Skip to main content

The FTC just released a report based on data received from major players in the mobile Internet market and A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers is an eye opener. According to the FTC, several Internet service providers collect and share far more personal data than their customers expect while failing to give customers meaningful choice about how that data can be used.

Under Section 6(b) of the FTC Act, the agency may require companies to file “reports or answers in writing to specific questions” about their business practices. In 2019 the orders went to six ISPs that make up about 98% of the mobile Internet market:

  • AT&T Mobility,
  • Cellco Partnership (Verizon Wireless),
  • Charter Communications Operating,
  • Comcast Cable Communications (Xfinity),
  • T-Mobile US, and
  • Google Fiber.

The FTC also sent 6(b) orders to three advertising companies affiliated with those ISPs: AT&T’s Appnexus (now Xandr), Verizon’s Verizon Online, and Oath Americas (now Verizon Media).

You’ll want to read the entire report for more about data collection and privacy practices, but here are just a few observations that merit closer consideration:

Many ISPs amass large pools of sensitive consumer data. Several ISPs and affiliates collect significant amounts of consumer information across a broad range of products. Add to that the fact that people are using so many other services that depend on their Internet access – for example, home security and automation, video streaming, content creation, advertising, email, search, wearables, and connected cars. The result is the collection of detailed data about individual subscribers. When combined with even more information from third party data brokers, those ISPs are able to draw highly specific insights and inferences not just about subscribers, but about their families and households, too.

Several ISPs in the study gather and use data in ways consumers don’t expect and could cause them harm. Consumers may expect ISPs to collect certain information about the sites they visit as part of the task of providing internet service, but it goes way beyond that. Many ISPs in the study also collect and combine other highly sensitive data – browsing information, TV viewing history, contents of email and search, data from connected devices, location information, and data about race and ethnicity, to name just a few categories. That raises the specter of how that information could be used for discriminatory or other harmful purposes.

Although many ISPs in the study purport to offer consumers choices, those choices are often illusory. Several ISPs in the study claim to offer choices about data collection, but how clearly do they explain that to their subscribers? And to what extent do those ISPs nudge people toward sharing more data?

Many ISPs in the study can be at least as privacy-intrusive as large advertising platforms. Despite ISPs’ relative size in a market dominated by Google, Facebook, and Amazon, the privacy implications of ISPs are amplified. Four reasons suggest why: 1) Many ISPs have access to 100% of consumers’ unencrypted internet traffic; 2) many ISPs can verify the identity of their subscribers; 3) several ISPs can track consumers across websites and geographic locations; and 4) a significant number of ISPs can combine subscribers’ browsing and viewing history with large amounts of other information they get from additional Internet-dependent products, services, and features they offer.

Read A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers for key details.


It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

More from the Business Blog

Get Business Blog updates