Friday, June 14, 2019

Last week, Maine enacted an internet privacy law requiring broadband internet service providers (ISPs) to obtain a customer’s express, affirmative consent before using their personal information, including browsing history. As the first state to enact such a law, Maine has generated national headlines. But the new law reflects growing interest among state legislatures around the country in protecting the privacy rights of consumers in today’s digital world, given the lack of a comprehensive federal data protection law.

What does the new law do?

The new law, An Act To Protect the Privacy of Online Customer Information (LD 946, to be codified at 35-A M.R.S. c. 94), prohibits ISPs from using, disclosing, selling, or permitting access to the vast majority of the information generated by a customer’s use of internet service. The Act protects a customer’s web browsing history, application usage history, precise geolocation information, device identifiers, the origin and destination internet protocol addresses, personal identifying information, and the content of a customer’s communications.

Before an ISP may use, disclose, sell, or permit access to this customer information, it must obtain the customer’s “express, affirmative consent.” So, rather than giving customers the right to opt out of having their data utilized, the Act prohibits ISPs from utilizing customers’ data unless and until a customer consents.

The Act requires ISPs to provide customers a “clear, conspicuous and nondeceptive notice” of the ISP’s obligations and the customer’s rights.

The Act also prohibits ISPs from refusing to serve customers who withhold consent, and bans ISPs from offering financial or other incentives for customers to opt in. The Act also requires ISPs to take “reasonable measures” to protect customer information from unauthorized use (i.e., being hacked and stolen).

Notably, the Act applies only to ISPs, not to other internet actors that collect and use customer information, such as search engines and social networks.

The law resembles regulations that the Federal Communications Commission implemented in 2016. In 2017, however, Congress overturned those regulations, spurring a number of state legislatures, including Maine’s, to explore their own internet privacy rules.

What does the new law mean for businesses that operate in Maine?

The Act only regulates Maine’s approximately 80 broadband internet service providers, and applies only to ISPs serving customers “that are physically located and billed for service received in the State.”

How will the new law be enforced?

Oddly, the Act is silent as to who will enforce the law on behalf of Maine customers or what penalties apply for noncompliance. The Legislature considered, but failed to pass, an amendment that would have placed enforcement authority with the Office of the Maine Attorney General and authorized funds to hire enforcement staff.

The new law is being incorporated into the title of the Maine Revised Statutes that governs public utilities, but neither the Act itself nor existing statutes explicitly authorize the Maine Public Utilities Commission to enforce it.

Nor does the Act specifically authorize lawsuits by internet users against ISPs that fail to comply. Maine courts could read the Act to implicitly create a private cause of action against ISPs, or to provide the standard of care for a negligence claim based on breach of the Act’s requirements. However, unless and until a Maine court affirmatively decides that the Act so creates a private cause of action, this possibility remains theoretical.

What happens now?

The law takes effect on July 1, 2020.

There are at least two grounds on which the law may be susceptible to legal challenges. First, the law may be challenged on the grounds that it imposes unlawful discriminatory restrictions on the ISPs’ First Amendment rights to engage in commercial speech. Second, the law may be preempted by federal law, which also closely regulates telecommunications.

We are not aware of any legal challenges yet filed. In written comments to the Legislature in support of the Act, the Maine attorney general stated that his office believes the law is legally defensible and would vigorously defend it on behalf of Maine’s consumers.

A number of other states have considered, but failed to enact, similar legislation. California recently enacted a sweeping consumer privacy law that applies to a broad swath of for-profit businesses, including ISPs, but the California law provides that ISPs (and other covered businesses) may allow customers to opt out of the use of their data, rather than requiring customers to affirmatively opt in to such use, as Maine’s law does.