Internet service providers (ISPs) are under fire for allegedly tracking and selling customers’ browsing data. Critics say this violates customers’ privacy, while ISPs argue that the data is used only to improve the user experience. ISPs have been collecting and selling customer browsing data for years, but the practice has recently come under scrutiny. In March, the European Union’s top court ruled that online companies must get explicit consent from users before collecting their personal data. This ruling followed a similar decision by the US Federal Trade Commission in December. Critics of ISP tracking say that it violates customers’ privacy. For example, one customer who used Google Chrome said that his ISP tracked his every move across the web and sold this information to third parties. ISPs argue that the data is used only to improve the user experience. For example, by understanding which websites are being visited most often, ISPs can create better search results or recommend related content. The practice of tracking and selling customer browsing data has been controversial for years. In 2013, Google was fined $2 billion by US regulators for violating users’ privacy by tracking their online activity without their consent. However, recent rulings by EU courts and US FTC may force ISPs to change their practices sooner rather than later. ..
Are You in the U.S. or Elsewhere?
In fact, around the world, it’s often illegal for ISPs to gather data and sell it to third parties. For example, Canada doesn’t allow it, nor does Australia.
In the United States, however, things are very different. ISPs have been allowed to sell customer data to third parties since 2017, when Congress passed a resolution to eliminate FCC privacy rules that would have banned the practice. Where before an ISP needed to ask you before putting your personal data and browsing history on the market, with the stroke of a pen, this need for permission was revoked.
Instead, ISPs are required to provide customers with an opt-out clause, which usually takes the form of a page on the ISP’s website, where users need to make clear that they don’t want their data sold. The default setting, so to speak, is yes.
The uproar over this change was massive in the media, and VPNs (and VPN review sites) hawked their wares as the best way to respond to this new, intrusive legislation. In response, however, ISPs were quick to pledge not to sell customer data, and enshrined those promises in their privacy policies.
After all, just having the right to do something doesn’t mean that you’ll do it, right?
Checking U.S. ISP Privacy Policies
A tour of the privacy policies of all the major ISPs in the United States shows that all of them promise not to sell your data. However, some of the language used does stand out a little. For example, Comcast Xfinity promises not to sell information that identifies you. While that could just be the legal department hedging its bets, it’s not quite the same as promising not to sell data.
AT&T uses far less fuzzy language: In its privacy policy, under “how we collect your information,” the company makes it clear that it also collects third-party information about you, including your credit report. We would have liked to find out more details, but the company didn’t respond to our queries. AT&T does pledge not to sell any data, although the Electronic Frontier Foundation begs to differ and has sued the company for selling location data.
The FTC’s 2019 Investigation Is Ongoing
In 2019, likely worried about the many reports it was getting about data sales and other privacy violations by the large ISPs, the Federal Trade Commission decided to open an investigation into these practices. It sent out orders to Comcast, T-Mobile, Google Fiber, AT&T, and Verizon as well as the mobile arms of some of these companies.
We reached out to a few of the ISPs that received orders as well as those that confirmed that they had complied with the FTC order. However, the FTC itself told us in an email that it is still looking into the matter. The investigation hasn’t yet resulted in anything.
How You Can Protect Your Privacy
If you’re worried about ISPs accessing and selling your data and you’re not in the U.S., chances are that you don’t have to be—although you might want to search the web for information about the laws and practices in your specific country. If, however, you’re in the United States, then you may want to keep an eye out.
Even if your ISP currently states in its privacy policy that it doesn’t sell data, there’s really nothing preventing them from changing the policy and doing so anyway—if they aren’t already.
Until Congress can be persuaded to change this, all that you can do is sign up to a virtual private network and prevent data from being collected by your internet service provider. However, a VPN isn’t a magic bullet: Despite what many VPN providers will tell you, you’ll also need to use incognito mode more often.
In short, a VPN lets you reroute your internet connection to its own servers, which are shielded from your ISP’s gaze (read our article on how VPNs work). Using one means that your ISP can see that you’re connecting to a VPN, but not what you’re accessing through the VPN. This means that, theoretically at least, your browsing is private and there’s no information for your ISP to profit off of.
If that sounds good to you, then check out ExpressVPN, our favorite VPN service—although, if you want lasting change, we recommend that you give your representative in DC a call or an email.