A lot has been made of late about what your ISP knows about you and what it should legally be allowed to know.

Let’s try to clear up some of the confusion by going over five things you need to know about ISP privacy:

1. ISPs can’t sell data on individuals.

Under the US Telecommunications Act of 1996, a carrier can only use individually identifiable customer information to provide its service, unless it gets customer permission or is required by law (say a warrant).

2. ISPs do have explicit authority to sell aggregated information.

The same Telecommunications Act we just mentioned says a carrier “may use, disclose, or permit access to aggregate customer information…” Although lots of research has shown how anonymized aggregate data can be de-anonymized.

3. ISPs might not have legal authority to sell browser history.

The Wiretap Act makes it illegal to “intercept or endeavor to intercept, any wire, oral, or electronic communication” except under “color of law.” The courts disagree over whether URLs are the contents of the communication.

SEE: Nine ways to disappear from the internet (free PDF) (TechRepublic)

4. ISPs have to disclose what they do with your data.

Under the part of the 2010 open internet rules that were upheld in a federal appeals court (different than the 2015 open internet guidelines), ISPs are required to disclose their network management practices, performance characteristics, and terms and conditions. The FCC used this provision to fine Verizon for secret cookie tracking of its customers last year.

5. ISPs target demographics not individuals.

ISPs want to use aggregated data to sell ads. AT&T was doing this when it gave customers a discount in exchange for permission to scan browsing history to deliver ads. AT&T ended that program in September 2016 but it’s free to bring it back.

This all may or may not change the way you feel about ISPs and privacy but at least you have a few more facts in your arsenal.

For more about ISPs, check out the following articles: