Comcast today said it has "no plans" to sell its customers' individual Web browsing histories, but Comcast can still deliver personalized ads based on its customers' browsing history. Comcast, the nation's largest home Internet provider, said it will continue to offer customers a way to opt out of targeted ads.

"We do not sell our broadband customers’ individual Web browsing history," Comcast Chief Privacy Officer Gerard Lewis wrote in a blog post today. "We did not do it before the FCC’s rules were adopted, and we have no plans to do so."

Comcast operates its own advertising network, so it doesn't need to share individuals' browsing history with third parties in order to serve targeted ads. Instead, Comcast can use its customers' browsing history to sell targeted ads. Businesses pay Comcast to have their advertising reach people who are more likely to buy their products, but only Comcast would know exactly who those customers are.

Comcast sells targeted ads on its own websites "and other digital properties," which would include NBC and various regional sports networks.

Comcast doesn't share customer information regarding banking, children, and health "unless we first obtain their affirmative, opt-in consent," Lewis wrote.

"If a customer does not want us to use other, non-sensitive data to send them targeted ads, we offer them the ability to opt out of receiving such targeted ads," Lewis wrote. That "non-sensitive data" includes Web browsing information, a Comcast spokesperson told Ars. But any Web browsing that relates to sensitive data like the topics above would fall under the more stringent opt-in category.

Comcast said that there has been a lot of "misinformation and inaccurate statements... made in the last week," so it is "revis[ing] our privacy policy to make more clear and prominent that, contrary to the many inaccurate statements and reports, we do not sell our customers’ individual Web browsing information to third parties and that we do not share sensitive information unless our customers have affirmatively opted in to allow that to occur."

Comcast also said today that it complies with various federal and state laws regarding privacy and data security.

But Comcast and other ISPs won't have to comply with Federal Communications Commission rules that would have required opt-in consent before using or sharing browsing and app usage history. That's because of House and Senate votes to eliminate the FCC rules, an action likely to be signed by President Donald Trump.

Comcast, other Internet providers, and their lobby groups recently signed a voluntary pledge to require opt-in consent before using or disclosing the most sensitive information, but the pledge only requires opt-out systems for Web browsing history. That's similar to the rules applied to online companies like Google and Facebook, though Democrats in Congress supported the FCC's stricter rules for ISPs because the companies can see each customer's entire browsing history. Democrats also argued that consumers should have a greater expectation of privacy with Internet service because it's a subscription-based offering and difficult to switch Internet providers.

Republicans argued that stricter rules for ISPs would confuse consumers and stifle competition in the advertising market. They said the Federal Trade Commission should regulate ISP privacy instead of the FCC but did not take any immediate action to replace the FCC rules that are being eliminated.

AT&T praises itself for privacy practices

AT&T's public policy chief, Bob Quinn, called Congress' decision to eliminate FCC privacy rules "commendable work" in a blog post today.

"In truth, companies that collect and use the most customer information on the Internet are not the ISPs but other Internet companies, including operating system providers, Web browsers, search engines, and social media platforms," Quinn wrote.

AT&T used to charge fiber Internet customers at least $29 a month extra if they did not opt in to browser history collection and personalized ads, but the company stopped that program shortly before the FCC issued its privacy rules last year. AT&T's privacy policy says that it collects "Web browsing and wireless application information," but it adds, "we will not sell your personal information to anyone, for any purpose. Period."

Quinn praised his company for writing a privacy policy "that communicated our practices to our customers in words that the consumer didn’t need a lawyer to help decipher."

Quinn predicted that the FCC's classification of ISPs as common carriers will be rescinded and that the Federal Trade Commission "will resume regulating consumer broadband privacy, just as it has done since the Internet was created decades ago." Quinn's blog post did not mention that AT&T won a court case in which it argued that the FTC has no authority over any of AT&T's various lines of business. Unless Congress takes further action, the FTC may have no power to regulate AT&T and other phone companies even if the FCC drops its common carrier classification of Internet service.

Elsewhere in the blog post, Quinn criticized others for "untrue" statements.

It is "flatly untrue that the Congressional action eliminated all legal protections governing use of consumer information," he wrote. "For example, AT&T and other ISPs’ actions continue to be governed by Section 222 of the Communications Act just as they were for the nearly two years that passed between reclassification of Internet access as a Title II service and the passage of new rules last fall."

AT&T is a member of CTIA, a wireless lobby group, which claims that "Section 222 cannot be extended to broadband service." Section 222 governs common carriers generally, but it was written for telephone networks in 1996 and makes no mention of Internet service. The FCC rules would have made it clear exactly how Section 222 would be enforced on Internet service, but the rules never took effect.

Since those rules never took effect, Quinn wrote, "We had the same protections in place the day before the Congressional resolution was passed, and we will have the same protections the day after President Trump signs the [resolution] into law."

UPDATE: Verizon today also posted a blog about its privacy policy, saying it does not sell personal Web browsing history but does use Web browsing data to sell personalized advertising. Verizon's privacy policy provides information about opting out of those programs. Charter has also posted a similar blog.

Cox goes one step further, saying it "does not collect the individual Web browsing history of our customers and has no plans to do so."