In 2016, the Federal Communications Commission (FCC) proposed a new policy that would place stronger restrictions on what Internet service providers such as Comcast, Verizon, and AT&T can do with customer data. The goal of the proposal was to ensure that customers have the information they need to make informed decisions about whether and how their data is used and distributed by their internet providers.
How Things Were in 2016
Internet providers handled all online traffic. They had a clear view of all unencrypted online activity and could easily track which websites users visited, how often, how long they stayed on a site, their location, and more. This differed from users' relationships with websites and apps, where users could instantly cut contact by switching sites. Even when data was encrypted, service providers had enough access to online activity to infer private information such as financial hardships and medical conditions.
The FCC’s proposed regulations would have set service providers apart from data-collecting social media sites like Facebook or Google. Sites like those are regulated only by the Federal Trade Commission (FTC), which has a limited amount of authority to regulate and control how private information is handled.
The 2016 FCC Proposal: Three Principles
The FCC’s 2016 Broadband Consumer Privacy Proposal revolved around three principles: choice, transparency, and security. First, a consumer should have the right to make a meaningful and informed decision about what data their provider uses and what the provider is able to do with that data. Second, consumers should know how the data is being used, so providers would need to present their privacy practices in a way that any customer would be able to understand. Third, it would be the responsibility of providers to protect their customers' data across their networks.
What Happened Next: The 2017 Rollback and Its Aftermath
The FCC formally adopted the Broadband Privacy Rules in October 2016. However, in March 2017, Congress used the Congressional Review Act to repeal the rules before they took effect — the first time the CRA had been successfully used to block a major FCC regulation. The repeal eliminated the opt-in consent requirements for ISP use of sensitive data and returned ISPs to the pre-rule status quo, regulated only by the FTC’s general authority under Section 5 of the FTC Act.
The 2017 repeal sparked significant debate about the appropriate regulatory framework for broadband privacy. Critics argued that ISPs occupy a uniquely powerful position in the data ecosystem — they see all of a user’s unencrypted traffic regardless of which websites or apps the user visits, and unlike websites, users cannot easily switch to a competing network. Defenders of the repeal argued that ISPs should be regulated under the same framework as edge providers (websites and apps), and that the FCC’s rulemaking had created an uneven competitive landscape.
The Current Legal Framework for ISP Privacy
As of 2024, broadband providers in the United States are not subject to sector-specific federal privacy regulations. The framework governing ISP data practices is a patchwork of:
FTC Section 5 Authority
The FTC has general authority under Section 5 of the FTC Act to prohibit unfair or deceptive trade practices. In the ISP context, this means the FTC can act against an ISP that represents it will not share customer data and then shares it, or that collects data in ways consumers would not reasonably expect. But the FTC cannot promulgate sector-specific regulations governing ISP data practices — its authority is limited to enforcement in individual cases of deception or unfairness.
State Privacy Laws
Several states have enacted privacy laws that apply to ISPs. The California Consumer Privacy Act (CCPA), enacted in 2018 and significantly expanded by the California Privacy Rights Act (CPRA) in 2020, gives California consumers the right to know what personal information is collected about them, the right to delete it, and the right to opt out of its sale. ISPs operating in California must comply with the CCPA/CPRA. Other states with comprehensive privacy laws as of 2024 include Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana, among others.
Broadband Nutrition Label Requirements
In 2022, as part of the Infrastructure Investment and Jobs Act, Congress required the FCC to develop a “broadband consumer label” — a standardized disclosure format that allows consumers to compare ISP plans. The FCC adopted rules for broadband nutrition labels in 2024, requiring providers to disclose speeds, data allowances, monthly prices, and introductory rates in a standardized format. These labels do not directly regulate data privacy but do increase transparency about the terms of broadband service.
FCC Rulemaking Attempts
The FCC, under the Biden administration, attempted to reinstate broadband privacy rules and reclassify broadband as a Title II telecommunications service — a classification that would have restored the FCC’s authority to impose sector-specific privacy regulations on ISPs. The FCC restored Title II classification in 2024, but court challenges and the subsequent change in administration have created ongoing uncertainty about the durability of that reclassification.
What ISP Privacy Rules Mean for Internet Users and Businesses
The ongoing regulatory uncertainty around ISP privacy has practical implications for both consumers and businesses:
- Consumers in states with comprehensive privacy laws have meaningful rights over their ISP-collected data. Consumers in states without such laws have fewer protections and rely primarily on contractual privacy policies, which ISPs can modify with notice.
- Businesses that collect customer data through ISP partnerships or that operate in the broadband sector must navigate a complex, state-by-state compliance landscape rather than a single federal standard.
- E-commerce and online service providers should understand that their customers’ ISPs may have access to traffic metadata — including the fact of a customer’s visits to their site — even when the site uses HTTPS encryption. This affects risk assessments for sensitive-use applications.
Contact Revision Legal About Internet Privacy and Compliance
Businesses navigating internet privacy compliance — whether in the ISP sector or in the broader online economy — benefit from counsel that understands both the regulatory framework and the technical environment. Revision Legal’s internet lawyers advise clients on privacy compliance, data collection disclosures, and terms of service that accurately reflect their data practices. Contact us at 855-473-8474.