lifestyle

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-9

• Air Warriors

• Apparel / Fashion / Clothing

• Audio Book Listener

• Auto Enthusiasts

• Auto Intenders (Existing and New)

• Avid Runner

• Base Packages

• Beach Goers

• Boat Interest

• Bolt-on Packages

• Book Reader / Reading Interest

• Brokerage account owner

• Business Owner

• Camp or Hike Enthusiast

• Canoe and Kayak Enthusiast

• Casino Gambling Enthusiast

• Casual Gamer

• Celebrity News Fans

• Child prod interest

• Coffee Connoisseurs

• Coffee connoisseur model

• Collectors

• Comedy movie

• Comedy romantic comedy movie

• Communication interest

• Concert Enthusiast

• Craft interest

• Cultural arts interest

• Customer match level

• CY profitability score

• Debit card user model

• Dental Health

• Digital mag news buyer model

• DIY

• Doc-Foreign language movie model

• Drama movie model

• E-book reader model

• Environmentally conscious

• E-tech group

• Family film buff - model

• Family restaurant model

• Farmer / Agriculture

• Financial Enthusiasts

• Financial Intender (New)

• Financial Whiz

• Fishing enthusiast model

• Fitness interest

• Frequent movie attendee

• Frequent restaurant goer

• Gamer model

• Garden interest

• Gardening

• Getting Married

• Gourmet cooking model

• Gourmet interest

• Health / Fitness Enthusiast

• Health Clubs / Gyms

• Health interest

• Healthy Living

• Healthy living Enthusiasts

• Hi tech owner

• High-end Spirit Drinkers

• Home / Auto Insurance

• Home / Garden Enthusiast

• Home decor interest

• Home Entertainment/TV/Video

• Home Hunters model

• Home Improvement Spenders

• Horror movie

• Hunting or fishing enthusiast

• Internet online subscriber

• Investing / Personal Banking Interest

• iPhone owner model

• Kitchen aids interest

• Kitchen Aids/Small Appliances

• Mattress model

• Mobile Gamers

• Motorcycle aficionados

• Mountaineers

• Movie Buffs

• Movie Goers

• Movie Theater Ticket/Showtime App

Users

• Museums and Art Galleries

• Music Fan

o By music genre / type

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-10

• New Home Intenders (Buying) / Moving

/ New Homeowner / New Renters /

Home Searchers

• News Hounds / Enthusiasts

• News Reader

• Nurses

• Online Media Streaming Service

Subscribers

• Organic Foods

• Outdoor interest

• Parents Planning for College

• Personal beauty interest

• Pet Owners / Enthusiasts

• Photography

• Premium credit

• Prestige Makeup User

• QSR Fast Foodies

• Reading interest

• Religion

• Road Trippers

• Road Warriors

• Sci-Fi movie model

• Seeking Medical Care

• Self-improvement interest

• Skiing interest

• Social Influencers

• Sports Interest & Sports Fans

o By sport, league, and by type

(professional / college)

• Streaming

• Super store model

• Sweep contest entry

• Sweeps gambling interest

• Tech / gadgets

• Thriller movie

• Travelers / Vacationers

o Business Traveler

o Cruise Enthusiast / Seeker

o Domestic Travel Enthusiast /

Seeker

o Foreign Travel Enthusiast /

Seeker

o Hotel / Airline Loyalty

Affiliation

o Personal Traveler

o Rental Cars

o Travel / Vacation Enthusiast

o Travel Frequency

o Tourist by City

• Volunteer

• Weight conscious

• Weight Loss

Shopper Data

• Types of Shoppers

o Accountants

o American Goods

o Apparel

o Arts & Crafts

o Auto Dealership Visitors

o Bargain Conscious

o Beauty & Fragrance

o Big & Tall

o Big Box / Mass Market Store

o Boutique Store

o Car [Brand Specific]

o Children’s Apparel & Accessory

o Computers

o Convenience Store

o Corporate Attire & Suits

o Corporate Credit Card User

o Coupon User

o Credit Card

o Credit Card User

o Department Store

o Department Store Makeup User

o Drug Store

o Electronics / Gadgets

o Fashion Accessory

o Financial Advisory & Services

o Fine Jewelry

o Footwear

o Full-Service Restaurant

o Furniture / Outdoor Living /

Home Décor / Remodel

o Furniture & Accessories

o Holiday, Gifts, & Party

o Home Appliance

FEDERAL TRADE COMMISSION FTC.GOV

Examining the Privacy Practices of Six Major Internet Service Providers

B-11

o Home Delivered Groceries

o Home Entertaining Products

o Home Improvement

o Home Improvement Products

o Home Interior Products

o Impulse Buyers

o In-Store

o Jeans

o Large Appliance

o Life Insurance

o Luxury

o Mail Order

o Men’s Apparel

o Medical Care

o Office Supplies

o Online

o Personal Health

o Pets

o Plus Size

o Premium Credit

o Quick Service Restaurant

o Running Gear

o Senior Discount

o Senior Products

o Shoes

o Sports Equipment & Outdoor

Gear

o [Store / Website Specific]

o Subscription

o Tax Product Assistance

o Teen Apparel

o Theme Park

o Travel

o Warehouse Club Member

o Wearable Fitness

o Wholesale

o Women’s Apparel

App Data

• App Genre

• Business

• Entertainment

• Finance

• Games

o Action

o Adventure

o Arcade

o Board

o Card

o Casino

o Casual

o Educational

o Family

o Music

o Puzzle

o Racing

o Role Play

o Simulation

o Sports

o Strategy

o Trivia

o Word

• Health and Fitness

• Lifestyle and Food

• Music & Audio

• Photo & Video

• Productivity

• Shopping

• Social and Communication

• Sports

• Transportation & Navigation

• Travel & Local

• Utilities

• Weather

Other Data

• Charitable Contributions

o By type of charity (e.g., arts,

health, humanities, etc.)

o Computer Presence

o Time of Day

o Volunteer Worker

FEDERAL TRADE COMMISSION FTC.GOV

October 21

, 2021