ISP Privacy Principles
ISPs understand the trust our customers place in us, and we are committed to protecting our customers’ privacy and safeguarding their information. For 20 years, we have implemented policies and practices that are consistent with the FTC’s widely respected and effective privacy framework and other federal and state privacy laws. This framework helped drive the success of today’s Internet ecosystem by balancing consumer protection with the flexibility necessary to innovate. We understand the importance of maintaining our customers’ trust.
That is why we will continue to provide consumer privacy protections, while at the same time meeting consumers’ expectations for innovative new product solutions to enhance their online experiences. Regardless of the legal status of the FCC’s broadband privacy rules, we remain committed to protecting our customers’ privacy and safeguarding their information because we value their trust.
As policymakers evaluate the issues, we will maintain consumer protections that include the following:
Transparency. ISPs will continue to provide their broadband customers with a clear, comprehensible, accurate, and continuously available privacy notice that describes the customer information we collect, how we will use that information, and when we will share that information with third parties.
Consumer Choice. ISPs will continue to give broadband customers easy-to-understand privacy choices based on the sensitivity of their personal data and how it will be used or disclosed, consistent with the FTC’s privacy framework. In particular, ISPs will continue to: (i) follow the FTC’s guidance regarding opt-in consent for the use and sharing of sensitive information as defined by the FTC; (ii) offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing; and (iii) rely on implied consent to use customer information in activities like service fulfillment and support, fraud prevention, market research, product development, network management and security, compliance with law, and first-party marketing. This is the same flexible choice approach used across the Internet ecosystem and is very familiar to consumers.
Data Security. ISPs will continue to take reasonable measures to protect customer information we collect from unauthorized use, disclosure, or access. Consistent with the FTC’s framework, precedent, and guidance, these measures will take into account the nature and scope of the ISP’s activities, the sensitivity of the data, the size of the ISP, and technical feasibility.
Data Breach Notifications. ISPs will continue to notify consumers of data breaches as appropriate, including complying with all applicable state data breach laws, which contain robust requirements to notify affected customers, regulators, law enforcement, and others, without unreasonable delay, when an unauthorized person acquires the customers’ sensitive personal information as defined in these laws.
These principles are consistent with the FTC’s privacy framework, which has proved to be a successful privacy regime for many years and which continues to apply to non-ISPs, including social media networks, operating systems, search engines, browsers, and other edge providers that collect and use the same online data as ISPs. That framework has protected consumers’ privacy while fostering unprecedented investment and innovation. The principles are also consistent with the FCC’s May 2015 Enforcement Advisory, which applied to ISPs for almost two years while the FCC’s broadband privacy rules were being considered.
The above principles, as well as ISPs’ continued compliance with various federal and state privacy laws, will protect consumers’ privacy, while also encouraging continued investment, innovation, and competition in the Internet ecosystem.
Myth vs. Reality on ISP Privacy Claims
Clearing up misconceptions about online privacy
Myth. ISPs will now start selling sensitive personal data about their customers.
Reality. Completely false. ISPs today do not sell their customers’ sensitive personal data and have no plans to do so. Repeal of the FCC’s rules will not change current ISP practices. They have long complied with privacy practices related to the use of sensitive data collected online that are consistent with the Federal Trade Commission’s framework for privacy protection.
In January, ISPs reiterated their commitment to follow practices consistent with the FTC’s proven approach. These principles explain that ISPs will not sell their customers’ “sensitive” information – including financial, children’s, and health information, social security numbers, and precise geolocation data – without first obtaining the affirmative, opt-in consent of their customers. So contrary to the baseless claims of some, Congress’s repeal of the FCC’s misguided rules will not allow ISPs to sell sensitive data to the highest bidder without their customers’ knowledge or consent.
Myth. ISPs now plan to ignore consumer wishes and sell customer data collected online to advertisers for their use in trying to target more relevant marketing messages to consumers.
