Background of the Maine Privacy Law
In 2019, Maine became the first state in the nation to specifically regulate ISPs’ use of their customers’ personal information. Maine passed “An Act to Protect the Privacy of Online Customer Information” to salvage the endeavor of the FCC to regulate consumer privacy after the Trump administration ditched the FCC proposal. The Maine privacy bill, sponsored by Sen. Shenna Bellows, was approved unanimously by the Maine Senate in 2019.
Bellows noted proudly that the law makes Maine “first and best in the nation in protecting consumer privacy online.”
History of the 2017 FCC Measure
The Maine law was modeled in the spirit of a former Federal Communications Commission (FCC) Broadband Consumer Privacy measure that sought to control what companies can do with data such as browsing history, app usage, and location data.
The Trump administration vetoed the Broadband Consumer Privacy Proposal privacy law of the FCC. Since the repeal, Internet service providers (ISP) like Comcast, AT&T, and Verizon were legally allowed to sell browsing histories and other consumer-generated data directly to marketers that would profit from this information without consumers’ consent.
Maine Privacy Law Compared to Other State Privacy Acts
Like many states, Maine is still very much in the process of capturing the full scope of challenges to consumer privacy in the age of Big Data and social media. To date, Maine has enacted only targeted reforms designed to establish consumer privacy protections that apply to internet service providers and other pinpointed areas like drone use and K-12 education. This stands in contrast to the more impactful sweeping consumer privacy acts enacted by California, Virginia, Colorado, Utah, and Connecticut.
Maine swiftly reacted to Congress’ dissolution of the FCC’s broadband privacy rules by introducing a state law to establish ISP control in Maine. Besides the Maine data privacy laws, both the state and federal governments have let go of the targeted focus on ISP control. Instead, legislative bodies are now focused on hammering out far more comprehensive privacy legislation that would provide consumer data protection across the internet.
The Need for the Maine Privacy Law
The average consumer requesting access to the internet via their smartphone, computer, or tablet will need to set up an account with an ISP (internet service provider). Subsequently, they will need to provide the ISP with their details, in addition to consumer-generated information like geolocation and browsing history.
Despite the complete dependency individuals have on internet accessibility, surprisingly few laws governed what internet service providers were able to do with the data they were supplied with. Internet providers lawfully generated revenue by selling consumer data, upholding a definition of privacy that does not consider browsing history or app usage data to be sensitive and protected.
The Maine Privacy law put a stop to that source of revenue by regulating all consumer-generated information.
Who is Bound By the Maine Privacy Law?
The law covers broadband internet service providers (ISPs), defined as any “mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints.”
The law excludes Big Data companies such as Google and Facebook, which consumers can choose to ignore if they choose to do so. Sen. Bellows noted that the bill targeted ISPs because, “you can use the internet without using Facebook, but you can’t use the internet without using your internet service provider.”
The bill’s provisions apply to providers operating within the State when providing broadband Internet access service to customers that are billed for service received in the State and are physically located in the State.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days
Guide to Maine Privacy Law
Under the law, consumer geolocation data, web surfing patterns, and mobile application usage are legally protected. Additionally, the law mandates that when providing services to a specific customer, internet service providers must give Maine residents “a clear, conspicuous and nondeceptive notice at the point of sale and on the provider’s publicly accessible website of the provider’s obligations and a customer’s rights.”
The act requires that ISPs
- obtain consumers’ consent before using, disclosing, or selling their personal information
- take reasonable security measures to protect consumers’ personal information
- provide consumers notice of their rights and the ISPs’ obligations
The law prohibits ISPs from:
- using disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to that us.
- refusing to serve a customer, charging a customer a penalty, or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale, or access.
The bill covers information that is not traditionally categorized as sensitive and is not even personally identifiable information.
For example, “customer personal information” includes two categories:
- personally identifiable information about a customer: This includes but is not limited to the customer’s name, billing information,” and similar identifying information
- information from a customer’s use of broadband Internet access service. The information in this category is not necessarily linkable to a specific consumer. It essentially prohibits ISPs from using any information that a customer generates unless the customer provides express consent or for which there is an exception.
Exceptions to the Prohibitions
- Under the law, ISPs are given the right to use, disclose, sell, and permit access to customer personal information without consent when needed to provide the service for which the information is supplied.
- They can also use the information to advertise or market the ISP’s “communications-related” services, process transactions for broadband services, and protect users from fraud and abuse. But ISPs cannot advertise other types of services to their consumers based on their behavior history.
Maine Stepped Up When Feds Stepped Down
Gigi Sohn, a former adviser at the FCC, applauded the Maine data privacy law when it passed successfully. “The bipartisan passage of Maine’s broadband privacy bill demonstrates that when legislators listen to their constituents rather than big corporations, the public wins,” Sohn said. “The cable and broadband industry sent a parade of high-powered and highly-paid Washington, DC-based lawyers to Augusta in an effort to defeat this bill, using the same arguments they used to kill the FCC’s sensible and popular 2016 broadband privacy rules.”
“When the federal government stands down, the states must step up, and that is what Maine has done here,” she added.
Centraleyes State Privacy Law Tracking
Centraleyes has you covered on the latest updates to state privacy policies.
Check out our other articles on pertinent laws like California’s CPRA, Colorado’s CPA, Utah’s UCPA, and Virginia’s VCDPA.
Start Getting Value With
Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days