Following President Trump’s recent approval of broadband Internet privacy rules in the United States, Internet service providers (ISPs) in the country won’t be required to ask for explicit consent before selling or otherwise sharing user browsing data to third parties as they were supposed to start doing later this year. While all major Internet providers in the U.S. vowed to not take advantage of the controversial bill shortly after it was passed, industry watchers are quick to point out that none of them make it easy for consumers to opt out of programs that sell their browsing data to other parties, and some smaller ISPs don’t even offer the option to do so.
By signing the aforementioned bill into law, President Trump revoked an older statute adopted by the Federal Communications Commission (FCC) under the former Obama administration, which interprets the U.S. Communications Act which prevents ISPs from selling user data without being explicitly allowed to do so. While the contents of the act itself weren’t affected by the repeal of the FCC’s statute, the controversial bill is essentially making their provisions impossible to enforce, meaning every ISP gets to interpret the law as it sees fit, and thus also interpret what “browsing history” actually means, industry experts say.
The Republican Congress that passed the bill argues that ISPs shouldn’t be held to a higher standard than websites that already harvest and sell user data, noting that many Internet providers in the country already promised not to do so earlier this year by signing a voluntary agreement whose contents were similar to the legally binding rules that are now repealed. The problem with that argument is that the remaining agreement is voluntary in nature and only states ISPs promise to provide their customers with an option to opt out of programs that sell their “non-sensitive customer information” to third parties for the purposes of serving targeted advertising on their networks. As it turns out, “non-sensitive” data includes user browsing history, so it can still be sensitive in nature despite not being defined as such.
Finally, the opt-out choice ISPs are technically offering is extremely complicated to actually make. Not a single Internet provider allows users to quickly locate the option of opting out of programs that sell their personal information. Some companies like Comcast have hidden the opt-out command under an ad, while others like AT&T and Charter Communications only allow customers to opt out of programs that deliver targeted advertising, though even that choice has been buried under many of their support pages. The idea behind all of those approaches is to discourage users from opting out of targeted advertising and other programs that sell their data, though even tenacious consumers who manage to do so still can’t prevent their browsing data and app usage history from being shared with unknown parties for profit.
Customer service representatives of some companies like Charter Communications are reportedly even telling their users their ISP currently doesn’t offer the option of opting out of having their personal data sold, which might be true based on how one defines “personal data,” as already outlined above. Likewise, none of the opt-out choices ISPs are actually offering seemingly prevent them from selling user data for the purposes that aren’t directly related to serving third-party ads on their networks, so it seems they’re still able to do so if they have a client looking to buy their customers’ data for building demographic profiles or simply serving ads through other networks.
Naturally, some users might be wondering why should anyone care about any of this seeing how regardless of the issues, ISPs are already legally prevented from selling personally identifiable information and are currently only sharing browsing and similar data with third parties. The problem with that stance is that it’s based on a flawed definition of what “identifiable” actually means in the context of aggregated information. Following years of rapid advancements in big data and related fields, certain industry professionals are often able to re-identify data that Internet providers are defining as anonymous because the current (lack of a) regulatory framework allows them to do so. As things stand right now, there’s not much you can do to prevent carriers from sharing the majority of your personal data that cannot be used to directly identify you, though you can still take a number of more active measures for protecting your privacy.