OTW Legal has gotten some questions about Internet privacy since March, when U.S. lawmakers overturned regulations that had been set to go into effect later this year. The regulations were supported by prominent and knowledgeable people like the former head of the U.S. Federal Communication Commission. But they hadn’t gone into effect yet — what U.S. lawmakers actually did was make sure that nothing changed.
The regulations in question mainly concerned the ability of your Internet service provider (ISP) to sell your data to third parties. The data we’re talking about here is theoretically anonymized, which means it shouldn’t be linkable to you personally. The proposed regulations would have restricted ISPs’ ability to sell that data. But with the repeal of the proposed regulations, ISPs will continue to have the ability to sell aggregated data. This data is supposed to result in more effectively targeted advertising, as we’ve all probably noticed as we browse the Internet. What makes the data valuable is that the ISP can tell market researchers something like, “People who spend a lot of time on AO3 tend to overall also buy a lot of Brand X product.” Some people like that market researchers can do this and some people don’t.
To be clear, the kind of aggregated data that ISPs can sell only identifies general trends among many people, and not what an individual person did. Selling “individually identifiable” data remains illegal in the U.S. under a separate statute that hasn’t been affected by these regulations being repealed. So ISPs are not now, nor have they ever, been allowed to sell data that can be traced back to a specific person.
So the law doesn’t change the status quo, but it doesn’t mean that any data is 100% safe, either. Hacks do happen, and anonymized data can easily be de-anonymized if you have enough data points to extrapolate from (especially since location is often one of the data collection points). We can’t say that no hack will ever happen that might reveal individual activity on websites, because we have no control over how ISPs are securing the data they’re collecting on you.
What does all of this mean for U.S. fans? So far, the major U.S. ISPs (such as AT&T, Comcast, Verizon) maintain privacy policies and have vowed not to sell your data to third parties. The overturned regulations would have required them to maintain these privacy policies and forbade them from selling your data to third parties (at least without your permission). The effect of the recent law is basically that now we’re in a world where they can change their minds.