AT&T Inc.
Headquartered in the United States, AT&T offers voice, data, and pay TV services across the U.S. and Mexico, with more than 100 million users in the United States.
AT&T recorded the largest score decline among all telecommunications companies assessed by RDR this year, with a drop of more than two points. As a result, the company fell from third place in the previous ranking to joint sixth place this year, tied with Telenor. The score decline was largely driven by weaker governance disclosures of AT&T: the company updated its human rights webpage, and the revised webpage provided less detail regarding the company’s human rights governance structure and its due diligence processes.
In recent years, AT&T faced a series of public trust challenges stemming from multiple data breaches. In June 2025, a court in the U.S. approved a settlement intended to resolve lawsuits related to several data breaches that occurred in 2024. In April 2024, data associated with approximately 109 million user accounts was reported to have been unlawfully downloaded. Earlier that year, in March, AT&T stated that it was investigating a dataset for sale on the dark web containing customers’ sensitive information, such as names, addresses and social security numbers. In its privacy policy, AT&T pledged to notify affected users and relevant authorities after a data breach. However, the company did not clearly disclose what measures it would take to mitigate the impacts of such data breaches.
Moreover, AT&T was targeted, alongside Verizon, another U.S. telco operator, in Salt Typhoon, a cyber espionage operation allegedly linked to China. Following the incident, both companies said they had notified affected individuals.
Amid the growing adoption of artificial intelligence, AT&T expanded its use of artificial intelligence, including a large language model-based system designed to identify and automatically disconnect spam calls. The company published overarching AI Guiding Principles, but did not explain how it oversees or governs the development and deployment of AI across its operations. AT&T reported that it blocks more than two billion spam calls each month[1]. Beyond this disclosure, however, the company failed to provide data on other forms of content or account restrictions, such as blocked messages or banned advertisements.
The 2026 RDR Index: Telco Giants Edition covers policies that were active on August 31, 2025. Policies that came into effect after August 31, 2025 were not evaluated for this ranking.
Scores reflect the average score across the services we evaluated, with each service weighted equally.
We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.
AT&T saw the largest decline in governance transparency this year, alongside Telefónica and Vodafone, which also experienced declines in this category. While AT&T retained its baseline governance disclosures, many details were removed following webpage updates or were no longer current. The company continued to describe a top-down oversight structure for human rights (G2) and reported conducting risk assessments related to its products (G4a) and algorithmic systems (G4d). Moreover, it provided remedies for user complaints (G6a). Yet these disclosures lacked the clarity and specificity seen in the previous ranking. AT&T also remained silent on whether it conducts due diligence related to the enforcement of its own policies (G4b) or targeted advertising practices (G4c).
AT&T explained briefly about how its targeted advertising operates and disclosed certain restrictions on targeted advertising practices (F1c, F3c). However, the company did not publish an advertising content policy clarifying which types of advertising content are prohibited (F1b, F3b). Its transparency report included some data on websites blocked following government orders (F6), but the company did not publish any data on the enforcement of the company’s own policies, such as blocked spam messages or banned illegal advertisements (F4a, F4b, F4c). AT&T was one of the three companies that committed to network neutrality (F9), however, it provided scant details on how it would handle potential network shutdown orders (F10).
AT&T did not commit to limiting the collection and inference of user information to what is necessary for specific purposes (P3). Although users were able to download their data in a structured format (P8), the company’s privacy policy did not clarify what information users could delete, or whether inferred data used for targeted advertising could be removed (P7). The company also did not disclose how long it retains user information or whether it deletes data after account termination (P6). On a more positive note, AT&T’s transparency report made detailed disclosures regarding government requests for user information (P10a, P11a). The company also provided relatively clear information about its security practices, including internal and external security audits (P13), bug bounty program (P14), and data breach reporting (P15).
[1] This information was not taken into account in evaluation this time because the blog was published after the policy cutoff date.