Reality. Wrong again. All ISPs today allow their customers to “opt out” of practices that would use or sell their non-sensitive personal data collected online to enable targeted marketing communications from third parties. This is the same policy that has long been part of the FTC’s approach to privacy protection. And it is the standard applied today to all companies collecting online data as the appropriate way to balance the consumer’s interests in protecting the privacy of his or her personal information and the value of enabling marketing messages that may be more relevant to individual Internet users.
Myth. No one knows more about your online behavior than your ISP.
Reality. Not true. A comprehensive study submitted to the FCC by a veteran Clinton and Obama Administration privacy expert showed that ISPs actually have limited – and increasingly less – insight into consumer activities and information online due to the increases in Internet encryption – approximately 70% today – and other factors. In fact, other entities collecting online data (e.g., edge providers, search engines, social media platforms, operating systems, ad networks, and data brokers), who are far less heavily regulated, see and know much more about their customers and aggressively use and monetize their data.
Myth. Any time you type something in a browser or conduct any search online – such as a child with a medical disorder seeking information or a family doing its banking – your ISP knows what you are doing online.
Reality. False. ISPs know what you type in as a top-level domain, such as www.webmd.com, because they need to get you to your online destination, but they don’t know what searches you make within an encrypted web site. And, in fact, most searches are on Google (65%), Microsoft (23%), or Yahoo (12%), which are encrypted, so ISPs cannot see them.
Myth. The Obama Administration imposed this rule because your ISPs know so much about what you are doing online.
Reality. Not true. The rule came about because of the reclassification of broadband under Title II, which deprived the FTC of jurisdiction to regulate ISP privacy as it had done successfully for decades under a sweeping privacy framework that applied to all players in the Internet ecosystem. In 2012, the Obama FTC and the Obama White House looked at the specific question whether ISPs should be treated differently than edge providers under the privacy regulations – and concluded no, reaffirming that a technology-neutral approach to privacy was best. The current problem was created because the FCC over-reached and over-regulated ISPs, while the Internet edge providers (e.g., Google and Facebook) remain under the workable FTC privacy regime. The net impact is a competitive advantage to the edge providers and no additional protection – and much confusion – for consumers.
Myth. Repeal of the FCC rules leaves consumers legally unprotected.
Reality. Wrong. Repealing the rules does not alter the underlying statutory protections under section 222 of the Communications Act. Additionally, the commitments publicly made by ISPs with respect to their privacy practices are legally enforceable in multiple ways, including by state Attorneys General.
Myth. The FCC approach – which treated ISPs differently than other online giants collecting data online – was better than the FTC’s approach of creating consistent standards of privacy protection that applied to all parties online.
Reality. The best approach to privacy protection focuses on what the consumer data is, not who is collecting it. Clear, technology-neutral privacy standards can provide consumers with consistent online protection that meets their expectations and not leave them to have to figure out who may be collecting data about them (especially since, oftentimes, it may be parties that are not visible to the consumer and with whom they have not established a customer relationship). The FCC’s rules were contrary to what consumers want – in a recent survey, 94% of consumers said they expect their data should be governed by the same rules everywhere online.
Taking Consumer Privacy Seriously
Congressional approval of a resolution to reverse the previous FCC’s misguided privacy rules has resulted in some pretty serious and mistaken claims about what ISPs can and can’t do with customer information. This is unfortunate because consumer privacy is something that our member companies have always respected and have an excellent track record of protecting.
To help debunk some of these unfortunate claims, the NCTA published the “myth vs. reality” document above that we hope will clear up many of the misconceptions. We encourage you to take a look.
How do ISPs protect consumer privacy? Nearly every ISP in America in late January reiterated their commitment to privacy principles that are based on the FTC’s successful privacy regime, which for over 20 years applied to all internet companies, and still applies to the world’s largest data collectors including Google, Facebook and Amazon.
And to further clarify how ISPs respect the privacy of their customers, see what some of our member companies have to say:
The bottom line is that ISPs are firmly committed to protecting our customers’ privacy and safeguarding their information. We value their trust and intend to keep it.