What You Need to Know about Maine’s New Privacy Law
States across the U.S. are rapidly passing new consumer privacy laws. This is the second in an ongoing series of articles about these new laws and how they may affect you. This week we are looking at Maine’s new law, the Act to Protect the Privacy of Online Customer Information (Senate Paper 275), which was signed by Governor Janet Mills on June 6, 2019, and goes into effect on July 1, 2020.
In a nutshell
The law was enacted to protect the privacy of customers of broadband internet access services and requires covered providers to obtain opt-in consent before using, disclosing, or selling their customers’ personal information.
Who must comply?
“Providers” who provide broadband internet access service and are operating within Maine.
Who is protected?
“Customers,” which are defined as applicants for or current or former subscribers of broadband internet access service, and are:
- Physically located in Maine; and
- Billed for service received in Maine.
What data is protected?
This law protects “customer personal information,” meaning the following information about a customer:
- Personally identifying information, including name, billing information, social security number, billing address, and demographic data.
- Internet use information, including browsing history; application usage history; precise geolocation information; financial information; health information; information pertaining to the customer’s children; device identifiers, such as a media access control address, international mobile equipment identity or Internet protocol address; content of the communications; and origin and destination Internet protocol addresses.
How to comply?
To comply, providers must do the following:
- Obtain express, affirmative consent from customers before using, disclosing, or selling their personal information and allow customers to revoke consent at any time.
- Take reasonable measures to protect customer personal information from unauthorized use, access, or disclosure.
- Allow customers to opt out of the use, disclosure, or sale of their non-personal information via written request.
- Provide clear, conspicuous, and non-deceptive notice to customers informing them of their rights and the provider’s obligations both at the point of sale and on the provider’s website.
Providers must not:
- Refuse to serve customers who do not provide consent.
- Charge a customer a penalty for not providing consent.
- Offer a discount for providing consent.
Are there any exceptions?
Yes. Providers can collect, retain, use, disclose, sell and permit access to customer personal information without customer approval for the following purposes:
- For the purpose of providing the services.
- To advertise or market the provider's communications-related services to the customer.
- To comply with a lawful court order.
- To bill and collect payments for the services.
- To protect users from fraudulent, abusive or unlawful use of or subscription to such services.
- To provide geolocation information concerning the customer to respond to a customer’s call for emergency services or to assist with the delivery of emergency services in response to an emergency.
Penalties for non-compliance
The law does not say who will be entitled to enforce it on behalf of Maine customers and does not specify penalties for non-compliance. The law is silent as to whether it creates a private right of action. Unless the Maine legislature acts to bar private rights of action before its effective date, it will likely be left to the courts to decide whether a private right of action was created by the law.
How does this compare to the CCPA?
This law is more restrictive than the California Consumer Privacy Act (CCPA) in that it requires customers to “opt-in” to the use of their personal information instead of allowing them to “opt-out.” But, unlike the CCPA, this law only applies to internet service providers and does not explicitly provide a private right of action. Further, unlike the CCPA, this law expressly imposes security requirements on impacted providers.
Maine law already requires that each public entity that has a publicly accessible site on the internet provide the following notices on its website:
- A description of personal information collected;
- Use and disclosure of information;
- The extent to which the user has a choice whether to provide personal information and the consequences of refusing to give that information;
- The procedures, if any, by which the user may request access to that user's personal information and request correction of that information; and
- The steps taken to protect personal information from misuse or unauthorized access.