Your mobile carrier knows which websites you visited this morning.

Not in some vague, aggregated sense. They have a record of the domains your phone connected to, the apps that sent requests, and depending on which programs you haven’t opted out of, your physical location derived from cell towers rather than your GPS. Turning off location on your phone doesn’t touch that.

The good news is you can do something about it. The bad news is that most of the settings you’d instinctively reach for don’t address the problem. I’ll show you below what settings you need to tweak and the one tool that ISPs wish you wouldn’t use.

Why Carrier Tracking Is Different

When you use incognito mode or clear your cookies, you’re affecting what gets stored on your device and limiting some cookie-based tracking. Your ISP operates independently of all of that.

AT&T, for example, states in its privacy notice that when it collects web browsing information as an internet service provider, it “works independently of your web browser’s cookie and private browsing settings.” What your browser knows and what your carrier knows are separate data streams.

The same applies to device location settings.

Your phone’s location toggle controls what apps can access. Your carrier can collect location data from the network itself, derived from which cell towers your phone is connecting to, without involving your device’s GPS at all.

This isn’t a loophole or a gray area. It’s how these programs are designed to work. And it’s all legal.

Share

How We Got Here

In 2016, the FCC passed broadband privacy rules that would have required ISPs to get affirmative opt-in consent before using or sharing your browsing history and other sensitive data. Congress repealed those rules in 2017, largely along party lines, and President Trump signed the repeal into law. Because the repeal used the Congressional Review Act, the FCC is also blocked from issuing any substantially similar rule without future legislation specifically authorizing it.

That leaves a genuine regulatory gap. The FTC nominally handles privacy for most industries, but its jurisdiction over ISPs, which are classified as common carriers, is legally complicated. The practical result is that the major mobile carriers operate opt-out advertising programs, and customers are enrolled by default.

What Each Carrier Actually Does

Verizon runs two tiers. The Custom Experience program, which all consumer smartphone customers are enrolled in by default, uses information about websites you visit and apps you use to build interest profiles. Custom Experience Plus, which requires an opt-in, adds device location obtained from the Verizon network and Customer Proprietary Network Information, including call details. Your device location settings have no effect on it. The carrier doesn’t need your GPS because it uses the towers your phone is already connecting to.

AT&T runs a similar structure. The base “Personalized” program is on by default and uses demographic data, general location, and account usage to tailor ads. “Personalized Plus” requires an opt-in and is where AT&T collects web browsing data as your ISP, adds precise location, and shares it with third parties. Per AT&T’s own policy, both programs operate independently of your browser’s private mode and cookie settings.

T-Mobile runs the Magenta Advertising Platform. Its Do Not Sell or Share page states directly: “We may sell or share your personal information on this website or app.” T-Mobile’s Privacy Dashboard contains multiple toggles that are on by default, and the Do Not Sell toggle doesn’t automatically cover advertising programs you may have previously opted into. Those require separate action.

Then there’s Starlink, which until recently was the exception. As a satellite provider with a simpler business model, it had stayed out of the ad profiling game. On January 15, 2026, Starlink updated its global privacy policy to allow the use of customer data to train AI models, including sharing with third-party collaborators for their own independent purposes, unless customers opt out. Starlink clarified afterward that individual browsing history and destination IP addresses are not included. Account data, contact information, and usage metrics are.

What “We Don’t Sell Your Data” Actually Means

All three major carriers use some version of this language. Verizon states it doesn’t sell information from its Custom Experience programs to others for their own advertising.

What they do is build interest profiles and then use those profiles to power their own advertising platforms, which brands pay to target against. The data doesn’t move to a third party. The targeting capability does. That distinction matters considerably to the lawyers who drafted those privacy policies. It matters less to you as a subscriber.

While the 2017 repeal didn’t create this business model, it did clear the path for it.

Here’s What the Opt-Out Menus Don’t Tell You

Opting out of these programs stops the ad-tier profiling. It doesn’t affect the data your carrier collects to actually provide service. Call records, billing data, network diagnostics, the cell towers your phone touched today, all of that continues regardless of your privacy settings. What these opt-outs address is the separate commercial layer built on top of operational data.

There’s also a timing problem.