Can Your Internet Provider Sell Your Browsing History? (Yes, and Here Is Why)

It is a fair question to feel uneasy about. Every website you open, every app that connects, every search that leaves your phone passes through your internet provider first. So can they actually see all of it, and worse, can they sell it? In the United States, the short answer is that they can see a lot, and they are largely free to profit from it. The reason traces back to a single piece of legislation from 2017 that barely made the headlines, even though it stripped away a privacy right you were about to be handed.

What your internet provider can actually see

Your internet service provider sits between you and everything you do online, which gives it a uniquely complete view. Even though most of the web now uses HTTPS, which hides the specific pages you read and the content you send, your provider can still see which sites and services you connect to, how often, and for how long. On mobile, it can also tie that activity to your device and your approximate location.

Stitched together over weeks and months, that pattern is deeply revealing. The pharmacy you visit online, the bank you log into, the health forum you read at 2 a.m., the dating app you open: none of it requires reading the actual content to paint a vivid picture of your life. That picture has real commercial value, and that is exactly the problem.

The 2017 law almost nobody talks about

To understand why your provider has this much freedom, you have to go back to a fight most people never noticed.

In 2015, the Federal Communications Commission reclassified broadband providers as common carriers, which pulled them under Section 222 of the Communications Act, the same privacy duty that had long applied to phone companies. Building on that, in October 2016 the FCC under then-Chairman Tom Wheeler adopted a set of broadband privacy rules. The centerpiece was simple and squarely on the side of consumers. Before an internet provider could use or sell your sensitive information, including your web browsing history, your app usage, and your precise location, it would have to get your explicit opt-in permission first. That requirement was scheduled to take effect on December 4, 2017.

It was killed before that date ever arrived. In early 2017, Senator Jeff Flake of Arizona introduced a resolution, S.J.Res. 34, to repeal the rules using the Congressional Review Act, a rarely invoked procedure that lets Congress overturn a recent agency regulation with a simple majority. A matching measure was introduced in the House by Representative Marsha Blackburn of Tennessee. On March 23, 2017, the Senate passed it on a party-line vote of 50 to 48, with Republicans in favor and Democrats opposed. The House passed it days later, and on April 3, 2017, President Donald Trump signed it into law during his first term. With one signature, the rules that would have required your permission were erased.

In fairness, supporters of the repeal made an argument worth stating. They said the rules were heavy-handed, that the strongest provisions had not taken effect yet, and that providers still answer to the Federal Trade Commission and to a handful of state privacy laws. Those points are not nothing. But strip away the framing and the result is plain: the one specific, enforceable protection that would have put you in control of your own browsing data was deliberately removed, and then made unusually hard to bring back. That is why, years later, your internet activity remains a product your provider can package and sell.

What you can do about it (and what it will not fix)

You are not powerless. You can shrink what your provider sees by sticking to HTTPS sites, turning on encrypted DNS in your browser or device settings, and using a trustworthy VPN, which shifts that visibility away from your ISP. Just remember a VPN moves the trust to the VPN company, so choose one with a real reputation. You can explore more no-cost options on our free privacy tools page.

Here is the honest limit, though. Locking down your internet connection protects what happens from today forward. It does nothing about the personal information that is already out in the open. Your name, current and past addresses, phone numbers, and relatives are very likely already published on dozens of data broker and people-search sites, pulled from public records and old data deals that have nothing to do with your ISP. That is a separate leak, and it is already running.

Cleaning up what is already out there is the harder half of privacy, and it is where good intentions usually break down. Consumer Reports studied how well data removal actually works and found that automated and do-it-yourself methods cleared only about 27 percent of listings, while trained people working the process by hand reached around 70 percent. The gap is not effort. It is the sheer number of sites involved and the discipline to keep coming back as your data reappears. That is the reason we built Privoria around real people instead of a bot.

Frequently asked questions

Can my ISP see what I do on HTTPS websites?

HTTPS hides the specific pages and content, but your provider can still see which sites and services you connect to and when. That metadata alone is enough to build a detailed profile.

Does a VPN completely hide me from my internet provider?

A VPN hides your activity from your ISP, but it routes everything through the VPN company instead. You are trusting that provider rather than your ISP, so the reputation of the VPN matters a great deal.

Is it actually legal for my ISP to sell my data?

At the federal level there is no longer a rule requiring your opt-in consent for most of this, after the 2017 repeal. Providers remain under general FTC oversight, and a handful of states have passed their own protections, but the landscape is a patchwork rather than a guarantee.