NCTA — The Internet & Television Association

Protecting Consumer Privacy

Protecting Consumer Privacy

Protecting Consumer Privacy

In today’s digital age, protecting a customer’s personal information is one of the most important responsibilities for service providers. For decades, NCTA member companies have worked hard to preserve this trust and safeguard consumer data. ISPs are committed to providing customers with transparent privacy policies, including the ability to opt out of data sharing. But revelations about the data collection and sharing practices of a few global tech giants demonstrate that consumers are both unaware of how their data is being used and are left unprotected across much of the internet. Now is the time for federal policymakers to explore strong and consistent consumer privacy protections that apply equally to ISPs, online services and social networks.

by Michael Powell

Michael Powell

Two days of Congressional hearings this week about the data collection and sharing practices of Facebook have ignited a critical national conversation about online privacy and the dangers that stem from the power of large tech firms to build, use, and share detailed profiles of consumer behavior and track them across the internet.

Facebook CEO Mark Zuckerberg was well prepared and performed well in answering most of the questions posed to him, but the hearings did not alter the fundamental concern that “tens of thousands of apps” may have accessed the personal data of two billion users. While this week’s focus was on Facebook, it is clear that issues surrounding privacy practices apply similarly to other large online platforms as well.

That is why one of the biggest takeaways from this week’s hearings is the growing support among lawmakers for thoughtful federal strategies that might more fully empower consumers and protect their privacy across the internet.

Now more than ever, we believe the time is ripe for congressional action that would codify strong and enforceable consumer protections in an internet age.

In today’s digital age, a few global tech giants increasingly hold and traffic in massive amounts of personal data, using technology to increasingly addict, predict and manipulate digital consumers. These same massive platforms that undoubtedly promote social utility can also increasingly be used in less transparent ways by criminals and other unsavory forces to defraud, misinform, and divide. Governments have the power to establish policies that recognize the value of online commerce and innovation but also establish obligations to safeguard against the risk of harmful misuse of personal data. This risk is rising from the confluence of massive data sources, powerful data analytics, and the dangers of business models premised on consumer surveillance.

As the cable industry, our perspective is admittedly one of many, but it is one informed by our deep experience in offering valuable services premised on a direct relationship with our customers in which we safeguard their personal data. That experience guides us in believing that consumers’ interests would be best protected through the adoption and enforcement of a consistent set of privacy rules for all parties doing business online.

Indeed, the interconnected nature of the internet almost demands a consistent set of privacy protections. Consumers’ privacy rights shouldn’t change depending on which internet service provider they use to log on, what websites they visit, or what social networks or search engines they use.

Now more than ever, we believe the time is ripe for congressional action that would codify strong and enforceable consumer protections in an internet age. Such protections should require online firms to clearly explain how they collect, use, and share personal data. And, they should give consumers more control over their personal data, including requiring opt-in consent for using or sharing personal data with limited exceptions.

 

A technology-neutral, federal framework of online consumer protection is a first step to restoring America’s faith in our digital future.

New internet consumer protections should also include rules that codify principles of internet openness, empowering appropriate government action to stop practices that are unfairly discriminatory or otherwise impede the free flow of legal traffic over the internet. Net neutrality rules and privacy protections, for example, should be advanced together to help maintain a free and open internet that benefits all consumers.

Finally, and most important of all, these protections must apply across-the-board to internet service providers, online services, and social networks alike. This is the only way to give consumers clear confidence that their rights will be honored by all parties doing business online. Prior government efforts on privacy and net neutrality have been piecemeal, leaving consumers exposed to online risks. Only a comprehensive federal privacy and net neutrality regime will adequately serve the public interest.

A technology-neutral, federal framework of online consumer protection is a first step to restoring America’s faith in our digital future. When consumers go online, they shouldn’t have to think about what state they are in, and they shouldn’t need an engineering or law degree to understand what privacy requirements apply to different online services and what kind of entity may be engaged in blocking or throttling. They want to know that their personal data is protected, that their choices as consumers are respected, and that practices resulting in unfair discrimination or otherwise violating the spirit of internet openness will be punished swiftly.

Of course, there are many details to be addressed in developing such a framework, but the cable industry is committed to working with government, the private sector, and civil society representatives to do so.

Let’s get started.

