Privacy

Consumers and our employees place more value than ever on their privacy. That’s why we make safeguarding their data and managing it responsibly fundamental to our business. We offer products and services designed with privacy in mind. And we remain committed to our four privacy principles: transparency, choice and control, security, and integrity.

These principles guide us in using data to provide new benefits to consumers and society. That includes developing better, more innovative products and experiences; supporting programs for social good; and preventing fraud, among other important purposes. The results enable us to better protect consumers’ privacy while delivering what matters most to them.

AT&T took a number of steps in 2023 to provide consumers with more privacy choices and controls:

• We offered more privacy choices and controls to all consumers, and not just to consumers in states that required them. These enhanced privacy features included the ability to access or delete personal information, and to request that we not sell data. We also began offering U.S. consumers the ability to request corrections, appeal our privacy decisions and transfer their data. And we trained our employees on these updated consumer-privacy choices, and on domestic privacy laws across the enterprise.
• In December 2023, we revised the AT&T Privacy Notice to make it simpler, shorter and clearer, so that consumers can better understand their privacy rights and choices. The updated Privacy Notice includes new privacy choices for consumers in those states requiring opt-in consent for processing of sensitive data.
• We launched a refreshed Privacy Choices consent portal, which can be accessed from the AT&T Privacy Center or from a customer’s online account, to make it easier for consumers to make their privacy choices and provide consents in a single privacy dashboard, and a new tool for opting out of email marketing. 
• We redesigned our Privacy Choices and Controls page to give consumers a better user experience. 
• We promoted the AT&T ActiveArmor^SM mobile security app on our Privacy Center to help customers view all their privacy and security resources in one platform. This free app helps customers block spam calls, secure their personal data, create a personal blocklist and opt in or out of retaining sensitive data. This app has been so effective that AT&T blocked more than 1 billion spam text messages in July 2023 alone—our highest-ever monthly total. For more information, please visit our Network & Data Security issue brief.

Principles & Policies

Our global privacy program is based on four principles:

• Transparency: We’re open and honest about how we use your data.
• Choice and control: We give you choices about how we use your data.
• Security: We use strong safeguards to keep your data confidential and secure.
• Integrity: We do what we say.

Several policies guide our privacy commitments. These include:

• Code of Business Conduct: All AT&T employees are responsible for reviewing and adhering to our Code of Business Conduct. The Code describes our core values and lays out guidelines for how we do business, operate and interact with consumers, suppliers, communities and each other.
• AT&T Privacy Notice: Our Privacy Notice explains how we use consumer information and keep it safe. It also outlines the choices consumers can make at any time about how their information is used. This policy notice is available in the AT&T Privacy Center. As noted above, we updated our Privacy Notice in 2023 to align with new privacy laws in several states.
  • The Global Approach section of our Privacy Center details our compliance with privacy laws and regulations in geographic areas throughout the world. We extend common elements of numerous privacy laws to our products and services globally while accounting for the unique, additional or variant privacy laws of each country in which we offer services.
• Other Policies: Other privacy and security policies include the AT&T security policies and standards and internal privacy guidelines, which are based on privacy-by-design principles. For more information, please visit our Network & Data Security issue brief and our Policies page.

Governance

We have several governance processes in place to manage our privacy policies and actions:

• Technical Review: We incorporate privacy considerations into the development of new services and capabilities. When necessary, the AT&T Chief Data Office and/or external technical experts review our advanced privacy protections. Their expertise in data de-identification and other key privacy topics helps AT&T set privacy-related guardrails that have a scientific and mathematical foundation. 
• Performance Evaluation: We set targets for timeliness in responding to privacy requests and assess our performance against those targets. We test the effectiveness of our privacy controls to help us proactively identify and address any potential weaknesses.
• Risk Assessments: Our Compliance Oversight Team conducts an annual risk assessment of the company’s operations relative to privacy-control effectiveness and maturity. For more information, please visit our Ethics & Integrity issue brief.  
• Executive Leadership Updates: The Chief Privacy Officer and Chief Compliance Officer update executive leadership and the Governance and Policy Committee and the Audit Committee of the AT&T Board of Directors on an ongoing basis about privacy-related topics.
• Oversight: The AT&T Chief Privacy Officer reports to the General Counsel of AT&T and is responsible for ensuring our company’s operations adhere to the AT&T privacy principles, policies, notices and commitments. The Chief Privacy Officer oversees the Chief Privacy Office (CPO) within AT&T. The AT&T Global Legal Demand Center includes a team dedicated to overseeing, reviewing and responding to requests from law enforcement.  
• Enforcement: We take our responsibility seriously. Failure of AT&T employees to comply with our policies and guidelines governing data use and collection may result in discipline up to and including termination.     

