Privacy

Issue Summary

In an increasingly sophisticated data environment, consumers expect companies to safeguard their personal data and manage it responsibly. Businesses must have policies and processes in place to control and protect the collection, processing and sharing of consumer data while responsibly using that data to innovate and improve products and services.

At AT&T, we have a fundamental commitment to safeguard consumer and employee personal data while offering meaningful choice and transparency. We maintain our commitment through our principles of transparency, security, choice and control, and integrity.

Our Actions & Impacts

In 2022, AT&T took the following actions related to privacy:

We expanded the privacy choices offered to customers and updated our Privacy Policy to align with several new state privacy laws. Specifically, we extended the ability to access or delete personal information or request that we not sell data. These options are available to all U.S. consumers, not solely in states where offering these privacy choices is required. In addition, we began offering all U.S. consumers the ability to submit a correction request, appeal a privacy decision we made in response to privacy requests and transfer their data by requesting an access report in a portable format. We also launched a new course for employees to educate them about the updated privacy choices available to customers and courses on multiple domestic privacy laws.
To further equip customers with the tools to control their privacy choices, we launched a new portal to make it easier for consumers to make their consent elections in one dashboard and a new tool to opt out of email marketing. We also featured the AT&T ActiveArmor^SM mobile security app on our Privacy Center to help customers view all their privacy and security resources in one platform. This free app helps customers block spam calls, secure their personal data and more.

Principles & Policies

Our global privacy program is based on the following principles:

Transparency: We’re open and honest about how we use your data.
Security: We use strong safeguards to keep your data confidential and secure.
Choice and control: We give you choices about how we use your data.
Integrity: We do what we say.

Several policies guide our privacy commitments. These include:

Code of Business Conduct: All AT&T employees are responsible for reviewing and adhering to the AT&T Code of Business Conduct, which codifies our core values and lays out the guidelines for how we do business, operate and interact with consumers, suppliers, communities and each other.
AT&T Privacy Policy: Our Privacy Policy explains how we use customer information and keep it safe. It also outlines the choices customers can make at any time about how their information is used. This policy is available in the AT&T Privacy Center.
- The Global Approach section details our compliance with regulations in geographic areas throughout the world. We have identified common elements of numerous privacy laws and extended these to support our products and services around the world. We also account for unique, additional or variant aspects of the laws of each country in which we offer services.
- In 2022, we updated our Privacy Policy to align with several new state privacy laws and to make it easier for customers to choose whether they want to participate in our advertising programs.
Other Policies: Other privacy and security policies that support our core values include the AT&T Security Policy & Requirements and internal privacy guidelines based on privacy-by-design principles. For more information, please visit our Network & Data Security issue brief.

Governance

We have several governance processes in place to manage our privacy program, including:

Technical Review: We incorporate privacy considerations into the development of new services and capabilities. When necessary, AT&T’s Chief Data Office and/or external technical experts review our advanced privacy protections. Their expertise in data de-identification and other key topics helps AT&T set privacy-related guardrails that have a scientific and mathematical foundation.
Performance Evaluation: AT&T has responsiveness targets and assesses our performance based on timely responses to privacy requests. In addition, we test the effectiveness of our privacy controls to help us proactively identify and address any potential weaknesses.
Risk Assessments: Our compliance oversight team conducts an annual risk assessment of the company’s operations relative to privacy control effectiveness and maturity. For more information, please visit our Ethics & Integrity issue brief.
Executive Leadership Updates: The Chief Privacy Officer and Chief Compliance Officer update executive leadership and the AT&T Board of Directors on an ongoing basis about privacy-related topics by presenting to committees of the Board of Directors, such as the Governance and Policy Committee and Audit Committee.
Oversight: The AT&T Chief Privacy Officer reports to the AT&T Chief Compliance Officer and is responsible for ensuring all of the company’s operations adhere to AT&T’s privacy principles, policies and commitments. The Chief Privacy Officer oversees the Chief Privacy Office (CPO) within AT&T.

