The Arizona Democratic Party is putting Republican Congresswoman Martha McSally under the spotlight as a national conversation unfolds about internet privacy and the unauthorized sharing of user data.
"Congresswoman Martha McSally voted to let companies sell your internet data to the highest bidder without your consent. Then she got paid $42,000 by the very corporations she allowed to sell your personal info," claimed the Arizona Democratic Party on a marthamcsally.forsale website.
The website lists different types of personal information "exposed by Rep. McSally," including Social Security number, credit card numbers, children’s information, smartphone app data and internet browsing history.
McSally is vying for the Senate seat vacated by Sen. Jeff Flake, who is retiring when his term ends early January 2019. Other Republicans also running are Sheriff Joe Arpaio and former Arizona state senator Kelli Ward. The primary election is Aug. 28.
Did McSally vote "to let companies sell" internet data without users’ consent and "got paid $42,000" by the corporations allowed to sell such data? The Arizona Democratic Party’s claim has some elements of truth, but it ignores critical facts that would give a different impression.
McSally voted to repeal internet data rules that had not taken effect. Her vote was not "to let" companies sell data (they were already legally allowed to do that); it was to halt new rules requiring companies to seek users’ explicit consent before doing so.
Companies don’t generally sell internet data, they rather sell access to users by allowing advertisers to target specific demographics, telecommunications experts told PolitiFact.
McSally "got paid $42,000" by corporations allowed to sell users’ personal information? The Arizona Democratic Party bases this claim on campaign contributions McSally received after the March 28 vote. Federal Election Commission data shows that political action committees for telecommunications companies and their employees donated about $42,000 to McSally’s campaign or an affiliated political action committee.
McSally’s campaign spokeswoman Torunn Sinclair called the Arizona Democratic Party’s claim "absurd and offensive."
"This rule favored organizations like Facebook. It gave them more access to data than other companies, and did nothing to protect Arizonans' information from them," Sinclair said.
Congress, including McSally, in March 2017 voted to get rid of internet privacy rules the Federal Communications Commission created during the Obama administration. They were scheduled to take effect December 2017 under the Trump administration.
The rules were intended to give consumers more control over how internet service providers (ISPs), such as Verizon or Comcast, used their data. They required ISPs to obtain explicit information from their customers before using and sharing their web browsing history and other "sensitive information," such as Social Security numbers, precise geolocation data and financial or health information. (Facebook is not an ISP, so the new rules didn’t apply to Facebook.)
Arizona’s Flake challenged the rules under the Congressional Review Act of 1996, arguing that Obama’s FCC went too far and that internet privacy issues have been under the FTC’s purview, not the FCC’s.
The vote removed the FCC’s authority to regulate the sale of consumer data, said Nicol Turner Lee, a fellow at the Center for Technology Innovation at Brookings Institution.
This part of Arizona Democratic Party’s claim ignores several key facts. Before the vote, companies were already legally allowed to sell internet data, but were not doing so to begin with, experts said.
"The new privacy rules for broadband internet access service providers hadn’t gone into effect so, practically speaking, data collection practices remained the same," said Brent Skorup, a senior research fellow in the Technology Policy Program at the Mercatus Center at George Mason University.
The main issue involved "de-identified" browsing data (data that cannot reasonably be linked to a particular consumer, computer, or device) and whether it was considered sensitive when broadband internet access service providers had it, Skorup said.
"The Obama FTC in 2012 said no, de-identified browsing data isn’t sensitive; the Obama FCC in 2016 said yes, it is sensitive," Skorup said. "Congresswoman McSally’s vote was, effectively, a vote to restore the Obama FTC’s privacy policies and halt the Obama FCC’s proposed policies."
Skorup emphasized that ISPs cannot and could not collect sensitive user data — such as health information, financial information, children’s information, Social Security numbers, and geolocation information — without express consumer consent.
The vote caused Americans to lose whatever potential privacy rights they would have and should’ve had, said Jeff Chester, executive director of the Center for Digital Democracy, a nonprofit advocating for consumers on digital privacy and consumer protection issues.
Yet internet service providers aren’t selling or giving users’ data to advertisers, Chester said. They keep the data and use it to deliver targeted ads, he said.
"It’s not about selling your data, it’s about selling access to you," Chester said.
Information generally isn’t sold by ISPs, but rather those seeking to advertise could go to ISPs with a demographic they are hoping to target, and ISPs could then use either aggregate or otherwise anonymized data to send advertisements to the right groups of people, said Doug Brake, director of telecom policy at Information Technology and Innovation Foundation, a nonpartisan think tank.
"The FTC has detailed guidelines on the types of consent that are necessary for different types of data, with more sensitive data requiring express opt-in consent. … From what we know, ISP policies are all consistent with FTC guidelines, and they remained in place through the passing and repeal of the Obama-era FCC rules," Brake said.
(Cox Communications and other internet providers, issued statements after the vote saying they do not sell personally identifiable information or web browsing history.)
The Arizona Democratic Party based this claim on contributions made after the March vote to McSally’s campaign by political action committees tied to telecommunications companies and their employees. (Federal law generally prohibits corporations from making contributions to candidates for federal offices.)
The Arizona Democratic Party pointed to a March National Journal article citing data from the Center for Responsive Politics, which tracks campaign finance data at OpenSecrets.org.
"Over the course of her career, McSally has taken nearly $100,000 in campaign contributions from sources such as AT&T, Verizon, and Cox Communications, all of whom provide internet services," the article said.
Specifically after the vote, Federal Election Commission filings show McSally received $37,000 in such contributions and that Comcast contributed an additional $5,000 to a political action committee affiliated with McSally, the National Journal reported.
Contributors to McSally for Congress since the March vote include Cox Enterprises PAC, Verizon Communications Inc. Political Action Committee, and Comcast Corporation & NBCUniversal Political Action Committee.
The Arizona Democratic Party launched a website that claimed, "Congresswoman Martha McSally voted to let companies sell your internet data to the highest bidder without your consent. Then she got paid $42,000 by the very corporations she allowed to sell your personal info."
McSally’s vote did not allow companies to sell internet data — that was already legally allowed. Still, experts said companies generally don’t sell data to third parties such as advertisers, rather use the data to deliver companies’ ads. McSally’s campaign received about $42,000 after the March vote from political action committees tied to telecommunications companies. McSally also received contributions from those groups prior to the vote.
We rate Arizona Democratic Party’s statement Mostly False.