Data Privacy Detective Podcast Episode 43 - What You Need to Know about Maine’s New Privacy Law
Sometimes it seems the United States is more a loose federation than a national government. States have a major role in law-making. Data privacy is no exception. A recent law adopted by the State of Maine differs greatly from the California act that will come into force on January 1, 2020. Maine’s law will be effective on July 1, 2020. This podcast hits the highlights of it.
Melissa Kern, Co-Chair of Frost Brown Todd LLC’s Privacy and Data Security Team, explains that the Maine law applies to broadband internet access services – the folks who bring us access to the internet – not website hosts, not everyone holding personal data – but providers like AT&T and Spectrum as well as regional internet access providers. If a provider has even one customer in Maine who is billed for service there, the Maine law applies. There’s no safe harbor threshold.
With certain exceptions, the Maine law requires express “opt-in” consent before customer personal information can be used or shared. This is unlike the California Consumer Privacy Act (CCPA), which goes into effect January 1 and requires most users to “opt out” if they do not want their personal information sold.
“Customer personal information” means:
- Personally identifying information including name, billing information, social security number, billing address, demographic data;
- Internet use information including browsing history; application usage history; precise geolocation information; financial information; health information; information pertaining to the customer's children; device identifiers, such as a media access control address, international mobile equipment identity or Internet Protocol address; content of the communications; origin and destination Internet Protocol addresses.
In addition to obtaining express consent, providers must:
- Provide clear, conspicuous, and non-deceptive notice to customers informing them of their rights and the provider's obligations both at the point of sale and on the provider's website;
- Allow customers to opt out of the use, disclosure, or sale of their non-personal information via written request; and
- Take reasonable measures to protect customer personal information from unauthorized use, access, or disclosure.
Providers cannot refuse to serve customers who do not provide consent, charge a customer a penalty for not providing consent, or offer a discount for providing consent.
Exceptions? Yes, providers can collect, retain, use, disclose, sell and permit access to customer personal information without express approval:
- For the purpose of providing the services;
- To advertise or market the provider's communications-related services to the customer;
- To comply with a lawful court order;
- To bill and collect payments for the services;
- To protect users from fraudulent, abusive or unlawful use of or subscription to such services;
- To provide geolocation information about the customer to respond to the customer's call for emergency services or to assist with the delivery of emergency services in response to an emergency.
Oddly – and sure to be clarified through future court cases – Maine’s statute is silent about who can enforce it and how. There are no prescribed penalties or fines for non-compliance. It’s also silent about whether individuals have a private right of action.
It’s quite different from the new California law that is gathering substantial attention. Maine’s law is more restrictive than the California Consumer Privacy Act (CCPA) in requiring “opt-in.” But, unlike CCPA, Maine’s law applies only to internet service providers and does not explicitly provide a private right of action. Unlike CCPA, Maine’s statute expressly imposes security requirements on affected providers, though what does “reasonable” mean? It’s probably a recognition that decent protection today will be unreasonably lax in the future as quantum computing and other tools give hackers better and better ways to steal personal information. But a vague standard like “reasonable” will also lead to litigation while expectations remain foggy.
Podcast 43 explores Maine’s different state approach to privacy protection. And it makes one wonder: how can a business keep up to date on the checkerboard of differing state laws that affect the digital age? With enough complexity from differing state approaches, when will the U.S. Congress act to create nationally binding, preemptive rules that enable interstate and global commerce while providing adequate personal data protection for all U.S. persons? Can we unite around a common code for personal data protection that gives clear guidance and protection on a national basis?
If you have ideas for more interviews or stories, please email firstname.lastname@example.org.