ISPs understand the trust our customers place in us, and we are committed to protecting our customers’ privacy and safeguarding their information. For 20 years, we have implemented policies and practices that are consistent with the FTC’s widely respected and effective privacy framework and other federal and state privacy laws. This framework helped drive the success of today’s Internet ecosystem by balancing consumer protection with the flexibility necessary to innovate. We understand the importance of maintaining our customers’ trust.

That is why we will continue to provide consumer privacy protections, while at the same time meeting consumers’ expectations for innovative new product solutions to enhance their online experiences. Regardless of the legal status of the FCC’s broadband privacy rules, we remain committed to protecting our customers’ privacy and safeguarding their information because we value their trust.

As policymakers evaluate the issues, we will maintain consumer protections that include the following:

  • Transparency. ISPs will continue to provide their broadband customers with a clear, comprehensible, accurate, and continuously available privacy notice that describes the customer information we collect, how we will use that information, and when we will share that information with third parties.

  • Consumer Choice. ISPs will continue to give broadband customers easy-to-understand privacy choices based on the sensitivity of their personal data and how it will be used or disclosed, consistent with the FTC’s privacy framework. In particular, ISPs will continue to: (i) follow the FTC’s guidance regarding opt-in consent for the use and sharing of sensitive information as defined by the FTC; (ii) offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing; and (iii) rely on implied consent to use customer information in activities like service fulfillment and support, fraud prevention, market research, product development, network management and security, compliance with law, and first-party marketing. This is the same flexible choice approach used across the Internet ecosystem and is very familiar to consumers.

  • Data Security. ISPs will continue to take reasonable measures to protect customer information we collect from unauthorized use, disclosure, or access. Consistent with the FTC’s framework, precedent, and guidance, these measures will take into account the nature and scope of the ISP’s activities, the sensitivity of the data, the size of the ISP, and technical feasibility.

  • Data Breach Notifications. ISPs will continue to notify consumers of data breaches as appropriate, including complying with all applicable state data breach laws, which contain robust requirements to notify affected customers, regulators, law enforcement, and others, without unreasonable delay, when an unauthorized person acquires the customers’ sensitive personal information as defined in these laws.

These principles are consistent with the FTC’s privacy framework, which has proved to be a successful privacy regime for many years and which continues to apply to non-ISPs, including social media networks, operating systems, search engines, browsers, and other edge providers that collect and use the same online data as ISPs. That framework has protected consumers’ privacy while fostering unprecedented investment and innovation. The principles are also consistent with the FCC’s May 2015 Enforcement Advisory, which applied to ISPs for almost two years while the FCC’s broadband privacy rules were being considered.

The above principles, as well as ISPs’ continued compliance with various federal and state privacy laws, will protect consumers’ privacy, while also encouraging continued investment, innovation, and competition in the Internet ecosystem.

Altice USA
American Cable Association
AT&T
Charter Communications
Citizens Telephone and Cablevision
Comcast
Cox Communications
CTIA
Dickey Rural Networks
Inland Telephone Company d/b/a Inland Networks
ITTA – The Voice of Mid-Sized Communications Companies
NCTA – The Internet & Television Association
Northeast Louisiana Telephone Co., Inc. (NortheastTel)
NTCA – The Rural Broadband Association
SCTelcom
T-Mobile
USTelecom
Verizon
VTX1 Companies
Wheat State Telephone, Inc.
Wireless Internet Service Providers Association
WTA – Advocates for Rural Broadband

Myth. ISPs will now start selling sensitive personal data about their customers.

 

Reality. Completely False. ISPs today do not sell their customers’ sensitive personal data and have no plans to do so. Repeal of the FCC’s rules will not change current ISP practices. They have long complied with privacy practices related to the use of sensitive data collected online that are consistent with the Federal Trade Commission’s framework for privacy protection.
In January, ISPs reiterated their commitment to follow practices consistent with the FTC’s proven approach. These principles explain that ISPs will not sell their customers’ “sensitive” information – including financial, children’s, and health information, social security numbers, and precise geolocation data – without first obtaining the affirmative, opt-in consent of their customers. So contrary to the baseless claims of some, Congress’s repeal of the FCC’s misguided rules will not allow ISPs to sell sensitive data to the highest bidder without their customers’ knowledge or consent.

