Excerpt of letter:
We respectfully request that you provide a written response to the following questions:
1. Do you obtain affirmative opt-in consent to use, share, or sell any of the following information: web browsing history, app usage history, the content of communications, children’s information, health information, financial information, geo-location, and Social Security numbers? If yes, please detail your policy. If no, why not? If no, please disclose what information you are sharing and selling and with whom you are sharing or selling that information.
2. Do you provide consumers opt-out control over their information? If yes, for what types of information and please detail your policy. If no, why not?
3. Do you maintain information or data related to former subscribers? If yes, what information do you keep, how is it maintained, and is it minimized? What are your data security and privacy policies for the data and personal information of former subscribers?
4. Do you make “take-it-or-leave-it” offerings, where consumers are refused internet service if they do not permit their information to be used, shared, or sold? If yes, why? When updating privacy policies, must current subscribers agree to the new terms in order to continue service? Would a consumer be forced to pay a termination fee if service is denied for refusing to agree to new privacy or data collection terms? Please detail your policy.
5. Do you make “pay for privacy” offerings, where consumers could be required to pay an additional amount to protect their privacy or receive compensation for declining to protect their privacy? Please detail your policy.
6. Do you notify customers at the point-of-sale, before purchase, of the types of information collected, how and for what purposes you use and share this information, and with whom that information is shared or sold? If yes, please detail your policy. If no, why not?
7. Do you develop and adhere to reasonable data security practices sufficient to protect the information you collect about your subscribers? If yes, please detail your policy. If no, why not?
8. Do you notify customers within 30 days if their information has been breached or accessed by unauthorized parties? Do you also alert customers to any mitigating action they should take? Do you provide free services to mitigate the impacts of a breach, such as free credit monitoring service? If yes, please detail your policy. If no, why not?
9. Do you practice strong de-identification or anonymization, such that de-identified personal information cannot be reasonably linkable to a person or device? If yes, please explain your process for de-identifying data. If no, why not?
10. Do you prohibit third parties with whom you share or sell consumers’ sensitive information from re-identifying de-identified information? If yes, please detail your policy. If no, why not?
11. Do you refuse to serve a customer who does not agree to mandatory arbitration clauses? If yes, why? Please detail your policy.
12. Do you notify customers when you make material changes to your privacy policies? If yes, please detail your policy. If no, why not?
13. Do you have a clear, user-friendly, easily accessible, and responsive complaint process for consumers who have evidence or reason to believe their privacy has been violated? If yes, please detail your policy. If no, why not?
14. Many ISPs retain so called “netflow” records, related to their customers’ internet usage. Do you retain netflow records for your customers’ web browsing activity? If so, for how long do you retain them? Will you disclose netflow records pursuant to a National Security Letter, or only court orders?
15. Under Section 222 of the Communications Act, carriers may not disclose subscriber location information without the “express prior authorization of the customer”. Over each of the last three years, how many times did your company disclose to third parties individually identifiable customer location data or other Customer Proprietary Network Information with a customer’s express prior authorization? Does your company obtain the consent from the subscriber directly? If not, and the third party obtains the consent (or claims they do), do you request or retain a copy of documentation showing that the customer provided such consent?
16. Please detail any changes you have made to your privacy policy or practices since the President signed the broadband privacy CRA into law.
Thank you for your attention to this important matter. We respectfully request that you provide a written response by May 1, 2017.
https://www.leahy.senate.gov/press/leahy-sanders-and-other-senators-query-major-broadband-providers-about-privacy-rules
= new reply since forum marked as read
