CPNI Fail


AT&T just sent me an email that violates federal law.

I’m an AT&T wireless customer. This means that AT&T has access to lots of information about how much I use my phone, what numbers I call, and how much they charge me for it. This information is called “customer proprietary network information” (or “CPNI”) in telecommunications law, and the FCC has issued rules to protect users’ privacy in it.

AT&T would like to charge me even more by selling me more services. It thinks that it can make better-targeted offers by looking through my CPNI. The FCC rules allow AT&T to do this. They don’t even require AT&T to get my affirmative consent first. All they require is that AT&T give me notice and the ability to opt out. So AT&T sent me an email yesterday with the required notice. It explains what CPNI is in stilted and legalistic prose, gives instructions for opting out, and says that I have 33 days to do so.

There’s just one problem: the opt-out doesn’t work. Here’s what the email says:

If at any time you would prefer that AT&T not use your CPNI to offer you additional products and services, you may:

Click here to submit your request electronically
Call 1.800.315.8303 24 hours a day, 7 days a week and follow the prompts
Call 1.800.288.2020 and speak to a service representative

“Here” is a hyperlink. Clicking on it loads the webpage

http://clicks.att.com/OCT/eTrac?EMAIL_ID=1547226065&finalURL=http://www.att.com/ecpnioptout

This is a simple click-tracker. The AT&T website is designed to record the fact that I clicked on a link in this email, then redirect me to the finalURL at

http://www.att.com/ecpnioptout

And indeed that webpage is a form to opt out of having my CPNI used for marketing. When I click on the link in the email, though, I don’t end up at the form. I end up at the main AT&T webpage, i.e.:

https://www.att.com/

In other words, AT&T’s click-tracker is broken. It doesn’t properly redirect users to the intended webpage. But this means that the online opt-out is broken: clicking “here” does nothing. I’m sure that some AT&T subscribers clicked that link to opt out and assumed they were done. This is a violation of the FCC CPNI rules. They require that the notice “must advise the customer of the precise steps the customer must take in order to grant or deny access to CPNI.” Telling a customer to click on a non-working link is a clear failure to advise the customer of the precise steps required.
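A check of the kind that would have caught this before the notice went out, written here as an added example and not code from the post or from AT&T: it pulls the finalURL the tracker promises from the link’s query string, follows the redirect chain, and reports whether the landing page is that URL. The redirect table is constructed to mirror the behaviour described above and stands in for live HTTP requests.

```python
# Added example (not from the post): verify that a tracked opt-out link
# actually lands on the finalURL named in its query string.
from urllib.parse import urlparse, parse_qs

# The opt-out link quoted in the post.
TRACKING_LINK = ("http://clicks.att.com/OCT/eTrac?EMAIL_ID=1547226065"
                 "&finalURL=http://www.att.com/ecpnioptout")

# Constructed redirect table standing in for live HTTP responses: each URL
# maps to the Location its server answers with (None = final page, no redirect).
# The tracker entry reproduces the broken behaviour the post describes.
FAKE_REDIRECTS = {
    TRACKING_LINK: "https://www.att.com/",
    "https://www.att.com/": None,
    "http://www.att.com/ecpnioptout": None,
}

def intended_target(tracking_url):
    """Return the finalURL parameter the click-tracker promises to redirect to."""
    params = parse_qs(urlparse(tracking_url).query)
    return params.get("finalURL", [None])[0]

def normalize(url):
    """Compare on host and path only: an http->https upgrade or a trailing slash is not a failure."""
    p = urlparse(url)
    return (p.netloc.lower(), p.path.rstrip("/") or "/")

def follow(url, redirects, max_hops=10):
    """Follow redirect hops until a final page is reached; guard against loops."""
    seen = []
    for _ in range(max_hops):
        seen.append(url)
        nxt = redirects.get(url)  # hypothetical lookup in place of an HTTP GET
        if nxt is None:
            return url, seen
        url = nxt
    raise RuntimeError("redirect loop or too many hops: %r" % seen)

def check_opt_out_link(tracking_url, redirects=FAKE_REDIRECTS):
    """Return (ok, landing_url, intended_url); ok only if the chain ends on finalURL."""
    intended = intended_target(tracking_url)
    if intended is None:
        return False, None, None
    landing, _ = follow(tracking_url, redirects)
    return normalize(landing) == normalize(intended), landing, intended

if __name__ == "__main__":
    ok, landing, intended = check_opt_out_link(TRACKING_LINK)
    print("opt-out link", "works" if ok else "BROKEN",
          "- landed at", landing, "but notice promised", intended)
```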

(Sidenote: The CPNI rules also say, “Carriers must allow customers to reply directly to e-mails containing CPNI notices in order to opt-out.” But the email from AT&T says, “PLEASE DO NOT REPLY TO THIS MESSAGE All replies are automatically deleted. For questions regarding this message, refer to the contact information listed above.” Make that two violations in one email.)

This would have been easy to get right. AT&T didn’t have to use a click-tracker; it could have embedded the final URL in the message rather than using a redirection. The reason to track clicks is that it allows AT&T to collect more information about its subscribers: which emails do they read and respond to? In other words, the corporate instinct to gather data, hoard it, and use it for marketing—the same instinct that led AT&T to want to use my CPNI in the first place—led directly to the violation. AT&T may say that “[t]he protection of our customers’ privacy is of utmost importance to the employees and management of the AT&T family of companies” but its actions show just what it thinks of privacy. It can’t stop grasping for information, even when trying to comply with a rule that limits the information it is allowed to use.


So what happens now? Can you send them an oogyboogy letter telling them they are in violation? Can you get damages? What is the process for making these broken processes into functional processes? I am fascinated by how many laws/standards get broken by what is probably well-intentioned but ultimately clueless coding/programming mistakes. In my line of work it’s often section 508 and ADA compliance, but still….


James your email is filtering us as spam.


Which address are you using?


usual one… artwork ‘a’ aapt net au