If you are in the EU there are pretty extensive data privacy rules. If you are in the US, it is a bit more complicated. It would mostly depend on what the US ISP claimed it was doing. If it did something beyond what it claimed it was doing, it could get in trouble. However, most ISPs are pretty broad with their claimed rights. Still a big problem with the bad ISP idea is that it would be hard to exclude children, and that could cause issues.