Chief Privacy Office

The CPO oversees and implements privacy compliance programs in accordance with evolving international, federal and state legislation. Its purview covers:

Consumer Transparency: The CPO sets requirements and provides oversight to ensure that consumers can exercise their individual rights under applicable privacy laws. This includes compliance with regional consumer privacy regulations like the General Data Protection Regulation in Europe and the California Privacy Rights Act among other new comprehensive state privacy laws. See our Privacy Center, where we provide all consumers with their privacy choices, notices and more information.
Privacy Updates: When new privacy laws are enacted, the CPO works with the business to evaluate whether and how to update affected privacy disclosures, notices and policies. The CPO also partners with the business to provide employee training and awareness about these new laws.
Reviews: The CPO verifies the accuracy of our policies on an ongoing basis by consulting with the business regularly about our representations regarding our collection, use and sharing of consumer data. Similarly, the CPO reviews data use cases submitted by the various business teams to analyze and approve such collection, use, sharing and processing of data to ensure they conform to our privacy policies, regulations and principals before proceeding with projects.
Collaboration: The CPO works with the business to address new and emerging issues in technology and data privacy. For example, AT&T developed and implemented operating guidelines in support of our AI Principles , biometrics, sensitive data and de-identification standards for data usage, which highlights our commitment to the ethical and safe use of data.

Incident Response

While we work hard to protect and safeguard the privacy of consumer and employee information, like all companies, we occasionally confront attempts to gain unauthorized access to our customers’ or employees’ data. We have created an action plan to help us to respond swiftly to these situations:

Oversight: Our Corporate Compliance Office oversees periodic testing of our incident response plans in partnership with stakeholders such as the AT&T Chief Security Office.
Action: The AT&T Incident Response team follows a carefully designed governance structure and response process, investigating suspected breaches and evaluating their potential impact. If we determine that a data breach has occurred, we notify affected consumers and authorities as required by applicable law. We test the incident response process through tabletop exercises to identify improvements, and we work to remain informed about current laws and regulations impacting data privacy so our response process remains compliant.

Employee Training

Our training and awareness programs provide consumer-facing employees the resources they need to support the company’s compliance with all privacy laws. Elements include:

Web Portal: AT&T’s primary training web portal features a hub focused on providing privacy training communications, news, courses and collateral available to all employees across the enterprise on an ongoing basis. This portal also contains resource materials for our business teams, including items such as consent flow diagrams, to assist AT&T workers with understanding the consumer consent requirements under new state privacy laws.
Training: Privacy and security trainings are provided to employees as appropriate. Our annual Ethics@Work compliance training, required for U.S.-based employees, helps to ensure employee awareness of our privacy program.
Awareness Initiatives: Our internal awareness initiatives include a full slate of programs and activities throughout the year. We require employees to complete privacy-specific courses for both domestic and international requirements of our compliance program.

Children's Privacy

AT&T supports and complies with the Children's Online Privacy Protection Act (COPPA) and other laws governing the collection and handling of children’s data. Our approach to children’s privacy includes the following:

Information Collection: On most websites, we do not knowingly collect personally identifiable information from anyone under the age of 13. As defined by COPPA law, personal information may include name, home address, telephone number, username and more. When we do collect a child’s information, we do so in accordance with a legally permitted purpose or exception, or after first obtaining permission from the child’s parent or legal guardian.
Responsible Marketing: Unless we have consent from a parent or legal guardian, we will not knowingly contact a child under the age of 13 for targeted marketing purposes. For more details on how we address children’s privacy, see our AT&T Privacy Policy, in the “Information specific to children” section
Enforcement: We take our responsibility seriously. Failure of AT&T employees to comply with our policies and guidelines governing data use and collection may result in discipline up to and including termination.

Transparency

Consumers can access information on our approach to privacy and data use, along with links to privacy choices and security tips, through the AT&T Privacy Center and AT&T Mexico Comprehensive Privacy Notice. In addition, privacy policies for AT&T’s apps and services are accessible within the apps and on the services’ websites. Through these policies, consumers can learn about their choices for opting out of certain data collection and marketing programs, such as behavioral advertising. Our approach to transparency includes:

Policy Updates & Questions: When we update our privacy policies, we appropriately notify our consumers to provide them with resources to understand the changes made and explain the changes on notices available on our Privacy Center website. Consumers can also send questions or feedback on our privacy policies, either by emailing privacypolicy@att.com or writing us at AT&T Privacy Policy, Chief Privacy Office, 208 S. Akard St., Room 2100, Dallas, TX 75202.
Transparency Report: AT&T publishes a biannual Transparency Report in which we provide comprehensive information about legal demands to which we responded. It includes the number and types of demands, those that were partially or completely rejected, demands for location information, exigent requests and international demands. Our commitment to the law and our privacy principles is reflected in our comprehensive, voluntary reporting of this information to the public.
Consumer Resources: We strive to help consumers learn how to maintain privacy, safety and security in an increasingly connected world. To further equip consumers with the tools to control their privacy choices, in 2022 we launched a new portal to make it easier for consumers to opt out of email marketing. We also featured the AT&T ActiveArmor℠ mobile security app on our Privacy Center to help customers view all their privacy and security resources on one platform. This free app helps consumers customize their robocall protection, manage nuisance calls and create a personal blocklist. For more information, please visit our Network & Data Security issue brief.

Stakeholder Engagement

We work with leading privacy and business organizations to share best practices and ensure that our privacy policies and programs maintain best-in-class status. AT&T believes that an open discussion across the industry—and with privacy advocacy groups, various government organizations and regulatory agencies—is the best way to reach an agreement on consumer protections that ensure the safety of our customers. This approach helps to provide a consistent set of choices and expectations for consumers and avoids the confusion associated with the patchwork of laws based on where consumers reside. Our approach includes:

Collaboration: AT&T has participated in the Freedom Online Coalition’s Advisory Network and the Organisation for Economic Co-operation and Development's Privacy Guidelines Experts Group. We regularly engage groups, including The Conference Board, Information Accountability Foundation, International Association of Privacy Professionals, Future of Privacy Forum, Business Roundtable and more. We are also regular participants in RightsCon, which provides the company with analysis, insights and trends on our privacy policies and initiatives.
Advocacy: AT&T has advocated for the adoption of federal consumer privacy legislation to create a unified regulatory regime for privacy, data security and breach notification consistent with the standards developed and enforced by the Federal Trade Commission. We have participated in discussions convened by the U.S. Chamber of Commerce, the Center for Democracy and Technology, the Information Accountability Foundation and others aimed at reaching an agreement on the principles that should form the foundation of a federal consumer privacy law.
Academic & Tech Partnerships: AT&T’s Chief Data Office cultivates academic and tech partnerships to create the next generation of data and privacy experts. For example, in 2022 we launched the inaugural Data Science Scholars Program in conjunction with Southern Methodist University in Dallas, Texas. Selected students were offered interviews for full-time employment at AT&T following completion of their coursework and internship.

Our Path Forward

In 2023, AT&T will continue to uphold our high privacy standards. We will also continue to monitor and adjust to the evolving privacy environment. We have already started planning how we will address upcoming challenges, including:

The fact that AT&T faces many new state privacy laws with varying requirements, deadlines, enforcement dates and rulemaking. We are working closely with industry groups to meet with state regulators and address their privacy concerns while advocating for the harmonization of state laws.
The ability of multinational companies to export personal data from the EU has been challenged in recent years. AT&T welcomes the U.S. government’s commitments to appropriate data collection and anticipates that the EU-U.S. Data Privacy Framework will stabilize cross-border transfers, making it easier to provide services to our customers. However, the expected EU adequacy decision is not yet final and is likely to be challenged, so there remains ongoing uncertainty for multinational companies operating in the EU.
The Federal Trade Commission has issued an Advanced Notice of Proposed Rulemaking regarding Commercial Surveillance and Data Security. While AT&T complies with all current consumer protection laws and privacy requirements, this rulemaking could signal new federal regulatory requirements for our current privacy program.

Additional Resources

Last Updated: 4/14/2023