MAINE PRIVACY LAW AND ISP DISPUTE
On July 1, 2020, Maine will start regulating online data as well. However, unlike California’s new legislation, the Maine privacy law called “An Act to Protect the Privacy of Online Customer Information” focuses entirely on user data collected by Internet Service Providers (ISPs).
Signed by the governor in June 2019, LD 946 says that ISPs “may not use, disclose, sell, or permit access to customer personal information,” unless the customer gives “express, affirmative consent.” The consent can be revoked at any time, the ISP cannot refuse service if consent is not given, and there can be no penalty or discount related to consent.
Sharing or selling of non-personal information is fine but sharing or selling personal information requires consent, unless the customer notifies the ISP in writing against doing so. Although the law doesn’t specify, the implication is that non-personal information can be data such as average transmission speeds in a neighborhood or customer loads at certain times of day. ISPs can use personal or non-personal information to fulfill their own service obligation to the customer, without explicit consent.
For example, it requires consumers to opt in rather than opt out of allowing their data to be sold to, distributed to, or accessed by third parties. That means, in Maine, ISPs will be required to seek affirmative consent from customers before selling personal information to third parties.
The Act requires ISPs to provide customers a “clear, conspicuous and non-deceptive notice” of the ISP’s obligations and the customer’s rights.
The Act also prohibits ISPs from refusing to serve customers who withhold consent, and bans ISPs from offering financial or other incentives for customers to opt-in. The Act also requires ISPs to take “reasonable measures” to protect customer information from unauthorized use (i.e., being hacked and stolen).
The Act is silent as to who will enforce the law on behalf of Maine customers or what penalties apply for noncompliance. The Legislature considered, but failed to pass, an amendment that would have placed enforcement authority with the Office of the Maine Attorney General and authorized funds to hire enforcement staff.
The new law is being incorporated into the title of the Maine Revised Statutes that govern public utilities, but neither the Act itself nor existing statutes explicitly authorize the Maine Public Utilities Commission to enforce it.
Nor does the Act specifically authorize lawsuits by internet users against ISPs that fail to comply. Maine courts could read the Act to implicitly create a private cause of action against ISPs, or to provide the standard of care for a negligence claim based on breach of the Act’s requirements. However, unless and until a Maine court affirmatively decides that the Act so creates a private cause of action, this possibility remains theoretical.
ISPs Sue Maine
Named as plaintiffs are: ACA Connects, America’s Communication Association; CTIA, the Wireless Association; NCTA, the Internet & Television Association; and USTELECOM, the Broadband Association.
Named as defendants are: Maine Attorney General Aaron Frey and the three members of the Maine Public Utilities Commission: Philip Bartlett, Bruce Williamson and Randall Davis.
A 32-page complaint, filed in U.S. District Court in Portland, says Maine’s law violates First Amendment protections by, among other things, restricting ISPs from advertising or marketing services to customers or from offering discounts or rewards in loyalty programs.
“Maine cannot discriminate against a subset of companies that collect and use consumer data by attempting to regulate just that subset and not others,” the complaint reads. “Maine’s decision to impose unique burdens on ISPs’ speech – while ignoring the online and offline businesses that have and use the very same information and for the same and similar purposes as ISPs – represents discrimination between similarly situated speakers that is impermissible under the First Amendment.”
The complaint further alleges that “the statute thus excessively burdens ISPs’ beneficial, pro-consumer speech about a wide variety of subjects, with no offsetting privacy-protection benefits,” and that “customer personal information” is too broadly defined and includes data that would not be considered sensitive.
The complaint asks the court for “an injunction prohibiting defendants in their official capacities – as well as defendants’ officers, agents, employees and all persons acting in concert with them who receive actual notice of the injunction – from enforcing or threatening to enforce the statute and any implementing regulations.”
If you have any questions about this Memo, please email us at firstname.lastname@example.org.
Disclaimer: The information on this page is being provided for information purposes only and is drafted entirely on the basis of public resources. Information contained on or made available herein is not intended to and does not constitute legal advice, recommendations, mediation or counseling under any circumstance. This information and your use thereof do not create an attorney-client relationship. You should not act or rely on any information provided herein without seeking the advice of a competent attorney licensed to practice in your jurisdiction for your particular business.