In June 2019, Maine’s state legislature passed the country’s first privacy law specifically regulating Internet Service Providers (“ISPs”) operating within the state. The law was introduced in response to the Trump Administration repealing an Obama Administration rule from 2017 that governed ISPs’ use of customer data. The Maine law, An Act to Protect the Online Privacy of Consumer Information, was passed with bipartisan support and closely replicates the repealed federal provisions. The law went into effect on July 1, 2020.
State senators sponsoring the law explain that its purpose is to protect Maine residents from the vast inferences that ISPs can make from a user’s complete Internet usage and browsing history information. Without the controls provided by the Maine law, an ISP could theoretically access a customer’s records to learn everything that the customer searched, every Internet site that customer visited, and how, where, and from what device the customer accessed the Internet. This could potentially provide access to geolocation information, financial information, medical information, private messages sent via the Internet, device identifiers, and more. The Maine law aims to address the fear that an ISP can piece together a Maine resident’s entire public and private life from such information.
Maine’s new privacy law protects customers’ “personally identifiable information” and their “broadband Internet access service.” The statute defines both terms to include information such as a person’s name, financial information, Social Security number, and Internet and application usage history. It also states that these terms include, but are not limited to, the categories listed in the statute. This open-ended phrasing makes the exact scope of the law unclear for ISPs. As lawsuits start trickling in under this law, we will have a better idea of its scope and applicability.
The law prevents ISPs from using, selling, disclosing, or permitting access to these categories of customer information without the customer’s express, written consent. Thus, by adopting an opt-in consent requirement, Maine’s law provides customers greater control over their personal information, similar to the European Union’s General Data Protection Regulation (“GDPR”), which also has an opt-in consent requirement. This is a notable distinction from most current U.S. state privacy laws (such as the California Consumer Privacy Act), which require opt-out consent (i.e., a business can use and share a customer’s personal information unless the customer expressly opts out).
Looking ahead, there are two key developments to monitor regarding Maine’s privacy law. First, ISPs in Maine have filed a lawsuit challenging the constitutionality of the law, arguing that it is vague, that it chills First Amendment free speech, and that it is preempted by federal law. Second, the statute does not on its face provide an enforcement mechanism or penalties if an ISP violates the law. Thus, it is uncertain how the law will be enforced in court, whether customers may enforce its provisions under common law counts, such as negligence, and/or whether a state administrative body will enforce the law.
Ultimately, Maine’s new privacy law serves as a potential framework for future regulation of ISPs and may prompt other states to adopt similar regulations on a state-by-state basis until a federal privacy law is passed.