Congress Just Killed ISP Privacy Rules — Here's What Your Provider Knows About You

President Trump just signed legislation killing the FCC's broadband privacy rules before they ever took effect. Your internet service provider — Comcast, AT&T, Verizon, Charter, whoever — can now legally collect your browsing history, app usage data, location information, and other sensitive details, and sell it to advertisers without your explicit permission.

This is a real change with real consequences. Let's walk through what happened, what your ISP knows about you, and what you can do about it.

What the Rules Would Have Done

The FCC adopted the privacy rules in October 2016 under then-Chairman Tom Wheeler. They were set to take effect at the end of 2017. The rules required broadband providers to:

1. Get explicit opt-in consent before using or sharing sensitive customer information, including web browsing history, app usage history, location data, financial information, health information, and the content of communications.

2. Provide opt-out for less sensitive information like email addresses and service usage.

3. Disclose data collection practices in clear language.

4. Notify customers of data breaches within 30 days.

5. Take reasonable steps to secure customer data.

These were standard privacy protections — essentially requiring ISPs to ask permission before monetizing your personal data. They were also stronger than the privacy rules that apply to websites like Google and Facebook, which prompted complaints from ISPs about an uneven playing field.

The Republican-led Congress used the Congressional Review Act to repeal the rules. The CRA is a procedural tool that allows Congress to overturn recent agency regulations with simple majority votes in both chambers. The vote was 215-205 in the House and 50-48 in the Senate, almost entirely along party lines.

Crucially, when Congress repeals a rule under the CRA, the agency is barred from issuing a "substantially similar" rule in the future without specific congressional authorization. So the FCC can't just rewrite the privacy rules. They're gone, and they're staying gone unless Congress changes its mind.

What Your ISP Actually Knows

Here's the part that should make you uncomfortable. Your internet service provider sees everything you do online. Not metaphorically — literally everything that passes through your home connection.

Every website you visit. Even if a site uses HTTPS encryption, your ISP can see the domain name. They know you visited webmd.com or pornhub.com or politicalcandidate.com, even if they can't see exactly which pages you read.

The apps on your phone using your home Wi-Fi. Apps phone home regularly. Your ISP can see which services your devices connect to, often revealing what apps you use.

When you're home and when you're not. Your usage patterns reveal your daily schedule. Heavy traffic in the evening, nothing during the day — your ISP can infer when you're at work, when you're sleeping, when you're on vacation.

Who lives in your household. Multiple devices with different usage patterns reveal household composition. Children's tablets, parents' work laptops, gaming consoles — they all paint a picture of your family.

Your interests, health concerns, political views, financial situation. Aggregated browsing data reveals an enormous amount about who you are. Researchers have shown that even anonymized browsing history can be linked back to individuals with high accuracy.

Smart home device usage. If you have smart thermostats, doorbells, lights, or other connected devices, your ISP sees that traffic too.

This is the data ISPs can now legally collect, package, and sell without asking permission.

How ISPs Plan to Use It

The big ISPs are moving aggressively into advertising. Verizon spent $4.4 billion to acquire AOL in 2015 and another $4.5 billion to acquire Yahoo in 2016. The company's stated strategy is to combine its mobile and broadband subscriber data with AOL and Yahoo's content properties to compete with Google and Facebook in digital advertising.

AT&T's pending acquisition of Time Warner is partly motivated by similar logic — combining ISP data with content production gives the company unique advertising capabilities.

Comcast already operates an advertising business through NBCUniversal. The privacy rules would have limited what data Comcast could feed into that business from its broadband operations. Without the rules, Comcast can use its broadband subscribers' data however it wants.

The pitch to advertisers is straightforward: ISPs see all of a user's internet activity, not just the activity on a single platform. Google sees what you search for. Facebook sees what you post. Your ISP sees everything you do across all sites and services. That breadth makes ISP data valuable to advertisers in ways that platform data isn't.

What You Can Do

Privacy protection is now your responsibility. Here are the realistic options:

Use a VPN. A virtual private network encrypts all your internet traffic between your device and a VPN server elsewhere on the internet. Your ISP sees only that you're connected to the VPN — not what sites you're visiting or what data you're transferring. Reputable VPN services cost $5 to $12 per month. ExpressVPN, NordVPN, and Private Internet Access are among the better-known options.

The catch with VPNs: you're shifting trust from your ISP to your VPN provider. Choose carefully. Avoid free VPNs, which often monetize your data the same way ISPs do. Read privacy policies. Look for providers based outside the U.S. with no-logs policies that have been independently audited.

Use HTTPS Everywhere. This browser extension from the Electronic Frontier Foundation forces HTTPS connections wherever possible. It doesn't hide which sites you visit from your ISP, but it does prevent your ISP from seeing which specific pages you read or what data you submit.

Use Tor for sensitive browsing. The Tor network routes your traffic through multiple encrypted hops, making it extremely difficult for your ISP (or anyone else) to track what you're doing online. Tor is slower than normal browsing and overkill for everyday use, but useful for sensitive activities.

Use a privacy-focused DNS service. Your DNS queries — the lookups that translate domain names to IP addresses — reveal which sites you visit even when other traffic is encrypted. Services like Cloudflare's 1.1.1.1 (when it launches) and OpenDNS offer alternatives to your ISP's DNS server.

Push for state-level privacy laws. Congress killed the federal rules, but states can pass their own privacy laws. Several states are already considering legislation. Contact your state representatives.

Vote. This rollback was a partisan move. It happened because Republicans controlled Congress and the White House and prioritized telecom industry interests over consumer privacy. Elections have consequences.

The Uneven Playing Field Argument

ISPs and their allies in Congress argued that the privacy rules created an uneven playing field — Google and Facebook can collect your data freely, so why should ISPs face stricter rules?

There's a kernel of truth here. Google and Facebook do collect enormous amounts of user data with relatively little restriction. The privacy framework for online services in the United States is genuinely weak.

But the answer to that imbalance isn't to weaken ISP privacy protections to match. It's to strengthen privacy protections across the board. By killing the FCC rules, Congress made the imbalance worse, not better — and they did it on behalf of an industry that didn't want to ask its customers for permission to monetize their data.

Your internet provider is supposed to deliver internet service, not surveil you for advertising purposes. The fact that this is now a question we have to debate tells you something about whose interests are being protected in Washington.

Take steps to protect yourself. Until the legal framework changes, your privacy is up to you.