What You Need to Know about Maine’s New Privacy Law

August 15, 2019

States across the U.S. are rapidly passing new consumer privacy laws. This is the second in an ongoing series of articles about these new laws and how they may affect you. This week we are looking at Maine’s new law, the Act to Protect the Privacy of Online Customer Information (Senate Paper 275), which was signed by Governor Janet Mills on June 6, 2019, and goes into effect on July 1, 2020.

In a nutshell

The law was enacted to protect the privacy of customers of broadband internet access services and requires covered providers to obtain opt-in consent before using, disclosing, or selling their customers’ personal information. 

Who must comply?

Providers” who provide broadband internet access service and are operating within Maine.

Who is protected?

Customers,” which are defined as applicants for or current or former subscribers of broadband internet access service, and are:

What data is protected?

This law protects “customer personal information,” meaning the following information about a customer:

How to comply?

To comply, providers must do the following:

Providers must not:

Are there any exceptions?

Yes. Providers can collect, retain, use, disclose, sell and permit access to customer personal information without customer approval for the following purposes:

Penalties for non-compliance

The law does not say who will be entitled to enforce it on behalf of Maine customers and does not specify penalties for non-compliance. The law is silent as to whether it creates a private right of action. Unless the Maine legislature acts to bar private rights of action before its effective date, it will likely be left to the courts to decide whether a private right of action was created by the law.

How does this compare to the CCPA?

This law is more restrictive than the California Consumer Privacy Act (CCPA) in that it requires customers to “opt-in” to the use of their personal information instead of allowing them to “opt-out.” But, unlike the CCPA, this law only applies to internet service providers and does not explicitly provide a private right of action. Further, unlike the CCPA, this law expressly imposes security requirements on impacted providers.

Anything else?

Maine law already requires that each public entity that has a publicly accessible site on the internet provide the following notices on its website:

For more information, contact Melissa Kern, Victoria Beckman, or any other attorney on Frost Brown Todd's Privacy and Data Security team.