Rapid changes in technology have made protecting consumer privacy increasingly challenging. Telecommunications and utility companies are able to collect and maintain detailed usage information about their customers. This includes detailed usage histories that allow behavioral profiling as well as geolocation data from wireless phones. The information is valuable to third-party companies seeking to build detailed consumer profiles. This provides an incentive to sell the data, which in turn raises serious privacy concerns (see also Chapter 11, Financial Services and Consumer Products—Information Privacy; and Chapter 7: Health—Health Information Technology).
PRIVACY PROTECTIONS IN THE USE OF TELECOMMUNICATION AND UTILITY SERVICES: Policy
Policymakers should ensure that customers’ personal data are secured against unauthorized access, use, or disclosure. This includes information on usage, billing, and payments. A consumer should not have to opt into these protections (see also Chapter 11, Financial Services and Consumer Products—Digital Privacy). Consumers should have a right to redress when their personal data are misused.
Federal policymakers should require telecommunications and utility companies to provide consumers with the opportunity to determine whether their non-publicly available and personally identifiable information should be used or disclosed for purposes other than those for which the information was originally provided.
- require telecommunications and utility companies to protect a customer’s usage, billing, payment, and other personal data from disclosure unless it has been authorized by the customer or is necessary to provide services the customer has requested;
- ensure that consumers are informed about easily accessible and usable avenues for redress if their personal information is inappropriately disclosed or used and that they have the right to correct the listing of their personal information if it is false or inaccurate; and
- establish rules to specify the procedures by which customers can provide authorization for disclosures and be informed of their privacy rights.
Policymakers should build strong privacy protections into any system design prior to deployment to ensure that:
- privacy of customer information is the default setting;
- data collection is limited to only what is necessary for operations, and data are retained only for as long as necessary;
- privacy protections exist throughout the entire life cycle of any personal information collected; and
- affirmative consent from customers is obtained before utilities disclose personally identifiable data to affiliates or third parties for purposes other than account management and billing, and that third parties agree to maintain the same level of privacy of customer data.
Policymakers should develop standards protecting the privacy of mobile device users, including with respect to the collection, transfer, use, and disposal of location data gathered through mobile devices (see also Chapter 11, Financial Services and Consumer Products—Security of Connected Devices).
Privacy disclosures in utility services
Privacy disclosures for utility services should be transparent and understandable. Privacy disclosures should use plain, easily accessible language. Those delivered via mobile devices should be short, meaningful, and easily accessible on smaller screens.