Keep Factually independent
Whether you agree or disagree with our analysis, these conversations matter for democracy. We don't take money from political groups - even a $5 donation helps us keep it that way.
What data can ISPs collect about customers and how long must they retain it under U.S. law?
Executive summary
ISPs in the U.S. routinely collect extensive customer data — including web-browsing records, device and app usage, real‑time location, and demographic inferences — and often share or monetize those data through advertising and affiliate programs, according to a Federal Trade Commission staff study and subsequent reporting [1][2]. There is no single federal law that imposes a blanket mandatory retention period for all ISP customer data; retention practices are mostly set by individual ISPs’ business needs, state laws, and discrete federal procedures such as preservation obligations after a government request [3][4].
1. What kinds of data do ISPs collect — “everything that passes through them”
The FTC staff report found many ISPs can access “all of their users’ unencrypted internet traffic” and routinely collect web‑browsing data, app usage, device identifiers, and real‑time location information; they also combine that with other data to create sensitive inferences (race, sexual orientation, political views) used for targeting or categorization [1][5]. Investigative outlets summarized the same finding: ISPs “routinely collect an ocean of consumer location, browsing, and behavioral data” and combine across services to build detailed profiles [2][6].
2. How ISPs use and monetize those data
The FTC staff report documents that ISPs not only collect data but share, transfer, and permit third‑party monetization — including advertising and analytics arms — sometimes hiding details in privacy policy fine print even while publicly promising not to “sell” identifiable information [1][5]. Journalists and privacy commentators have highlighted that opt‑out mechanisms are often cumbersome and that “business purposes” for retention are defined broadly by providers [2][6].
3. Where law fits in: no blanket U.S. mandatory retention period
Multiple reviews and legal analyses in the materials conclude the United States does not have a general, affirmative statute requiring ISPs to retain all customer traffic or metadata for a fixed national period the way some EU or Australian schemes once did; instead, retention is driven by ISP policies, sectoral state laws and federal procedures [7][3]. Privacy advocates and legal summaries explicitly state “there are no mandatory data retention laws in the United States” comparable to the EU directive [3][7].
4. Narrow federal rules and government preservation duties
Although there’s no blanket retention law, federal law and practice create narrower obligations: under the Electronic Communications Privacy Act (ECPA) and related procedures, ISPs are routinely required to preserve records for a limited period (commonly cited as 90 days) when the government requests preservation while it seeks a court order; that is not a general everyday retention mandate but a response obligation [4]. Separately, ISPs may voluntarily retain records for billing, network operations, fraud prevention, or to meet state‑level regulatory or evidentiary expectations [8].
5. Variation across companies and states — a patchwork, not a single standard
Because federal mandatory retention is absent, ISPs set internal retention policies that vary widely (examples reported include some ISPs keeping logs months to more than a year), while states are increasingly adopting their own privacy regimes that can affect retention rules for businesses subject to those laws [8][9]. Recent reporting and guides note an evolving patchwork of state privacy laws and company policies, so practical retention timelines differ by provider and jurisdiction [9][10].
6. What consumers and policymakers disagree about
Privacy advocates and the Electronic Frontier Foundation warn mandatory retention regimes would produce sweeping surveillance risk and centralize sensitive records [11]. Law enforcement and some policymakers argue lack of a standard retention floor hampers investigations — particularly in child‑exploitation and serious crime cases — and have periodically pushed for retention legislation [12][4]. These competing agendas shape why U.S. law remains fragmented rather than setting a national retention rule [12][11].
7. Practical takeaways and gaps in reporting
If you want to know exactly what your ISP keeps and for how long, the available materials recommend checking that ISP’s privacy policy and any applicable state law — there is no single federal retention timeline you can rely on [3][8]. The sources provided do not contain a comprehensive table of individual ISPs’ retention periods; they offer examples, federal study findings, and legal summaries but not uniform retention schedules (not found in current reporting).
Limitations: this summary relies on the FTC staff study and legal surveys provided; those sources report practices, agency findings, and legal landscape but do not substitute for consulting a particular ISP’s policy or current state statutes for precise retention periods [1][10].