The ISP, as a technical necessity, has to know that you (an identified & billable account at a known IP address) sent a data packet to a particular known website or other data service. That’s the whole POINT of an ISP. The particular _user_ may not be personally identified (me? wife? kids?), but enough information can be gleaned for practical marketing purposes (frequent visits to MatildaJane.com from a particular MAC address operating under the account of Mr. CTDonath are clearly Mrs. CTDonath at a known postal address and can be cross-referenced to glean oodles of additional PII - valuable information to marketers of women’s & children’s clothing).
It’s that pesky “metadata” problem. Encryption & anonymization is great (and strong/robust/ubiquitous implementation thereof is vital), but given the enormous amount of traffic being monitored, a great deal can be gleaned just by what data packets travel from where to where.
I’m actually working on a “single sign-on” service for app users for a major ISP. The whole point is we can confidently log you into other services with few/no instances of you manually entering ID & password - largely because we can identify you from numerous other metadata.
Disagree that PII can be gleaned from a browsing history. Navigating to a site leaves my IP and MAC but purchase history is encrypted (HTTPS) so not viewable and is stored in a different segment of long-term memory so not collectible in the same data grab as browsing history. Metadata is up to whomever architects the website, probably updated constantly to meet changing market demands, but will NEVER contain PII as it is embedded in the CSS or XML, not on the client side.
I like single sing-on and we use (what is supposed to be) SSO for our corporate site. This does not protect a user from browsing history unless the ISP spoofs the MAC or generalizes/anonymizes either the MAC or IP.
In either case, PII is not part of the problem and the author of the news piece conflated the two. Meaning they have no technical expertise to write intelligently on the subject and is guilty of spreading incorrect information to the public.
Use an encrypted VPN to a proxy. Then your ISP can’t see anything.