Earlier this month, Maine’s legislature enacted a new statute granting broad privacy rights to internet users in the state. Hailed as “the strictest consumer privacy protections in the nation,” the statute places among the toughest burdens on regulated entities to protect the data of their consumers.
The statute applies only to broadband internet service providers (ISPs), defined as any “mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints.” According to the sponsor of the original bill, state Senator Shenna Bellows, the statute is intended to target companies with mass amounts of consumer data, such as Verizon and Xfinity. It excludes large technology companies such as Google and Facebook, which consumers can still avoid if they choose to do so. Sen. Bellows noted that ISPs were prioritized because “you can use the internet without using Facebook, [but y]ou can’t use the internet without using your internet service provider.” She has stated that she does intend to introduce more general privacy legislation in the future.
The statute divides consumer-related data into two categories: customer personal information and other customer information. The statute defines customer personal information to include personally-identifying information such as a consumer’s name, billing data, or social security number. Customer personal information also includes information about an individual’s internet activity, including browsing history, application usage, geolocation, health and financial information, IP addresses or other device identifiers, communications content, or origin and destination IP addresses.
For the disclosure of customer personal information, the statute creates an “opt-in” scheme under which an ISP may not use, disclose, sell, or permit access to this information without the express, affirmative consent of the individual to whom it pertains. The statute also prevents retaliation against a consumer who fails to give his consent for the use of his information, requiring that companies refrain from refusing service or charging penalties to any individual that does not provide such consent. In addition, the statute requires that this information be protected from unauthorized disclosure in a reasonable manner.
The statute does apply a narrow set of exceptions to the non-disclosure requirements for customer personal information. These exceptions include processing to bill customers or to provide the services required by an ISP, to comply with court orders, to prevent unlawful subscription practices, or to advertise the ISP’s communications-related services to the customer.
For the disclosure of information that is not customer personal information, the statute creates an “opt-out” scheme. ISPs are permitted to use or share information that does not fall under the customer personal information umbrella, unless an individual provides written notice that he or she does not want his or her data to be shared.