Chief Privacy Office (CPO)

The CPO oversees and implements privacy compliance programs in accordance with evolving international, federal and state legislation. Its purview covers:

• Consumer Transparency: The CPO sets requirements and provides oversight to ensure that consumers can exercise their individual rights under applicable privacy laws. This oversight includes compliance with consumer-privacy laws and regulations such as the General Data Protection Regulation in Europe and the California Consumer Privacy Act, among other comprehensive state privacy laws. For more information, visit our Privacy Center.
• Privacy Updates: When new privacy laws are enacted, the CPO works with the business to evaluate whether and how to update affected privacy disclosures, policies and notices. The CPO also partners with the business to provide employee training and promote awareness of these laws.
• Reviews: The CPO reviews data use cases submitted by various business teams to analyze and approve the proposed collection, use, sharing and processing of data. This review process is completed before proceeding with projects to ensure that data use cases conform to our privacy policies and notices, regulations and principles. Insisting on data minimization and limited data retention is a key element of this process. The CPO also verifies the continued accuracy of our policies and notices on an ongoing basis by regularly consulting with business units across AT&T about our representations regarding our collection, use and sharing of consumer data.   
• Collaboration: The CPO works with the business to address new and emerging issues in technology and data privacy. For example, AT&T developed and implemented data de-identification standards, as well as operating guidelines for the use of biometric and other sensitive data. These efforts highlight our commitment to the ethical and safe use of data.

Incident Response

We work hard to protect and safeguard the privacy of consumer and employee information. But like all companies, we are faced with attempts to gain unauthorized access to our customers’ or employees’ data. We have an action plan to swiftly respond to these situations: 

• Response Process: The AT&T Incident Response team follows a carefully designed governance structure and response process, investigating suspected breaches and evaluating their potential impact. If we determine that a data breach has occurred, we notify affected consumers and authorities as required by applicable law. We test and improve the incident response process through tabletop exercises and keep up with current data-privacy laws and regulations to ensure our response process remains compliant.
• Oversight: Our Corporate Compliance Office oversees periodic testing of our incident response plans in partnership with stakeholders such as the AT&T Chief Security Office.

Employee Training

Our training and awareness programs provide all employees with resources to support the company’s compliance with all privacy laws. These resources include:

• Training: Privacy and security trainings are provided to employees annually and as necessary. Our annual Ethics@Work compliance training, required for U.S.-based employees, helps to ensure employee awareness of our privacy program. For more information on Ethics@Work, visit our Ethics & Integrity issue brief.
• Web Portal: AT&T’s primary privacy training web portal features a hub focused on privacy-related communications, news, courses and collateral, available to all employees across the enterprise. The portal also contains materials such as consent flow diagrams to help our business teams understand consumer consent requirements under new state privacy laws. In 2023, we added an entirely new section on artificial intelligence (AI) governance, policies, procedures and training to the portal, available to all employees.
• Awareness Initiatives: As part of our wide range of ongoing internal awareness initiatives, we require employees to complete privacy-specific courses for both domestic and international requirements of our compliance program. We also hold company-wide privacy awareness events featuring experts and leaders from both AT&T and other companies, underscoring the importance of privacy compliance. And we provide “tone at the top” messaging materials for distribution throughout the business.

Children's Privacy

AT&T supports and complies with the Children's Online Privacy Protection Act (COPPA) and other laws governing the collection and handling of children’s data. Our approach to children’s privacy includes the following:

• Information Collection: We do not knowingly collect personally identifiable information from anyone under the age of 13 without first obtaining any legally required parental consent. As defined by COPPA, personal information may include name, home address, telephone number, username and more. When we do collect a child’s information, we do so in accordance with a legally permitted purpose or exception, or after first obtaining any legally required permission from the child’s parent or legal guardian. 
• Responsible Marketing: Unless we have consent from a parent or legal guardian, we will not knowingly contact a child under the age of 13 for marketing purposes. For more details on how we address children’s privacy, see the AT&T Privacy Notice, in the “Information specific to children” section. 

