The new Maine data privacy law, that went into effect on July 1, 2020 stands to be one of the nation’s strictest for Internet Service Providers (ISP).. The law was upheld, despite formal complaints filed by ISPs in Bangor’s federal court, alleging that the impending rule violates their freedom of speech. U.S. District Court Judge Lance Walker ruled on Tuesday, July 7 that four industry associations failed to show how Maine’s internet privacy law violates the First Amendment and he rejected the argument that it conflicts with existing federal law.
What is the Controversy?
Given the limited enforceability of the law on paper, this data breach law has caused significant friction.
“The statute’s speech restrictions are… too vague to comply with due process because they force ISPs to guess at the boundaries of those restrictions,” according to the complaint filed by ISPs. “The statute’s amorphous, broad, and open-ended restrictions will, therefore, chill ISPs’ protected First Amendment speech.”
US Telecom – a telecom lobby, which represents AT&T, Verizon, Comcast, and others – objected Maine’s law, fearing that it will become part of a “patchwork” of laws regulating ISP actions. They fear the rules will confuse consumers who are used to buying internet connections in multiple states.
What Will LD 946 Do?
The new law – LD 946, or “An Act To Protect the Privacy of Online Customer Information” does the following:
- Prohibits ISPs from using, selling, disclosing, or giving access to customer web browsing information.
- Protects browsing history, app usage history, geolocation data, device identifiers, and content.
- Requires express, affirmative consent for data utilization, rather than an opt-out.
- Requires ISPs to take “reasonable measures” to protect hacking or stealing of customer information.
- Bans ISPs from refusing to serve customers who withhold consent.
- Limits ISPs from advertising and marketing loyalty or cost-saving programs as opt-in incentives.
ACLU Maine Advocacy Director Oamshri Amarasingham praised the bill, declaring, “Today, the Maine legislature did what the U.S. Congress has thus far failed to do, and voted to put consumer privacy before corporate profits.”
How is Maine’s Opt-In Privacy Law Different From the CCPA?
One of the most-discussed consumer protection laws passed in recent years is the California Consumer Privacy Act (CCPA). The Maine Opt In Data privacy law is different from the CCPA in several notable ways:
- This law only applies to 80 broadband internet service providers. The CCPA affects any business with more than $25 million in annual revenue, over 50,000 consumer records, or whose principal business involves data.
- It affects companies physically located and billed for service in Maine. CCPA affects companies that may be located outside of California, but who are conducting business with consumers within California.
- Maine requires an opt-IN to allow data sale. In California, it is an opt-OUT rule.
What Happens if a Maine ISP Breaks the Law?
Currently, it is not clear how the law will be enforced. The Legislature considered, but failed to pass, an amendment that would have given the Office of the Maine Attorney General the authorization to hire enforcement officers. Though the law will be incorporated into the statutes governing public utilities, the Maine Public Utilities Commission has not been granted jurisdiction to enforce the law either. Maine Courts could allow private causes of action against ISPs, but it will take a precedent to set the tide of mass torts in motion.
Other states have debated but failed to enact similar legislation. The recent ruling in favor of Maine’s privacy law will likely impact how other states wade through the waters of consumer data privacy in the coming years.