Facebook had a rough month so far, taking an utter beating from users, Congress and the press over dubious data practices which allowed data mining company Cambridge Analytica to exploit user information for political gain.
Mixed in with the other voices in the outcry are those of US ISPs, including wireless giants AT&T and Verizon, and cable company Charter Communications. With Facebook pegged as villain of the moment, these companies decried a lack of privacy regulation and sought to position themselves on consumers’ side.
USTelecom, an industry organisation which counts AT&T and Verizon among its members, issued a blog post touting ISPs’ “longstanding, pro-consumer privacy practices” and volunteered its principles to inform Congressional efforts to pass privacy legislation.
Meanwhile, Charter Communications CEO Tom Rutledge came out with a post of his own, urging Congress to establish privacy laws that apply to all players across the internet ecosystem, including providers, apps, browsers and advertisers.
But some of these companies have engaged in privacy violations similar to those Facebook is accused of, such as tracking user activity across the internet.
For instance, in May 2016, Verizon paid the Federal Communications Commission (FCC) $1.35 million to settle an investigation into the operator’s use of so-called “supercookies”, or undeletable identifiers which tracked the pages visited by phones on its network to aid third-party ad targeting. As with some of the complaints against Facebook, users impacted by the Verizon campaign weren’t given the choice to opt-out of the tracking programme for more than two years.
These operators also fought hard against certain consumer privacy protections in the past.
The same year the Verizon settlement occurred, the FCC implemented privacy protections for consumers requiring opt-in consent to collect certain user data. Verizon and AT&T were at the helm of opposition to those rules, not only resisting their passage but also lobbying energetically for their repeal. The operators ultimately won in April 2017, when Congress and US President Donald Trump passed legislation to roll back the FCC’s requirements.
One of providers’ main complaints about the scrapped regulations was that the rules only applied to ISPs and not to other ecosystem players such as Google or Facebook.
What operators really want
So what kind of privacy protections are US operators actually on board with?
AT&T, T-Mobile US and Verizon dropped a hint in February 2017, when they signed on to adhere to privacy principles based on Federal Trade Commission guidelines. Those include: providing transparency for consumers about what data is collected, how it’s used, and what is shared with third parties; secure protection of the data gathered; and timely notifications if a breach occurs.
But rather than springing for an opt-in requirement to share data – which is viewed as a higher privacy standard – US operators instead committed to offer consumers an opt-out choice for use of their non-sensitive data for third-party marketing and implied consent for use of their information for actions such as service fulfilment, market research and network management.
As evidenced by Verizon and AT&T’s objections to the FCC rules, and Charter Communications’ most recent proposal, operators also want an even playing field. If there are going to be rules, they want them to apply to everyone, including Facebook, Google and advertisers.
But it remains to be seen whether they’ll get their way.
The European Union is soon to adopt the General Data Protection Regulation (GDPR) measure, applicable to businesses which operate or have customers in Europe, which includes stronger consent requirements, swifter breach reporting and steep fines for violations. It’s unclear, however, whether US lawmakers will follow suit passing similar regulations.
With Facebook in the headlines, the US legislative spotlight seems to be centred squarely on edge-providers. Proposed new legislation introduced in the Senate would require internet companies including Google and Facebook to obtain opt-in consent to use or share user data, but would notably exclude ISPs from the requirement.
However, a bill introduced in May 2017, which would require both edge providers and ISPs to obtain opt-in consent, remains on the table in the House of Representatives.
The editorial views expressed in this article are solely those of the author and will not necessarily reflect the views of the GSMA, its Members or Associate Members.