What Can You Do to Protect Your Data from ISPs?

When you connect to the internet through a modem, you are using an internet service provider (ISP). These providers are most often cable and telephone companies.

“Basically, everything you do to access the internet goes through their system before it gets to Google or Facebook or wherever you’re going to,” says Michael Bien, an attorney at Rosen Bien Galvan & Grunfeld in San Francisco. “They have 100 percent access to all of your information; every keystroke, every website, every financial transaction, every email that you send.”

While some states have implemented data privacy laws, many Americans still lack comprehensive protections in the absence of federal privacy laws. If you suspect your provider has crossed a line, a consumer lawyer with experience in data privacy and cybersecurity can help you evaluate your options and assert your rights.

What Kind of Data Does Your ISP Collect?

ISPs collect a broad range of personal data from individuals. Consumers typically have limited knowledge and control over what’s collected and how it’s used.

Browsing Habits

The most pervasive data collection is browsing habits. This includes the URLs visited, time stamps of when those sites are visited, visit frequency, and duration of time spent visiting each URL. Using private or incognito mode does not prevent an ISP from tracking this information.

Search Activity

The second most popular type of data collected is search queries. These are the terms entered into search engines. An ISP may also collect the search engine used to make the query, and additional metadata used by the search engine.

Movement and Location

Location data is also collected. This is the IP address each user has when accessing the internet from a device. It can be related to wi-fi triangulation to determine a more accurate location of an internet user. The ISP can track the individual’s movements as they live at home, go to work, travel, and shop. When connecting to a network, the router uses IP addresses to direct traffic between different networks, such as a home network to the internet.

Apps

As more people depend on their mobile devices, ISPs have increased their tracking of app usage and device traffic. They will track which apps are used, for how long, and the type of content consumed on those apps. For many people, this means tracking their social media activity.

Streaming

For individuals who stream content, ISPs will track their watching behaviors. This includes the apps used to stream, the titles of the shows watched, the duration watched, and the time of day they are streamed. Some ISPs may throttle or prioritize certain streaming services, giving them an incentive to track usage.

Shopping

If a consumer shops online, an ISP will track their online purchases, carts, checkouts, and product browsing activity. This information becomes highly valuable to online advertisers and data brokers.

Online Communications

Communication methods are tracked. While the contents of emails aren’t specifically tracked (this would be content, not metadata), email sender and recipient logs can be tracked along with timestamps and message frequency.

Cross-Device Usage

Most recent tracking developments have become more sophisticated, with ISPs tracking across devices. AN ISP will track a MAC address tagged to a specific device, including the operating details and browser information. Then, it will connect this to the user’s profile. This allows ISPs to track a single user’s activity across devices.

How Do ISPs Use Your Personal Data?

With the vast amount of data collected, ISPs create behavioral profiles based on user activity to sell ad space or data to third parties such as retailers, insurance companies, and financial institutions.

ISPs sell raw or processed data to third-party data brokers, who may merge it with credit history, public records, or purchase behavior. The data could also be resold to marketers, employers, or even law enforcement without a warrant. Internally, an ISP may use the data to optimize its own network performance by predicting peak usage times and personalizing the user’s experience.

Your ISP is one of the most powerful data collectors in your digital life. Understanding how they use your data is the first step toward asserting your rights and making informed choices about tools, policies, and advocacy.

“People have gotten used to a lot of invasions of privacy. Any time a government agency or a private entity is collecting mass amounts of information about us, we all should be concerned,” Bien says. “No matter how well-intentioned they are and how wonderful the purpose may be, that information can be accessed by somebody — whether it’s a government entity or private party or a foreign government. Once the information exists, it can be tapped — with or without a court order.”

Practical Tips for Securing Your Internet Activity

Individuals who are concerned about their internet privacy and security have options. However, it’s important to note that ISPs still retain a certain amount of visibility, especially for the domains you access and activity timestamps.

Virtual Private Network

A virtual private network, or VPN service, is one option to protect your internet activity. Essentially, a VPN protects your internet data by acting as a firewall, and it replaces your IP address with that of the VPN provider. “They have their own risks,” says Bien. “It’s not a perfect solution, but it does provide some protection.”

A VPN server can provide privacy by encrypting your internet traffic and hiding your IP address. It prevents the ISP from seeing specific sites that you visit or the content you consume on those sites. If using a public wi-fi network, a VPN is essential for creating a layer of security from ISPs and prying eyes. It protects devices from malware and anyone looking to tap into your device while connected to the network.

Delete Cookies and Cache

Another simple method of protecting privacy is to regularly delete cookies and clear the browser cache. Tracking cookies and cached data can be used to build long-term behavioral profiles.

Enable settings to clear cookies on exit, or use private/incognito modes when needed. Consider privacy extensions that work with your web browser.

Use HTTPS

Another method of securing data is to enable HTTPS everywhere. Use browser extensions that automatically switch websites to secure, encrypted versions (HTTPS). This prevents ISPs from seeing the full contents of pages you visit, although they may still know the domain name.

Most modern websites use HTTPS by default, but this adds an extra layer of certainty. You may see an SSL certificate error for websites that do not have their HTTPS configured correctly.

DNS Requests

Use DNS over HTTPS (DoH) or DNS over TLS (DoT) to encrypt traffic and prevent your ISP from logging it. DNS queries (translating URLs into IP addresses) are often unencrypted by default. Look for DNS servers that balance privacy with user speed.

You can prevent an ISP from collecting data by using a browser that has more robust built-in privacy features. Look for a browser that blocks trackers or routes traffic through multiple layers of encryption and relays, hiding both user identity and location. Firefox and Tor are examples of browsers that come with more robust security features.

Independent Email Server

When communicating through email, use an email address that is not ISP-provided. These often come with less robust spam and privacy controls. It also makes ISP tracking harder.

Firewall

Use tools to get real-time alerts on outbound connections. Install software firewalls to monitor which applications are sending or receiving data. These help block suspicious traffic and reduce unintentional data exposure.

Separate Home Network

Smart TVs, appliances, and assistants frequently send background data to manufacturers and through your ISP. Disable features like voice control, automatic updates, or location sharing where possible. Set up a separate internet connection for IoT devices to isolate them from your main browsing activity.

Federal Laws Protecting Your Information

Several federal and state laws are in place to protect internet users:

• The Children’s Online Privacy Protection Act (COPPA) requires parental consent before collecting data from children under 13. It applies to ISPs, apps, and websites that are directed at or knowingly used by children.
• The Health Insurance Portability and Accountability Act (HIPAA) protects personal health data, especially when accessed through telehealth platforms or health-related apps. While HIPAA doesn’t apply directly to ISPs, the data they transmit in healthcare contexts may fall under it.
• The Gramm-Leach-Bliley Act (GLBA) governs how financial institutions handle customer data. ISPs may interact with this law if offering bundled services or partnering with financial services.

The Federal Trade Commission (FTC) enforces against “unfair or deceptive practices,” which include misusing or misrepresenting data handling. While the FTC can fine companies or require consent decrees, it lacks rulemaking power for broad privacy standards.

State Laws Protecting Your Information

Several states have enacted their own data privacy protections. While the laws vary, there are some commonalities. For example, many empower users to know what information is collected, including a right to access, correct, or delete personal data. Users have a right to opt out of targeted advertising and data sales.

These laws generally apply to companies meeting certain revenue, data volume, or consumer thresholds.

Find Experienced Legal Help

If ever you feel your rights are being violated or an internet provider is doing something illegal, it never hurts to reach out to an experienced and reputable attorney.