A businessman throwing money around.
Dean Drobot/Shutterstock.com

When you’re shopping for a VPN or otherwise looking into your privacy, you’ll quickly run into claims that your internet service provider is collecting your data and selling it. Is that even true, though? What are the rules that govern what ISPs can and cannot do with your data?

Are You in the U.S. or Elsewhere?

Whether or not your data is being sold largely depends on your location. If you’re in a country that’s a member of the European Union, for example, you don’t have to worry. The General Data Protection Regulation expressly forbids your ISP from even collecting your data without your express permission, let alone selling it.

In fact, around the world, it’s often illegal for ISPs to gather data and sell it to third parties. For example, Canada doesn’t allow it, nor does Australia.

In the United States, however, things are very different. ISPs have been allowed to sell customer data to third parties since 2017, when Congress passed a resolution to eliminate FCC privacy rules that would have banned the practice. Where before an ISP needed to ask you before putting your personal data and browsing history on the market, with the stroke of a pen, this need for permission was revoked.

Instead, ISPs are required to provide customers with an opt-out clause, which usually takes the form of a page on the ISP’s website, where users need to make clear that they don’t want their data sold. The default setting, so to speak, is yes.

The uproar over this change was massive in the media, and VPNs (and VPN review sites) hawked their wares as the best way to respond to this new, intrusive legislation. In response, however, ISPs were quick to pledge not to sell customer data, and enshrined those promises in their privacy policies.

After all, just having the right to do something doesn’t mean that you’ll do it, right?

Checking U.S. ISP Privacy Policies

A Comcast sign outside a company building.
Joshua Rainey Photography/Shutterstock.com

A tour of the privacy policies of all the major ISPs in the United States shows that all of them promise not to sell your data. However, some of the language used does stand out a little. For example, Comcast Xfinity promises not to sell information that identifies you. While that could just be the legal department hedging its bets, it’s not quite the same as promising not to sell data.

AT&T uses far less fuzzy language: In its privacy policy, under “how we collect your information,” the company makes it clear that it also collects third-party information about you, including your credit report. We would have liked to find out more details, but the company didn’t respond to our queries. AT&T does pledge not to sell any data, although the Electronic Frontier Foundation begs to differ and has sued the company for selling location data.

T-Mobile, however, has gone another route this year and announced that, starting in April of 2021, it will target customers of their mobile plans with ads based on their browsing behavior. Customers can, of course, opt out of having T-Mobile sell their data as per the law, but it remains to be seen how many will do that.

The FTC’s 2019 Investigation Is Ongoing

In 2019, likely worried about the many reports it was getting about data sales and other privacy violations by the large ISPs, the Federal Trade Commission decided to open an investigation into these practices. It sent out orders to Comcast, T-Mobile, Google Fiber, AT&T, and Verizon as well as the mobile arms of some of these companies.

We reached out to a few of the ISPs that received orders as well as those that confirmed that they had complied with the FTC order. However, the FTC itself told us in an email that it is still looking into the matter. The investigation hasn’t yet resulted in anything.

How You Can Protect Your Privacy

If you’re worried about ISPs accessing and selling your data and you’re not in the U.S., chances are that you don’t have to be—although you might want to search the web for information about the laws and practices in your specific country. If, however, you’re in the United States, then you may want to keep an eye out.

Even if your ISP currently states in its privacy policy that it doesn’t sell data, there’s really nothing preventing them from changing the policy and doing so anyway—if they aren’t already.

Until Congress can be persuaded to change this, all that you can do is sign up to a virtual private network and prevent data from being collected by your internet service provider. However, a VPN isn’t a magic bullet: Despite what many VPN providers will tell you, you’ll also need to use incognito mode more often.

In short, a VPN lets you reroute your internet connection to its own servers, which are shielded from your ISP’s gaze (read our article on how VPNs work). Using one means that your ISP can see that you’re connecting to a VPN, but not what you’re accessing through the VPN. This means that, theoretically at least, your browsing is private and there’s no information for your ISP to profit off of.

If that sounds good to you, then check out ExpressVPN, our favorite VPN service—although, if you want lasting change, we recommend that you give your representative in DC a call or an email.

Our Favorite VPN


Read How-To Geek's Full Review

A VPN prevents your internet service provider from even seeing your browsing traffic. (The VPN can see it instead.) We’ve trusted ExpressVPN for years.

Profile Photo for Fergus O'Sullivan Fergus O'Sullivan
Fergus is a freelance writer for How-To Geek. He has seven years of tech reporting and reviewing under his belt for a number of publications, including GameCrate and Cloudwards. He's written more articles and reviews about cybersecurity and cloud-based software than he can keep track of---and knows his way around Linux and hardware, too.
Read Full Bio »