Skip to Content

Privacy & Data

Setting the Record Straight on Broadband Privacy – Myths & Facts

In March 2017, Congress rolled back the federal broadband privacy rules, leaving internet users without meaningful control over the use and sale of information they share with their broadband providers, such as browsing history and geolocation. In dozens of states, legislators have introduced bills attempting to restore the privacy protections Congress wiped away. In an effort to oppose state privacy legislation, some groups have resorted to making misleading arguments about the bills and about the state of U.S. consumer privacy. CDT has reviewed these misleading arguments –– and set the record straight.

Myth:
Consumers didn’t lose any protections when Congress rolled back the FCC’s broadband privacy rules.
Reality:
While a federal statute (47 U.S.C. § 222) requires broadband providers to protect their customers’ information, the FCC’s broadband privacy rules clarified what providers must do to fulfill that obligation. The rules guaranteed that customers would have control over what happens to their private information. With the rollback of the rules, that clarity is missing. Industry lobbyists have argued that we have simply returned to the status quo, but this was never meant to be the status quo. When the FCC reclassified broadband providers as common carriers in 2015, it promised to write clear privacy rules for the sensitive data – such as browsing history and location information – that broadband providers collect. Broadband users have made it clear that they want meaningful control over what happens to their sensitive information, and it’s not enough to let broadband providers decide how much privacy to give their customers.

Myth:
Broadband providers shouldn’t be treated differently from any other company that collects data.
Reality:
Like a mail carrier, broadband providers are entrusted to transport web traffic across the internet. This role gives them access to information about their customers’ online activities and communications. It also comes with a responsibility to protect the privacy of that information. Just as postal workers aren’t allowed to open your mail and phone companies can’t share your call history, broadband providers shouldn’t be allowed to share your web browsing history or use it to deliver you ads without your permission.

Myth:
State broadband privacy protections are unnecessary because the Federal Trade Commission (FTC) can regulate ISPs under its privacy and data security regime.
Reality:
As industry is well aware, the FTC’s current privacy jurisdiction cannot adequately protect broadband customers for several reasons. First, the FTC’s jurisdiction over broadband providers is unclear. The agency’s authority to enforce against unfair and deceptive business practices exempts common carriers. Broadband providers have argued that the “common carrier exemption” means the FTC cannot regulate their business practices, but now those same providers claim that they should be regulated by the FTC. Second, the FTC’s ability to protect consumer privacy is weaker than the FCC’s. The FTC lacks the authority to write prescriptive rules and can only enforce against privacy violations after the fact. This regime ultimately gives companies the power to decide how much privacy to give their users. All of this means that broadband customers lack meaningful privacy protections from the federal government.

Myth:
If your broadband provider promises not to sell your browsing history without your permission, you don’t have to worry about your privacy.
Reality:
Broadband providers don’t have to sell your individual browsing history to put your privacy at risk. Providers might use your online activities to draw inferences about your lifestyle, your political views, or your shopping habits, and serve you targeted ads based on those inferences. While some customers might want to receive targeted ads based on their sensitive information, it should be a choice. Broadband providers should have to ask permission before using their customers’ sensitive data for advertising.

Myth:
Privacy rules will prevent ISPs from sharing your information with third parties such as 9-1-1 operators in an emergency.
Reality:
Federal law (47 U.S.C. § 222) allows broadband providers to provide customer information to emergency responders, such as 9-1-1 operators, in order to respond to a user’s call for emergency services.

Related Reading

Samir Jain Testimony for House Committee. White document on black background.

CDT VP of Policy Samir Jain Testimony Before U.S. House Energy & Commerce Committee on “Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights”
The CDT logo. A light and dark grey "cdt" alongside "Center for Democracy & Technology" on a white background.

Deprecating third-party cookies: a small step towards a more private web
CDT brief, entitled "Unintended Consequences: Consumer Privacy Legislation and Schools." White and blue document on a grey background

Brief – Unintended Consequences: Consumer Privacy Legislation and Schools