Consumer advocate groups--Public Knowledge, Consumer Watchdog, Center for Digital Democracy, Consumer Action, TURN-The Utility Reform Network and Consumer Federation of America—recently filed a complaint with the Federal Trade Commission and a petition with the Federal Communications Commission against AT&T, Cablevision, and Comcast, citing privacy-related offenses. The FTC complaint notes the companies’ failure to adequately disclose the extent of their consumer data use and sharing, arguing that their use of customer data without appropriate disclosures and without opt-in consent amounts to an “unfair and deceptive” practice in violation of the Federal Trade Commission Act. The FCC petition, on the other hand, asserts that the cable and satellite providers fail to adequately obtain customer consent prior to collection and use of such data, in violation of federal law.
What’s the Issue?
According to the advocate groups, the noted cable companies’ data collection and sharing practices violate applicable law. Notably, the groups cite AT&T’s aggregation and analysis of data from millions of set-top boxes and its sharing of this data with advertising partners. Additionally, the advocate groups allege that Cablevision collects granular data and precise details of household viewing behavior, and combines this data with third-party data that is used to better target individuals with video advertising. Further, Comcast has acquired Visible World and This Technology, which has allowed Comcast to compile customer data to boost its targeted advertising.
In a recent press release, Dallas Harris, Policy Fellow at one of the complaining consumer advocate groups, stated that the “cable industry has tried to play the FTC and the FCC against one another on privacy. As this filing shows, the more privacy cops on the beat, the better protected consumers will be.” With these filings, the advocacy groups are pushing the FCC to ensure that cable operators obtain appropriate consent before using personal data, and pushing the FTC to ensure that cable operators provide necessary information about their data practices, including how they collect and use consumer information.
The filings note that AT&T, Cablevision, and Comcast allow consumers to opt out of the use of their PII, but the consumer advocate groups argue that federal privacy law requires these companies to obtain consumers’ written or electronic consent before collecting or using their data for advertising purposes. Specifically, the consumer advocate groups point to the FCC’s rules applicable to telecommunications services and the prohibition on sharing customer proprietary network information (CPNI) with third parties for advertising purposes in the absence of opt-in consent. In their FCC petition, the groups asserted that from “the consumer’s perspective, there is no distinction between the collection of PII by telecommunications carriers regulated under [the FCC’s CPNI rules] and cable operators.” Notably, the FCC is actively engaged in a separate rulemaking proceeding related to the privacy of customers of broadband internet access service, and it is considering to expand the scope of its CPNI rules to cover such services.
What’s the Takeaway?
As organizations escalate their personal data collection and use, their privacy-related risks also increase. This highlights the importance of keeping track of evolving privacy requirements, particularly those surrounding individual consent and disclosures, as illustrated by the complaints discussed here. Cable, broadband and telecommunications companies operating in the US, in particular, are finding themselves in the challenging position of navigating both the FTC’s and the FCC’s privacy regimes, which have been observed to clash at times. Regardless of whether an organization falls under FTC jurisdiction, FCC jurisdiction, or both, this much is clear: regulators here in the US and abroad are increasingly showing interest in policing the privacy arena. Given this, it is critical for today’s data-handling organizations to pay attention to, understand, and proactively tackle, their privacy obligations.