
Trump just killed Obama’s internet privacy rules — here’s what that means for you

Jeff Dunn

Republicans have made a big decision about the future of your online data — and many people aren’t happy about it.

On March 28, Congress voted along party lines to kill a set of rules passed by the Federal Communications Commission last October that would’ve forced your internet service provider to ask you before it collects certain personal information. In both cases, Republicans voted to repeal the rules, while Democrats voted against.

The joint resolution that enacts those changes, S.J. Res. 34, was presented by GOP senator Jeff Flake of Arizona and co-sponsored by 24 other Republicans.

President Trump quietly signed the resolution on Monday night, turning it into law.

So does this mean your internet provider now has free rein over everything you do online? The answer is yes and no. But notably, the rollback could also lead to a more fundamental change to how the internet is run. Here’s a rundown of what’s happened, and what it means for you.

Read on to learn how repealing the FCC’s privacy rules will affect you — or jump ahead to see how we got here, arguments from both sides of the debate, if your ISP can see/sell everything about you, what ISPs are saying about how they’ll approach privacy, how ISPs could approach your data like Google and Facebook, what you can do to keep your data private, how net neutrality could be affected, and if other laws can be made around privacy.

How did all of this get started?

Let’s take a step back. An internet service provider, or ISP, is a company that, well, provides internet service. This includes firms that sell internet access for your phone (Verizon, AT&T, T-Mobile, Sprint) and/or internet access for your home (Verizon, AT&T, Comcast, Charter, etc.).

In the early 2000s, the US government classified these companies as “information service providers.” That meant they were subject to rules set under Title I of the Telecommunications Act of 1996, which broadly decides how telecommunications companies are governed.

As the internet market progressed, though, many liberals and Democrats in Washington became increasingly concerned with what they saw as potential anti-competitive behavior by those ISPs. This led to a fierce argument over “net neutrality,” or the idea that ISPs should be legally required to treat all traffic equally, instead of playing favorites for financial gain.

Democrats tried on multiple occasions to enforce net-neutrality principles over ISPs, but each time their attempts were shot down because ISPs were classified under Title I. The surest way to make net-neutrality laws legally enforceable, they said, was to reclassify ISPs as “telecommunication providers” using Title II of the Telecommunications Act.

So in 2015, after years of fiery debate, the Democrat-led FCC did just that. They then set in place the 2015 Open Internet Order, which legally forces ISPs to not block, throttle, or prioritize the speeds of websites as they see fit. It, in essence, treats the internet as a public utility — i.e., something everyone in America needs, like electricity or running water.

The 2015 Open Internet Order also aggravated many Republican members of Congress and the FCC. They said (and continue to say) the internet was not broken to the point where such laws were necessary, and that Title II would slow down what should be a fast-moving, mostly-free market.

Opponents also argued that reclassifying ISPs under Title II put those ISPs under far greater regulatory pressure and oversight than they had under Title I. In other words, the FCC gained significantly more power over what ISPs can and cannot do.

Which brings us, finally, to the privacy debate that’s transpired.

One of the things the FCC gained with its newfound power, in effect, was authority over ISPs’ privacy policies.

Before the Title II reclassification, the Federal Trade Commission, or FTC, looked over those policies. But by law, the FTC cannot regulate “common carriers” — which, put simply, is another term for companies that provide a utility service. And the internet is now considered a utility after the 2015 Open Internet Order. With that in place, ISPs are common carriers, so their internet privacy policies are exempt from FTC oversight.

This created a “gap” of sorts in regulation. To fill it, the FCC set about creating its own set of privacy rules specifically for ISPs.

Many of those rules took after the guidelines recommended by the FTC prior to the Title II classification. ISPs would’ve been free to use some “non-sensitive” personal data, like email addresses, for advertising purposes without having to ask customers beforehand, but they’d have had to give those customers the option to opt-out of that practice.

With other, “sensitive” personal data — like Social Security numbers, children’s info, financial info, health info, and location data — the FCC would’ve forced ISPs to give customers the chance of opting in before an ISP could collect the data. Again, this is the same recommendation — but not mandate — presented in the FTC’s privacy guidelines.

However, the FCC’s privacy rules made the notable exception of including web-browsing and app-usage data in the “sensitive” data category. They would’ve forced ISPs, and only ISPs, to let customers choose whether to opt-in or opt-out before they could share that data with advertisers and other third-parties. This is the main difference between the FCC’s rules and the FTC’s guidelines.

It also outraged the ISPs, some of which are interested in making a bigger play in the digital advertising business. Verizon, in particular, spent billions on AOL and Yahoo to do just that.

But the non-ISP companies it competes with in that space, namely Google and Facebook, still only have to follow the FTC’s privacy guidelines.

That means they can collect data that shows what sites their users browse and what apps they use without having to ask for permission first. In turn, they have less of a chance of their users opting out, and losing revenue.

So, in many ways, this whole thing was a question of default settings.

When ISPs say they want to be regulated under the same FTC guidelines as Google and Facebook, what they mean is they want their data targeting to be opt-out by default (and that they don’t think web-browsing and app-usage data are “sensitive” info). People are less likely to turn off a privacy setting if they have to go out of their way to do it.

The good news for ISPs is that they may now have even more freedom than Google and Facebook, but we’ll get to that in a bit.

In any case, it’s crucial to note that the FCC’s “opt-in” provision had not taken effect yet. It wasn’t scheduled to until early December. So the rollback doesn’t take away any rights you had today. It’s more about ensuring that the status quo stays in place, and letting ISPs move forward with their advertising ambitions, for the foreseeable future.

Many Republicans fell on the side of the ISPs.

Many in the GOP argued it’s unfair to create different sets of privacy regulations for ISPs and “edge providers” — i.e., internet-based companies like Google and Facebook that provide services on the ISPs’ networks.

They said the FTC’s privacy framework has sufficiently protected user privacy over the years. They ultimately want all privacy regulations of ISPs to return to the FTC, but for now, they say any FCC privacy policies should follow the FTC’s framework, which could create more competition in a digital advertising market where Google and Facebook are by far the two most dominant players in the country.

Meanwhile, many Democrats said any imbalance is justified.

Democrats argued that an ISP has the potential to see and collect more about you than an edge provider. You can simply disable location services with an app, for example, but a mobile ISP can always see where phones are connected to its cell towers.

They also argued you have greater choice when it comes to using different websites than different ISPs. It’d be very impractical, but if you really wanted to get around Google and Facebook’s footprint, you could. But in many places, particularly in rural America, there isn’t much choice between ISPs. According to the FCC’s latest Internet Access Services report, for example, only 24% of developed housing areas had at least two ISPs that offered official broadband speeds.

Democrats also noted the difference in business models: With Google and Facebook, there is an implicit handshake that their ad policies are how you “pay” for their sites and apps, most of which are free. If an ISP practices the same policies, though, they’re double dipping — they charge you monthly for internet service, and they collect your data for ad dollars.

Nevertheless, the resolution is now law. And the way Republicans passed it is important.

They used a tool called the Congressional Review Act — or CRA, if you can handle another acronym — which the GOP is using en masse to repeal federal regulations passed late in the Obama administration. It allows them to do so with a simple majority vote.

Beyond just repealing regulations, though, the CRA also prohibits those federal agencies from ever making “substantially similar” rules again. How far that’d go in court is still unclear, but now that President Trump has signed S.J. Res. 34 into law, the FCC cannot ever make another set of rules that make ISPs follow the same privacy guidelines it passed last year.

At the same time, the FCC will remain in charge of ISPs’ privacy policies. That’s because the 2015 net-neutrality order still classifies ISPs as common carriers — a fact many Republicans still loathe — and the FTC is still prohibited from regulating those.

Does this mean my ISP can just see and sell everything about me?

Not quite. But to be clear, this is a glorious result for ISPs like Verizon and Comcast that are banking on digital advertising being a big new revenue stream.

They have an absolute treasure trove of user data that advertisers would love to see: They know your name, they know where you are, they could track what places you visit on the road, and they can see every site you visit over their network. Much of this data is stuff they need to provide you with internet service in the first place.

Pair that with the amount of content these guys are buying, and you have the makings of some immense businesses.

Just last week, Bloomberg reported that Verizon is working on a Sling TV-style live TV streaming service. Let’s say it’s good: That creates a scenario where you could pay a monthly fee for Verizon’s mobile internet, pay another monthly fee for its FiOS home internet (and/or cable) service, pay another monthly fee for its live TV service, watch a bunch of ad-supported videos on AOL, or Yahoo, or Oath (or, in a different life, go90), and implicitly pay the company through its beefed-up, deregulated ad network.

Those ads can potentially be super personalized to you because it can follow every URL you visit on its network, and, especially if you stream its video apps, the kind of content you like. This would ostensibly make you more likely to click through the ads, thus attracting a bigger premium for Verizon’s ad space.

Now let’s say the net-neutrality order gets repealed, and Verizon is able to charge companies for faster internet access on its network (while exempting its own services, because it is allowed to do that now).

There’s a lot of hypotheticals in that, per usual with this line of argument, but it’s not that far from being a reality. 

All that said, the data ISPs can collect isn’t omnipotent.

Again, the FCC still has authority over ISPs’ privacy practices. While it now cannot enforce the Obama privacy rules, it can still regulate particularly unjust violations of privacy by ISPs on a case-by-case basis via the Communications Act, the 1930s-era (!) set of laws upon which the Telecommunications Act is based.

So, for example, your ISP can’t take your specific browsing history, tie it to your name and address and Social Security number, then sell that little package to the highest bidder. No amount of angry fundraising will let you buy Congress’ internet data.

Aside from being asinine business, that would violate Title II, Section 222 of the Communications Act, which says common carriers cannot permit access to “individually identifiable” customer data in all but a few specific instances (like when required by law).

The FCC has punished ISPs for data-tracking policies it’s found unreasonable in the past. Last year, for example, it went after Verizon for inserting advanced ad-tracking “supercookies” into its users’ mobile traffic without their consent.

It fined the company $1.35 million, and applied a three-year compliance plan that requires Verizon to obtain opt-in consent before sharing that “supercookie” data with third-party advertisers, and, more leniently, to give an opt-out option when using that data for its own ad networks. That compliance plan is still in place today.

If you take them at their word, groups representing the big ISPs pledged in January that, if the Obama privacy rules were killed, they’d voluntarily follow privacy guidelines that mostly take after the FTC’s framework.

In a notice sent out through one of their biggest trade groups, the CTIA, the ISPs said they’d “follow the FTC’s guidance regarding opt-in consent” for sensitive information “as defined by the FTC.”

That, in all likelihood, means they’ll let you give explicit consent before they share your location data, children’s info, health info, and so on with advertisers.

What the CTIA did not say it would make “opt-in” by default, though, is your web-browsing and app-usage data. Earlier in March, the CTIA explicitly argued in a petition to the FCC that such data wasn’t “sensitive.” Nothing in the Communications Act says anything about that, either.

Instead, the CTIA’s January notice says the ISPs will let you opt-out of policies that collect that and other “non-sensitive” customer data — for third-party marketing.

For first-party marketing, the CTIA’s letter only says it will rely on “implied consent” to use customer data. This suggests that, when data tracking is used for its own services or ads, an ISP may not give you an opt-in or opt-out choice, and instead assume the fact that you are using its service means you’re okay with it collecting that data.

This isn’t particularly new or surprising, but the larger point is that you have to take ISPs at their word now.

Yes, the FCC has punished intrusive ad-tracking without strong privacy regulations in place before, but that was under the previous chairman, Tom Wheeler, who took an unusually critical eye to ISP activities.

But the current chairman, Ajit Pai, is his predecessor’s polar opposite: extremely hands-off, and a proponent of ending Title II regulation of ISPs altogether. 

“One of the big questions will be whether the FCC decides to enforce some of these restrictions,” said Julie Brill, co-head of privacy firm Hogan Lovells and former FTC commissioner under Barack Obama. “That’s going to be up to the commissioners and the staff to decide how and whether they move forward.”

What do the ISPs say about how they’ll approach privacy?

In any case, we asked Verizon, AT&T, Sprint, Comcast, T-Mobile and Charter to clarify how they’ll go about their privacy policies after the repeal.

Comcast, T-Mobile, and Charter did not reply to requests for comment. The other three referred us back to the CTIA — instructive in Sprint’s case, since it’s not formally listed on the January notice — while Verizon and Sprint linked us back to their current privacy policies.

For what it’s worth, Sprint’s main mobile advertising program is currently opt-in, while most programs on Verizon’s page are opt-out, with others opt-in. Charter and T-Mobile both provide opt-out options for their targeted ad programs, as well.

Comcast also pointed to the CTIA’s notice in a blog post last Friday, reaffirming that it will let customers opt-out of sharing their web-browsing history in the process. The company said it will continue to let customers opt-out of receiving targeted ads, too, and that it won’t sell its customers’ “individual browsing history” to third parties.

As Ars Technica notes, though, Comcast still runs its own ad network. It sells targeted ads for other businesses, and uses the data it has on its customers to better reach those ads’ potential audience. So you’re still likely to see targeted ads. But, in this case, Comcast has some incentive to not share its users’ history, since its particular ad business depends on outside advertisers needing Comcast to best serve their ads.

AT&T also put out a blog post touting its privacy policy last Friday, and said it “will not sell your personal information to anyone, for any purpose. Period.” What the company defines as “personal information,” though, is slightly vague. When asked to clarify, an AT&T rep pointed to the company’s privacy policy FAQ page.

There, AT&T defines it as “information that directly identifies or reasonably can be used to figure out the identity of a customer or user,” like a name, address, phone number, or e-mail address. So it wouldn’t tell advertisers outright that I’m Jeff Dunn, for instance — which, again, it probably cannot do by law.

But the company leaves the door open for sharing “anonymous information,” which it calls info that cannot “reasonably be used” to identify you directly. It also doesn’t say anything about not sharing “aggregate information,” where it lumps customer data into anonymized groups.

Verizon made it clear that it does the same in its own statement last Friday. The company reiterated it will not share directly identifiable info with advertisers, but it will still collect personal data, then de-identify or aggregate it before selling it for targeted ad purposes.

Comcast did not reply to a request to specify what it defines as “individual browsing history.”

In each case, though, it’s unclear if web-browsing and app-usage data would fall under “personal” or “anonymous.” But given that the CTIA’s letter deems such data as “non-sensitive,” just as the FTC does, it’s likely to be the latter.

Much of the time, learning about the privacy policy of your ISP means finding it, doing a good chunk of scrolling and reading to actually figure out what the ISP is doing, and, sometimes, calling up the ISP to decide how you want your data treated. In the future, you may have to wait and keep a lookout for whatever policy updates they make (though AT&T is promising to notify customers of any revisions in advance).

This was part of the point of ISPs’ cries against the opt-in mandate for browsing data: Many people just won’t go through this much trouble to stop ISPs from taking the data they want. You can lament this laziness all you want, but there’s a reason this has become a national issue. That lack of motivation is money.

So will ISPs do anything different than Google and Facebook?

Possibly. But ISPs could face both advantages and disadvantages in the digital ad market.

Given their pledges to follow the FTC’s guidelines, ISPs are likely to approach your data the way Google and Facebook do.

Chances are they’ll make a profile of you that won’t use your specific name, but will give you a random, anonymous identifier, then collect your location, browsing history, app usage data, gender, and probably other info about your demographic.

ISPs can then sell those de-identified profiles to advertisers. Those advertisers can plug that info into computerized programs, which can put personalized ads on the apps and webpages you visit. The ISPs aren’t selling you so much as they’re selling the idea of targeted advertising, monetizing the gobs of info they have on their customers’ habits.

For example, let’s say I frequently visit websites about the Red Sox and use MLB’s streaming app all the time. If I don’t opt-out of its data-collection policies, my ISP could signify my traffic is coming from a mid-20s male that is located in New Jersey and likes baseball.

The ISP could then make money by helping some advertiser’s algorithms understand that they have a better chance of getting my attention by serving up, say, an ad for tickets to upcoming baseball games. All of this happens within seconds.

The advertiser doesn’t know I’m Jeff Dunn, but it can get a good idea of my online interests, since my ISP can see wherever I go on its network.

You’ve seen this before: It’s called behavioral targeting, and Google, Facebook, and others make lots of money off it today. What’s new is the sheer amount of data an ISP could see compared to those companies, and thus the level of personalization they could achieve.

Remember that “supercookie” tiff above? What Verizon did there was stick its customers with unique identifiers on a network level. It was able to track your habits — and share that data with advertisers — any time you used its network, wherever you went online. You can opt-out now, but before, there was effectively no way to dissociate yourself from the tracking.

Theoretically, the fact that an ISP controls a network gives it the ability to reach further than an internet company. For instance, the fact it can see your location whenever you’re connected to its network gives it a better chance of seeing how effective targeted ads are. It can more easily tell if I went to Yankee Stadium after seeing that baseball ticket ad.

With Google, its apps need permission to see where I am. An ISP knows it by default. If they ever build out their ad networks further, and if they can get people watching their content services (which will be zero-rated), ISPs will ostensibly have the most powerful tools for advertisers to work with.

You’ll notice I keep using qualifiers like “could” and “theoretically,” though. Aside from some ISPs’ own promises to not sell personal info, any advantage those ISPs have with data collection isn’t that much greater right now than what Google and Facebook have.

Those two have already built massive ad and content networks that, practically speaking, are difficult for an average denizen of the internet to escape from. According to Nielsen, for instance, Facebook and Google ran the eight most popular apps in the country in 2016.

And stepping outside of their ad networks isn’t as simple as just not visiting Google- or Facebook-owned websites. They can’t reach everywhere the way an ISP could, but they do have their tracking code on many major sites.

Google Analytics, for instance, is used by numerous companies to track people who visit their sites. Facebook has also been found to buy personal, offline information — like loan history — from data brokers to target their ads further. If the two aren’t a duopoly in digital advertising, they’re at least something close to it.

Beyond that, more and more websites are getting encrypted. If you see a “HTTPS” in front of a site’s URL, that means it’s using a secure layer on top of the standard HTTP web protocol.

It also means that an ISP cannot see exactly what sites you visit beyond the base URL of that site. An ISP could know that you visit WhiteHouse.gov, for instance, but it couldn’t see if you visited, say, the Legislation page of the White House’s site.

The ISP can still glean a good amount by seeing every site you visit in the first place — and that encryption won’t matter much if it runs the site you’re visiting — but it does provide you with some sort of buffer. 

However, it’s worth noting that this isn’t entirely foolproof: There are techniques to get more specifics on what people are searching, and the US Department of Homeland Security has discovered tools that can weaken the security of the encryption. 
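The HTTP/HTTPS difference described above can be seen in the first bytes a browser puts on the wire. This Python sketch is an added illustration, not part of the original article; the sample URLs and all function names are constructed for it. It builds the opening message for each scheme without touching the network, then reports what an on-path observer such as an ISP could read from it.

```python
import ssl
import struct
from urllib.parse import urlsplit

# Constructed sample URLs (the path is illustrative, not taken from the article).
SAMPLE_HTTP = "http://www.whitehouse.gov/legislation"
SAMPLE_HTTPS = "https://www.whitehouse.gov/legislation"


def first_bytes_on_wire(url):
    """Return the first bytes a client would send for this URL (no network I/O)."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Plain HTTP: the request line and Host header travel in cleartext.
        path = parts.path or "/"
        return f"GET {path} HTTP/1.1\r\nHost: {parts.hostname}\r\n\r\n".encode("ascii")
    # HTTPS: the first message is a TLS ClientHello. Memory BIOs let the ssl
    # module produce it locally instead of sending it to a server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=parts.hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a server reply that never comes
    return outgoing.read()


def sni_from_client_hello(data):
    """Extract the cleartext server name (SNI extension) from a ClientHello."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4                      # record header + handshake header
    pos += 2 + 32                    # client version + random
    pos += 1 + data[pos]             # session id
    (suites_len,) = struct.unpack_from("!H", data, pos)
    pos += 2 + suites_len            # cipher suites
    pos += 1 + data[pos]             # compression methods
    (ext_total,) = struct.unpack_from("!H", data, pos)
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", data, pos)
        pos += 4
        if ext_type == 0:            # server_name extension
            # Layout: list length (2), name type (1), name length (2), name
            (name_len,) = struct.unpack_from("!H", data, pos + 3)
            return data[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def observer_view(url):
    """What a passive on-path observer can read from the opening message."""
    wire = first_bytes_on_wire(url)
    if wire[:1] == b"\x16":          # TLS handshake record
        return {"host": sni_from_client_hello(wire), "path": None}
    request_line, host_line = wire.decode("ascii").split("\r\n")[:2]
    return {"host": host_line.split(": ", 1)[1], "path": request_line.split(" ")[1]}


if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_HTTPS):
        print(sample, "->", observer_view(sample))
```

With HTTPS the hostname is still readable in the handshake, while the page path only travels after encryption is set up.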

Meanwhile, the trade-off of Google and Facebook’s services being free is that you let them more easily see the specific things you do on those sites. And because many of those sites are very popular, they’re able to suss out a good chunk of personal info that can be used for ad purposes. You can see why some ISPs are so eager to build content businesses.

According to Brian Wieser, a senior advertising analyst at Pivotal Research Group, this should keep Google and Facebook from feeling too threatened in the online ad industry.

“Importantly, Google and Facebook have different kinds of data, and potentially more valuable data,” Wieser said, “Google has ‘intent’ data from searching histories. It also knows what kinds of YouTube videos a consumer watches. An ISP will not have this data. Facebook knows what your personal attributes are based on what you have provided Facebook with, and also based on who is in your social network. An ISP will not have this data. Both are better-positioned with respect to cross-device-based data, as consumers can be logged in across devices.”

That last bit is also significant. Saying an ISP can see everything you do only makes sense when you’re on its specific network.

If you, say, subscribe to T-Mobile for phone service and Comcast for home internet, the two won’t cross — Comcast can’t see what you do over mobile data, and T-Mobile can’t see what you do on your home WiFi. Companies like Verizon and AT&T that offer both are in a better position, but that’s not guaranteed either.

These are all speedbumps that Google and Facebook can more readily circumvent since their services and ad networks are popular across device types.

But again, the rollback potentially not giving ISPs as big of a business advantage doesn’t do much to keep your data private. While they may not share your most outright personal info, they can get close, just as Google and Facebook can today.

More importantly, the ball is effectively in their court when it comes to their ability to collect that data in the first place. That separation between home and mobile internet may also change as 5G becomes prominent, and mobile ISPs make a bigger play for the home.

Also worth noting: Google and Facebook are happy about this.

Even though the FCC’s privacy rules didn’t apply to them, internet companies like Google and Facebook are still breathing a sigh of relief that they’re off the books. Yes, it means they have some newly-empowered competition, but their trade groups asked Congress to kill the rules earlier this year all the same.

What they feared was the precedent the Obama rules could’ve set: If ISPs were the only ones that had to ask customers for permission before they chomped up web-browsing and app-usage data, they probably would’ve made a stink about it.

It doesn’t take much to see how that could’ve led to rules that’d level the playing field again — only in that case, it would’ve had the side effect of bolstering online privacy on all sides.

And that’s really the big loss for privacy-conscious consumers: The FCC’s privacy rules could’ve set a legally enforceable baseline for how all tech companies collect your data.

Instead, Trump and the GOP have effectively decided that far-reaching data collection and more targeted ads should be the norm. You’ll still be able to opt-out of the creepy stuff, but the rollback deprioritizes online privacy as a concept.

If you don’t want big tech companies to peek at and sell what you do online — in whatever form — you have to go out of your way to change it. And, because the resolution uses the CRA, it’s probably going to stay that way for a good while.

Is there anything I can do now to keep my data private?

Yes, but none of them are perfect. We’ve already noted the slight benefits of using encrypted sites, but the most common suggestion is to use a virtual private network, or VPN. These are services that allow you to run your internet connection through another company’s remote server.

They can hide whatever you do over that connection from an ISP — and are often used to get around regional blackout policies for certain streams — but they’re usually slower than doing things the normal way, and setting them up is a process.

Plus, it’s not really hiding your data completely — you’re just shifting your trust from your ISP to whatever company is running the VPN. And while there are tons of free VPN services out there, they can’t really be trusted. To find something worthwhile, you have to pay another monthly fee.

Alternatively, you could try using the Tor browser, which aims to anonymize the traffic of its users. But again, it’s not foolproof, and it’s notably slower than a Chrome or Safari. This, again, is what’s most disheartening for consumers: To ensure your privacy on the internet, you have to accept a lower-quality experience and/or pay extra.

It’s not out of the question for ISPs to try monetizing “enhanced” privacy protections, either.

“We anticipate the return of ‘pay-for-privacy,’” said Fatemeh Khatibloo, principal analyst at Forrester, in an email. “[That is,] tiered pricing models that would effectively make privacy a privilege for those who could afford to pay more for these services every month.”

AT&T did something like this with a now-defunct Internet Preferences program for its GigaPower broadband service. That made its entry-level plan cheaper, but in return scanned its customers’ web-browsing data to serve up targeted ads. It more or less necessitated a VPN to avoid having your data collected. To get a plan without Internet Preferences, you had to pay at least another $29 a month. AT&T shuttered the whole thing last fall.

Whether or not any ISP brings back a similar service is pure speculation for now, but the lack of clear legal barriers to it would seem to at least open the door. For what it’s worth, there’s no mention of these kinds of programs in the CTIA’s letter from January, and none of the major ISPs we asked about the possibility of enacting such programs would comment on the matter directly.

Does this affect net-neutrality?

Potentially, very much so. As noted above, Pai and the GOP ultimately want to return privacy regulation of internet providers to the FTC. But the FTC cannot look over the privacy policies of ISPs so long as they are “common carriers” under the Title II classification.

The Title II classification is what gives the FCC the ability to legally enforce the current net-neutrality rules, though. And now it’s unclear if the FCC can ever impose new privacy regulations onto ISPs again.

Complicating this is an appeals-court decision from last year that said the FTC cannot regulate common carriers in any field, be it for their common carrier business (i.e., providing internet, or telephone, service) or anything else.

GOP representative Bob Latta of Ohio said he plans to introduce legislation that would get around that ruling, but that wouldn’t change the fact that Title II and the FTC having privacy jurisdiction over ISPs are incompatible.

All of this is to say that an attack on the 2015 Open Internet Order is coming into the crosshairs next. White House press secretary Sean Spicer said as much last week, and FCC chairman Ajit Pai seems ready to take action as well.

“We need to put America’s most experienced and expert privacy cop back on the beat,” Pai said in a statement on Monday, referring to the FTC. “And we need to end the uncertainty and confusion that was created in 2015 when the FCC intruded in this space.”

How exactly Pai or the GOP will go about repealing the net-neutrality rules is still unclear. Those rules were created in 2015, long enough ago to be untouchable by a Congressional Review Act. That means the GOP would need to get some Democrats on the side of whatever new rules it proposes. Considering not one Democrat voted in favor of rolling back the privacy rules, though, that could be a hard sell.

Pai could try to make a more direct change through the FCC itself, but then he’d have to prove that the Title II order has done enough damage to ISPs to warrant its reversal, since the order was upheld in court just last year. Based on his recent statements, his likely line of attack will be to say that Title II has created too much “uncertainty” for internet providers, thus harming their willingness to invest in new networks.

But, while ISPs’ spending on network infrastructure has taken a slight decline on the whole since 2015, it’s hard to say that’s a direct result of Title II. The industry is in a time of transition anyway as it prepares to roll out 5G tech, and in some cases, investment has actually gone up over the past two years.

Can any other laws be made for the privacy rules specifically?

Theoretically, Congress could create the consistent framework many Republicans want by creating its own set of rules for how ISPs and internet companies treat customer data. Given the GOP’s repeated desire to return privacy regulation to the FTC, though, that seems unlikely.

On the FCC level, Pai says he wants to create a privacy framework for ISPs that effectively puts them back in line with the FTC rules that govern Google, Facebook, and the like. How far he could go in doing that after the CRA is unclear, though. Since the sections of the Communications Act that still allow the FCC to look over privacy policies make no mention of web-browsing and app-usage data, those provisions likely cannot be made opt-in by default.

Where things might get complicated for ISPs is on a state level. As The New York Times reported last week, a handful of states have started considering legislation that would require ISPs to get opt-in consent before sharing web-browsing, app-usage, and other personal information. One such bill has been approved by Minnesota’s House and Senate already. If things like this get far enough, it could pressure more ISPs into making opt-in the norm across the country to avoid the headache.

Throughout it all, though, the biggest concern here is the one that drives most internet-regulation debates: There just isn’t much competition among ISPs.

The privacy rules rollback wouldn’t be as big of a deal to people if they had a choice between one ISP that collects data en masse, and one that makes it a selling point to not serve you targeted ads. But in wide swaths of the country, particularly when it comes to wired internet, that choice simply does not exist.

It’s the same deal when it comes to the net-neutrality debate.

Without other companies to push them, and without a federal body that can provide clear privacy rules for them, there isn’t much incentive for ISPs to make life harder for themselves. You could say that the new ad revenue will help ISPs lower the prices of their core services, but again, that assumes they’d have a competitor that gives them reason to do so in the first place.

We will have to wait and see how ISPs go about their privacy policies without the Obama rules hanging over them. The thing is, that’s all you can really do from here on out.

The post Trump just killed Obama’s internet privacy rules — here’s what that means for you appeared first on Business Insider.