Transparency

Consumers can access information on our approach to privacy and data use, along with links to privacy choices and security tips, through the AT&T Privacy Center and AT&T Mexico Comprehensive Privacy Notice. In addition, privacy policies and notices for AT&T’s apps and services are accessible within the apps and on the services’ websites. Through these policies and notices, consumers can learn about their choices for opting out of certain data collection and marketing programs, such as behavioral advertising. Our approach to transparency also includes:

• Policy Updates & Questions: When we update our privacy policies and notices, we notify consumers as required, and we explain the changes to privacy policies and notices available on our Privacy Center website to help them understand the changes. Consumers can also send questions or feedback on our privacy policies and notices, either by emailing privacypolicy@att.com or writing us at AT&T Chief Privacy Office, 208 S. Akard St., Room 2901, Dallas, TX 75202.
• Transparency Report: AT&T publishes a biannual Transparency Report in which we provide comprehensive information about legal demands to which we responded. It includes the number and types of demands, those that were partially or completely rejected, demands for location information, exigent requests and international demands. The AT&T Global Legal Demand Center provides oversight of such demands from law enforcement. This comprehensive, voluntary reporting to the public reflects our commitment to the law and to our privacy principles.
• Consumer Resources: We strive to help consumers learn how to maintain privacy, safety and security in an increasingly connected world. As described above, we launched a new online tool to make it easier for consumers to opt out of email marketing and promoted the AT&T ActiveArmor^SM mobile security app to help customers view all their privacy and security resources. 

Stakeholder Engagement

We work with leading privacy and business organizations to share best practices and ensure that our privacy policies, notices and programs maintain best-in-class status. AT&T believes that an open discussion across the industry—and with privacy advocacy groups, government organizations and regulatory agencies—is the best way to ensure we have the best consumer protections for the safety of consumer data . This approach also helps to provide a consistent set of choices and expectations for all consumers regardless of where they reside to avoid the confusion associated with a patchwork of state laws. Our approach to stakeholder engagement includes:

• Collaboration: AT&T has participated in the Organisation for Economic Co-operation and Development’s Privacy Guidelines Experts Group. We also regularly engage The Conference Board, Information Accountability Foundation, International Association of Privacy Professionals, Future of Privacy Forum, Business Roundtable, Center for Democracy & Technology and more.
• Advocacy: AT&T has advocated for the adoption of federal consumer-privacy legislation to create a unified regulatory regime for privacy, data security and breach notification consistent with the standards developed and enforced by the Federal Trade Commission. We have participated in discussions convened by the U.S. Chamber of Commerce, Center for Democracy & Technology, Information Accountability Foundation and others, aimed at reaching an agreement on the principles that should form the foundation of a federal consumer-privacy law.
• Academic & Tech Partnerships: AT&T’s Chief Data Office cultivates academic and tech partnerships to create the next generation of data and privacy experts. For example, in 2022, we launched the inaugural Data Science Scholars Program in conjunction with Southern Methodist University in Dallas, Texas. Selected students were offered interviews for full-time employment at AT&T following completion of their coursework and internship.

In 2024, AT&T will continue to uphold our high privacy standards. We will also continue to monitor and adjust to the evolving privacy environment. Here are some of the upcoming challenges for which we’ve begun planning:

• There are many new state privacy laws with varying requirements, deadlines, enforcement dates and rulemaking. We are working closely with industry groups to meet with state regulators and address their privacy concerns while advocating for the harmonization of state laws.
• The ability of multinational companies to export personal data from the European Union (EU) has been challenged in recent years. We welcome the U.S. government’s commitments to appropriate data collection and anticipate that the EU-U.S. Data Privacy Framework will stabilize cross-border transfers, making it easier to provide services to our customers. However, the expected EU adequacy decision is not yet final and is likely to be challenged, which means multinational companies operating in the EU face ongoing uncertainty.
• The Federal Trade Commission issued an Advanced Notice of Proposed Rulemaking regarding commercial surveillance and data security. While we comply with all current consumer protection laws and privacy requirements, this rulemaking could signal new federal regulatory requirements for our current privacy program.