T-Mobile to Sell US Customers’ Web Usage Data on Opt-Out Basis
Telecoms giant will start selling information about how customers use the web and what apps are on their phones unless they opt out.
In the previous edition of Data Protection, I recommended reading the New York Times editorial on opt-in consent: America, Your Privacy Settings Are All Wrong.
This piece argued that the U.S. should be enacting a privacy law with an “opt-in” model of consent. It suggests that Virginia and California have missed this opportunity with recent legislation.
This same week, T-Mobile announced that it will start selling U.S. customers’ data on an opt-out basis, starting on 26 April.
The NYT’s editorial has been getting a lot of pushback from U.S. readers — much of which is well-founded, arguing for a more principles-led, “data fiduciary” role for businesses.
For my part, I think opt-in consent still plays a role in data protection, and I think criticizing states for choosing “opt-out” models is valid. On Monday, I defended the concept of opt-in consent in a LinkedIn article, In Defence of the NYT’s Opt-In Consent Editorial.
The T-Mobile case is an example of where opt-in consent would have worked well.
The company will use information including “web and device usage data” (which includes information about the apps installed on people’s phones) to target first and third-party ads.
Customers can opt out, but some say the process is difficult. Here’s Harvard researcher Elettra Bietti describing her attempt:
https://twitter.com/Elibietti/status/1369671861446062085
Bietti, incidentally, makes an excellent case for moving beyond a “notice and consent” model of privacy law.
In the U.S., ISPs are allowed to sell their customers’ browsing history (thanks in part to the Trump administration, which killed the FCC’s broadband rules in 2017).
Short of banning this practice altogether, states passing privacy laws can help protect their citizens’ privacy by prohibiting the sale of all personal information without opt-in consent.
In fact, Virginia’s new state privacy law does prohibit the sharing or sale of “sensitive personal information” without opt-in consent. Sensitive personal information includes people’s “precise geolocation.”
T-Mobile’s new policy, as it happens, doesn’t apply to “precise location data”:
A couple of things that are not changing — We do not use or share… precise location data for advertising unless you give us your express permission…
Perhaps if opt-in consent applied to the sale of other types of data — even in just a few states — T-Mobile customers’ web usage data might have been spared.
