FTC Report on ISP Privacy Can’t See the Forest for the Trees

The Federal Trade Commission (FTC) released a staff report last week on the privacy practices of six major U.S. Internet service providers (ISPs). The report sharply critiqued their privacy practices arguing that not only do some of these ISPs collect and use data for targeted advertising, but in a number of cases they do not sufficiently disclose how they use consumer data, limit consumers privacy choices, do not provide consumers meaningful access to their data, and retain consumer data too long. In short, the FTC report argues that ISPs pose a significant threat to consumer privacy, a sentiment echoed by FTC Chair Lina Khan who summarized the report as finding that “[ISPs] are surveilling users across a broad swath of activities.” However, a close look at the report’s findings shows not only that the FTC has misrepresented the online risks consumers face from ISPs, but that the FTC has a fundamental and unjustified bias against online data collection and targeted advertising.

Let’s consider each of the four “observations” the FTC report makes about the ISPs.

First, the FTC report notes that ISPs “amass large pools of sensitive consumer data.” They are particularly vexed that many ISPs, or their parent company or subsidiaries, offer other services, such as home security and automation, video streaming, and email, and these companies share and combine data across services or integrate ISP subscriber data with data purchased from data brokers. It’s not clear why the FTC finds this observation notable. The same conclusions could be reached about virtually every large business in a consumer-facing industry—they offer multiple products and services, they have subsidiaries or parent companies, and they share consumer data across their organizations. Businesses use data to better understand their customers, discover opportunities to improve their products and services, make better operational decisions, advertise to their customers, and more. There is nothing illegal, unethical, or even problematic about these common industry practices.

Second, the FTC report notes that some ISPs “gather and use data in ways consumers do not expect and could cause them harm.” For example, some ISPs use a customer’s browsing history and television viewing history for advertising purposes, and three ISPs use cross-device tracking so that the ads they receive on one device may be based on their profile from their usage of another. But the risk of harm here is speculative—the FTC report did not offer any new insights into how consumers are being harmed by this data collection. Instead, it simply repeated potential concerns associated with illegal abuse of this information, such as sharing the data unlawfully or using it to discriminate against consumers. Given that the FTC collects data about fraud, scams, and other harmful businesses practices from consumers, it is telling that it was unable to offer any new evidence of tangible consumer harm.

Third, the FTC report claims that although ISPs offer consumer choices, “these choices are often illusory.” Here the FTC report really starts grasping at straws. For example, it considers a privacy prompt where the “accept” option is blue and the “reject” option is gray an example of how ISPs are tricking consumers. Similarly, the report says ISPs are frustrating consumers by not listing an option to edit privacy preferences on top-level navigation menus on their websites. The FTC’s assumption seems to be that users do not exercise privacy choices because these settings are not prominent, rather than considering the alternative that perhaps many businesses do not make this more prominent because most users do not visit their websites to adjust their privacy settings because it is not a priority for them.

Finally, the FTC report asserts that ISPs “can be at least as privacy-intrusive as large advertising platforms.” It is clear the FTC report meant that statement as a harsh attack on ISPs—the FTC apparently sees nothing worse than claiming another business is similar to Google, Facebook, or Amazon, three of the most successful and innovative U.S. businesses. Yet again, they fail to show any harm, and simply repeat the fact that some ISPs collect data about their customers’ Internet usage for advertising purposes, which apparently bears repeating, is not a harm on its own and in fact benefits consumers. Moreover, this last claim highlights the logical contortions the FTC is willing to assume in order to attack any tech company that uses data. For example, at the same time that the FTC is arguing that too few firms have all the consumer data and there is not enough competition among advertising platforms, they are also blasting ISPs for collecting similar consumer data, entering new markets, and posing a potential challenge to online ad networks. If anything, the FTC should welcome the competition.

The FTC report attempts to demonize ISPs for the simple fact that some of them collect data and use it for advertising. But collecting data is not illegal, advertising is not illegal, and targeted advertising is not illegal. Indeed, all three can benefit consumers and if the FTC is interested in protecting and promoting consumer welfare, it should welcome ISPs embracing data-driven innovation rather than try to throw cold water on it.