Myth vs. Reality on ISP Privacy Claims
Clearing up misconceptions about online privacy
Myth. ISPs will now start selling sensitive personal data about their customers.
Reality. Completely False. ISPs today do not sell their customers’ sensitive personal data and have no plans to do so. Repeal of the FCC’s rules will not change current ISP practices. They have long complied with privacy practices related to the use of sensitive data collected online that are consistent with the Federal Trade Commission’s framework for privacy protection.
In January, ISPs reiterated their commitment to follow practices consistent with the FTC’s proven approach. These principles explain that ISPs will not sell their customers’ “sensitive” information – including financial, children’s, and health information, social security numbers, and precise geolocation data – without first obtaining the affirmative, opt-in consent of their customers. So contrary to the baseless claims of some, Congress’s repeal of the FCC’s misguided rules will not allow ISPs to sell sensitive data to the highest bidder without their customers’ knowledge or consent.
Myth. ISPs now plan to ignore consumer wishes and sell customer data collected online to advertisers for their use in trying to target more relevant marketing messages to consumers.
Reality. Wrong again. All ISPs today allow their customers to “opt out” of practices that would use or sell their non-sensitive personal data collected online to enable targeted marketing communications from third parties. This is the same policy that has long been part of the FTC’s approach to privacy protection. And it is the standard applied today to all companies collecting online data as the appropriate way to balance the consumer’s interests in protecting the privacy of his or her personal information and the value of enabling marketing messages that may be more relevant to individual Internet users.
Myth. No one knows more about your online behavior than your ISP.
Reality. Not true. A comprehensive study submitted to the FCC by a veteran Clinton and Obama Administration privacy expert showed that ISPs actually have limited – and increasingly less – insight into consumer activities and information online due to the increases in Internet encryption – approximately 70% today – and other factors. In fact, other entities collecting online data (e.g., edge providers, search engines, social media platforms, operating systems, ad networks, and data brokers), who are far less heavily regulated, see and know much more about their customers and aggressively use and monetize their data.
Myth. Any time you type something in a browser or conduct any search online – such as a child with a medical disorder seeking information, a family doing its banking – your ISP knows what you are doing on line.
Reality. False. ISPs know what you type in as a top-level domain, such as www.webmd.com, because they need to get you to your online destination, but they don’t know what searches you make within an encrypted web site. And, in fact, most searches are on Google (65%), Microsoft (23%), or Yahoo (12%), which are encrypted, so ISPs cannot see them.
Myth. The Obama Administration imposed this rule because your ISPs know so much about what you are doing on line.
Reality. Not true. The rule came about because of the reclassification of broadband under Title II, which deprived the FTC of jurisdiction to regulate ISP privacy as it had done successfully for decades under a sweeping privacy framework that applied to all players in the Internet ecosystem. In 2012, the Obama FTC and the Obama White House looked at the specific question whether ISPs should be treated differently than edge providers under the privacy regulations – and concluded no, reaffirming that a technology-neutral approach to privacy was best. The current problem was created because the FCC over-reached and over-regulated ISPs, while the Internet edge providers (e.g., Google and Facebook) remain under the workable FTC privacy regime. The net impact is a competitive advantage to the edge providers and no additional protection – and much confusion – for consumers.
Myth. Repeal of the FCC rules leaves consumers legally unprotected.
Reality. Wrong. Repealing the rules does not alter the underlying statutory protections under section 222 of the Communications Act. Additionally, the commitments publicly made by ISPs with respect to their privacy practices are legally enforceable in multiple ways, including by state Attorneys General.
Myth. The FCC approach – which treated ISPs differently than other online giants collecting data online – was better than the FTC’s approach of creating consistent standards of privacy protection that applied all parties online.
Reality. The best approach to privacy protection focuses on what the consumer data is, not who is collecting it. Clear, technology-neutral privacy standards can provide consumers with consistent online protection that meets their expectations and not leave them to have to figure out who may be collecting data about them (especially since, often times, it may be parties that are not visible to the consumer and with whom they have not established a customer relationship). The FCC’s rules were contrary to what consumers want – in a recent survey,94% of consumers said they expect their data should be governed by the same rules everywhere online.