Cross-Device Privacy Must be Protected by FCC Proposed Rule on Broadband ISPs

 ... ISPs are engaged in cross-device tracking of its subscribers and customers which allow them to target advertising at the individual and household level.  Exemplary for all ISPs, we are highlighting AT&T’s efforts in this area.  AT&T is expanding its cross-device tracking in order to target individuals on their mobile device after collecting and analyzing their data using the company's internal data and analytics capabilities.   In a recent interview, AT&T AdWorks President Rick Welday explained that by the end of this year AT&T will allow marketers to “advertise in 14 million addressable households, 30 million mobile devices and millions of streams within the DirecTV app.”

While AT&T may claim that its cross-device tracking is done “anonymously,” that is merely a euphemism to obscure the invasion of privacy that underlies such practices. Mr. Welday explains that AT&T’s data-driven monitoring of its customers enables it to develop dossiers that reveal whether their users are a new homeowner, a new parent, or in the market for an automobile.  In its trials with cross-device targeting, AT&T worked with leading Fortune 100 brands as well as promoting its own “AT&T Mobility Wireless” service. The Fortune 100 companies that AT&T worked with likely provided their own so-called first-party data to be used for such cross-device targeting. This illustrates the operational realities today for consumer profiling data, where data are no longer shared with advertisers, but rather advertisers provide such data to ad-delivery platforms (such as AT&T's) for increasingly granular targeting.[3]

Linking devices (and the application history on and geolocation on of those devices) to a particular consumer via a unique identifier should be prohibited, unless the ISP has obtained affirmative, express consent (opt-in). The rule’s definition of ‘sensitive information’ must therefore reflect industry practices and include any data elements that allow for this kind of cross-device tracking. The final rule must give ISP customers control over their data, and before companies can proceed with targeted advertising, they must obtain an opt-in consent from their customers. We are particularly concerned that without such safeguards the rules would allow for a by-passing of requirements of the Children’s Online Privacy Protection Act, by using insights gained via cross device tracking to target children without parental consent.

 Finally, we urge the Commission to affirm in its final rule the need for safeguards against any unauthorized attempts to re-link devices (and its app usage history and geolocation information) to associate them with one user.

CDD respectfully urges the FCC to enact its proposed safeguards as soon as possible to help address the further eroding of Americans’ privacy by ISPs.