 

Myth. ISPs now plan to ignore consumer wishes and sell customer data collected online to advertisers for their use in trying to target more relevant marketing messages to consumers.

Reality. Wrong again. All ISPs today allow their customers to “opt out” of practices that would use or sell their non-sensitive personal data collected online to enable targeted marketing communications from third parties. This is the same policy that has long been part of the FTC’s approach to privacy protection. And it is the standard applied today to all companies collecting online data as the appropriate way to balance the consumer’s interests in protecting the privacy of his or her personal information and the value of enabling marketing messages that may be more relevant to individual Internet users.

 

Myth. No one knows more about your online behavior than your ISP.

Reality. Not true. A comprehensive study submitted to the FCC by a veteran Clinton and Obama Administration privacy expert showed that ISPs actually have limited – and increasingly less – insight into consumer activities and information online due to the increases in Internet encryption – approximately 70% today – and other factors. In fact, other entities collecting online data (e.g., edge providers, search engines, social media platforms, operating systems, ad networks, and data brokers), who are far less heavily regulated, see and know much more about their customers and aggressively use and monetize their data.

 

Myth. Any time you type something in a browser or conduct any search online – such as a child with a medical disorder seeking information, a family doing its banking – your ISP knows what you are doing on line.

Reality. False. ISPs know what you type in as a top-level domain, such as www.webmd.com, because they need to get you to your online destination, but they don’t know what searches you make within an encrypted web site. And, in fact, most searches are on Google (65%), Microsoft (23%), or Yahoo (12%), which are encrypted, so ISPs cannot see them.

 

Myth. The Obama Administration imposed this rule because your ISPs know so much about what you are doing on line.

Reality. Not true. The rule came about because of the reclassification of broadband under Title II, which deprived the FTC of jurisdiction to regulate ISP privacy as it had done successfully for decades under a sweeping privacy framework that applied to all players in the Internet ecosystem. In 2012, the Obama FTC and the Obama White House looked at the specific question whether ISPs should be treated differently than edge providers under the privacy regulations – and concluded no, reaffirming that a technology-neutral approach to privacy was best. The current problem was created because the FCC over-reached and over-regulated ISPs, while the Internet edge providers (e.g., Google and Facebook) remain under the workable FTC privacy regime. The net impact is a competitive advantage to the edge providers and no additional protection – and much confusion – for consumers.

 

Myth. Repeal of the FCC rules leaves consumers legally unprotected.

Reality. Wrong. Repealing the rules does not alter the underlying statutory protections under section 222 of the Communications Act. Additionally, the commitments publicly made by ISPs with respect to their privacy practices are legally enforceable in multiple ways, including by state Attorneys General.

 

Myth. The FCC approach – which treated ISPs differently than other online giants collecting data online – was better than the FTC’s approach of creating consistent standards of privacy protection that applied all parties online.

Reality. The best approach to privacy protection focuses on what the consumer data is, not who is collecting it. Clear, technology-neutral privacy standards can provide consumers with consistent online protection that meets their expectations and not leave them to have to figure out who may be collecting data about them (especially since, often times, it may be parties that are not visible to the consumer and with whom they have not established a customer relationship). The FCC’s rules were contrary to what consumers want – in a recent survey, 94% of consumers said they expect their data should be governed by the same rules everywhere online.

Congressional approval of a resolution to reverse the previous FCC’s misguided privacy rules has resulted in some pretty serious and mistaken claims about what ISPs can and can’t do with customer information. This is unfortunate because consumer privacy is something that our member companies have always respected and have an excellent track record of protecting.

To help debunk some of these unfortunate claims, we’ve published a “myth vs. reality” document that we hope will clear up many of the misconceptions. We encourage you to take a look.

How do ISPs protect consumer privacy? NCTA’s members and nearly every ISP in America in late January reiterated their commitment to privacy principles that are based on the FTC’s successful privacy regime, which for over 20 years applied to all internet companies, and still applies to the world’s largest data collectors including Google, Facebook and Amazon.

And to further clarify how ISPs respect the privacy of their customers, see what some of our member companies have to say:

The bottom line is that ISPs are firmly committed to protecting our customers’ privacy and safeguarding their information. We value their trust and intend to keep it.