Maine’s legislature unanimously passed a new law—“An Act to Protect the Privacy of Online Customer Information” (the “Act”)—that will impose strict data protection restrictions on broadband internet service providers (ISPs) when it goes into effect on July 1, 2020. In the absence of federal privacy legislation, states like Maine passed new privacy legislation. The Act, although limited to ISPs, sets a new high-water mark that could spur similar laws in other states.
The Act applies to ISPs serving customers “that are physically located and billed for service received” in Maine. It does not apply to other internet actors that collect customers’ information, such as social media networks and search engines.
The Act forbids ISPs from using, disclosing, selling or permitting access to personally identifying customer information, including:
- Web browsing and application usage history.
- Precise geolocation information.
- Financial and health information.
- Information about the customers’ children.
- Device identifiers.
- The content of the customer’s communications.
- Origin and destination IP addresses.
ISPs also must provide a “clear, conspicuous and nondeceptive notice” of their obligations and of customers’ rights under the Act.
The Act also sets a “reasonable security” requirement. Specifically, an ISP must take “reasonable measures” to protect a customer’s personal information from unauthorized use, disclosure or access. This requirement is similar to other “reasonable security”-type obligations imposed under other state laws like the California Consumer Privacy Act (CCPA). The ISP is directed to take into account the following factors when implementing the required security measures: the nature and scope of the provider’s activities, the sensitivity of the data the provider collects, the size of the provider and the technical feasibility of the security measures.
There are only a few limited exceptions to these restrictions. Notably, only affirmative “opt-in” consent qualifies as an exception, a departure from similar laws that allow for “opt-out” consent. This means that in Maine, all ISP customers will be protected without any action on their part. ISPs are prohibited from incentivizing customers to opt-in, or penalizing those customers that do not. A customer may revoke his or her consent at any time. Other exceptions exist to facilitate compliance with a lawful court order; to provide service to the customer, including billing and collecting payment; to market and advertise ISP services; to protect users from fraud; and to provide geolocation information in emergency circumstances.
There is no explicit enforcement provision in the Act. The Maine Legislature proposed an amendment that would have placed enforcement authority with the Office of the Maine Attorney General and authorized funds to hire enforcement staff. That amendment failed to pass this year. Because the Act will be incorporated into the Maine statute title concerning public utilities, it is possible that the Maine Public Utilities Commission will enforce the Act. It is also possible that Maine courts could read the Act to create a private cause of action for Maine citizens. It thus remains an open question how the Act will be enforced and by whom.