Since the passage of the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.) (“CCPA”), several states are following in California’s footsteps and adopting privacy bills that would allow consumers to object to the sale of their personal information.
On June 6, 2019, Maine Governor Janet Mills signed into law the “Act to Protect the Privacy of Online Consumer Information.” Unlike the CCPA, the new statute applies only to broadband providers in Maine that provide services to individuals physically located in Maine. With certain exceptions, the statute prohibits broadband providers from using, selling, distributing or permitting access to customer personal information for purposes other than providing services, unless the customer expressly consents to that use, sale, disclosure, or access. The new statute includes limited exceptions for provider’s use of customer personal information, where the use, sale, disclosure, or sharing of personal information is permitted without the customer’s prior express, affirmative consent. These exceptions allow providers to use such information to (a) provide the service from which the customer personal information is derived or for the services necessary to the provision of such service, (b) advertise or market the provider’s communications-related services to the customer, (c) comply with a lawful court order, (d) collect payment for Internet service, (e) protect users from fraud, and to (f) provide location information to assist in the delivery of emergency services.
While the CCPA provides for an opt-out right, Maine’s new statute requires a more restrictive opt-in, subject to limited exceptions. Moreover, these heightened requirements apply asymmetrically to only certain players in the online ecosystem. It imposes burdensome requirements on broadband providers without recognizing the fact that other parties have just as much access (if not more) to “customer personal information.” Similar to the CCPA, Maine’s new statute covers a wide range of information and impacts the operations of a global Internet. Even though one state may have authority to regulate activities within that state, a building patchwork of overlapping and competing state and federal law requirements may threaten the innovation of Internet-based technologies and services. Indeed, these concerns are at the heart of the preemption debate on Capitol Hill over omnibus federal privacy legislation.
The new Maine statute defines “customer personal information” broadly to include (a) “personally identifiable customer information” about the customer, such as name, billing information and billing address, social security number, and demographic data, and (b) information derived from the customer’s use of broadband internet access services, such as web browsing history, application usage history, geolocation, financial and health information, information pertaining to the customer’s children, device identifier (such as IP addresses or international mobile equipment identity), and the content of the customer’s communications.
Under the statute, customers may revoke consent at any time and providers are prohibited from refusing to serve a customer who does not consent to the use, sale, disclosure, or sharing of their customer personal information. Providers are also prohibited from charging a customer a penalty or offering a customer discounts based on the customer’s decision to provide or not provide such consent. The law also has certain basic disclosure and information security requirements.
Though the new statute does not address enforcement, the statute could be enforced by the attorney general under the Maine Unfair Trade Practices Act, which allows the attorney general to bring an action in the name of the state to enjoin practices that appear to be unlawful.
The law will become effective as of July 1, 2020.