Telecommunications companies

AT&T Inc.

Rank: 3rd
Score: 40%

Headquartered in the United States, AT&T offers voice, data, and pay TV services to more than400 millionusers in the U.S. and Mexico. It is the world’s largest telecommunications company by revenue.

AT&T made modest policy improvements since the 2020 RDR Index, but not enough to challenge Vodafone for second place in our ranking. Following one of our recommendations from the 2020 RDR Corporate Accountability Index, the company improved its process for human rights impact assessments and clarified its handling of government demands to restrict content or accounts.It also decided to end its domestic zero-rating program in order to comply with California’s 2018 net neutrality law.

Telcos often retain data about their customers, which can be accessed by law enforcement. A fall 2021 public records request revealed that AT&T retains such data for seven years after it is generated, longer than other American telcos, many of which kept this data for two years or less. Nevertheless, AT&T has not published a policy on data retention. Following the U.S. Supreme Court decision overturning federal abortion rights, AT&T declined to clarify how its policy on government demands for user information would be applied to abortion-related cases. Still, it admitted to receiving over 100,000 requests for data from law enforcement officials in the second half of 2021. The U.S. continues to lack a federal privacy law, but RDR has endorsed the proposed American Data Privacy and Protection Act, introduced in the U.S. Congress in June, for its strong protections.

In 2022, AT&T sold its primary advertising division, Xandr, to Microsoft, though it held onto some advertising operations. AT&T still fails to assess the human rights impacts of the targeted advertising operations it has retained or to clearly explain how it regulates ads.

Key takeaways

  • AT&T published a new policy called “Additional Information on AT&T’s Commitment to Digital Rights.” This policy makes new, concrete commitments to human rights and outlines AT&T’s due diligence process, including for algorithmic development. However, this process does not extend to deployment or explicitly address targeted advertising.
  • The company showed engagement with civil society, but it was not a member of any multi-stakeholder organization committed to human rights, such as the Global Network Initiative.
  • AT&T had relatively strong disclosures on privacy, but still provided insufficient information about how it handles data breaches and other threats to users’ information.

Key recommendations

  • Improve human rights due diligence. AT&T should expand its impact assessments to examine targeted advertising and how the company enforces its terms of service.
  • Clarify handling of user information. AT&T should clarify what types of user information it collects, infers, and retains, and for what purposes.
  • Protect users from the impacts of data breaches. AT&T should clearly commit to addressing the impact of data breaches on users, rather than simply notifying users when they occur.

Services evaluated:

  • AT&T (Prepaid mobile)
  • AT&T (Postpaid mobile)
  • AT&T (Fixed-line broadband)

The 2022 Telco Giants Scorecard covers policies that were active on June 1, 2022. Policies that came into effect after June 1, 2022, were not evaluated for this scorecard.

Scores reflect the average score across the services we evaluated, with each service weighted equally.

  • Lead researchers: Zak Rogoff, Anna Lee Nabors

Changes since 2020

  • The company published a new “Additional Information on Commitment to Digital Rights” policy document, broadening its previously minimal commitment to human rights impact assessments by stating that it assesses freedom of expression and privacy risks associated with its development of algorithmic systems. It also described its due diligence process for government content restriction requests and private user information requests.
  • AT&T released a new, difficult to understand “Consumer Services Agreement,” which grants the company an overbroad privilege to restrict users’ service “for any reason,” while reducing the company’s commitments to notifying users of policy changes.
  • AT&T removed a document explaining how it uses algorithmic systems to identify behavior that violates the company's rules, leaving users in the dark about its use of this quickly evolving technology.
  • The company edited its “Issue Brief on Privacy,” removing language that explained how it responds to data breaches.

Scores since 2017

100%0%2017201820192020202248%49%48%37%40%
Most companies’ scores dropped between 2019 and 2020 with the inclusion of our new indicators on targeted advertising and algorithmic systems. To learn more, please visit our Methodology development archive.
Governance65%
Freedom of expression28%
Privacy39%

We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.

Governance 65%

AT&T made a full commitment to board-level oversight of digital rights issues (G2). The company conducted some assessments (G4) of the human rights impacts of government regulations on freedom of expression and privacy (G4a) and of its use and development of algorithmic systems (G4d). Yet it failed to provide any evidence of due diligence with regard to the human rights impacts of its policy enforcement (G4b), targeted advertising (G4c), and zero rating (G4e).

Freedom of expression 28%

AT&T received the most credit of any company on the availability and accessibility of its terms of service (F1a) and ad-targeting policies (F1c), but none for its ad-content (F1b) or algorithmic-use policies (F1d), which it failed to provide. The company made a full commitment to net neutrality and ended its zero-rating programs (F9), but disclosed very little about its process for responding to government demands to shut down or restrict services (F10).

Privacy 39%

AT&T was one of very few companies we rank that disclosed anything about what user information it infers (P3b), though it shared nothing about how long it retains this information (P7). It was the only company that received full credit for its process for responding to government demands for user information (P10a). It was also one of the most transparent companies we rank on government demands for data (P11a). As with all companies we rank, with the exception of MTN, it published no data about private requests for user information (P11b). AT&T’s disclosure about its response to data breaches failed to explain how it would mitigate the harm done to users when it experiences a breach (P15).