There’s been a rare win for consumer privacy. The US Federal Communications Commission is to impose new rules on internet service providers, requiring them to obtain explicit consent from customers before selling or sharing sensitive personal data to third parties.

‘Sensitive information’ includes web browsing histories, financial and health information, location data, communications content, children's information, social security numbers, and app usage history. Customers will need to opt-in for an ISP to share this data.

Non-sensitive information covers emails addresses, service tiers, IP addresses, and other similar pieces of data. ISPs must create a method for customers to opt-out of having this information shared or sold.

There are still questions over whether ISPs will just bury the consent forms inside the mass of user agreements that most people agree to without reading. The new rules cover all internet service providers, such as Comcast, as well as mobile carriers. Web companies that use customers’ data – Facebook, Google, etc. – aren’t covered by the FCC’s regulatory jurisdiction.

“Today's vote is a historic win for privacy and free expression and for the vitality of the internet,” said ACLU Senior Policy Analyst, Jay Stanley, in a statement.

Not everyone is happy about the change. The Association of National Advertisers said it was “unprecedented, misguided and extremely harmful,” while a representative from the National Cable & Telecommunications Association called it “regulatory opportunism.”

There does, however, seem to be a loophole in the plan. ISPs are allowed to gather sensitive customer information without consent as long as they de-identify (as in anonymize) it before using it, according to TechCrunch.

It’ll be at least one year before the rules go into effect. Once they’re implemented, make sure to read your ISP’s contracts before clicking agree – assuming you want more privacy and less spam.