Privacy Scores Again: Maine Passes Strict Internet Privacy Law
Since the passing of the California Consumer Privacy Act (“CCPA”), several states are following in California’s footsteps and adopting privacy bills that would allow consumers to object to the sale of their personal information.
On June 6, 2019, the Maine Governor signed into law LD 946 with title: “An Act To Protect the Privacy of Online Customer Information”.
The law, which will go into effect July 1, 2020, blocks Internet service providers (ISPs) from selling, sharing, or granting third parties access to their customers’ data, unless explicitly given approval by those customers. With the changes, Maine residents now have an extra layer of protection for the emails, online chats, browser history, IP addresses, and geolocation data that is commonly collected and stored by telecommunication and technology sector companies.
So, while the CCPA gives customers the right to opt-out, this new law prohibits ISPs from utilizing customer data unless the customer opts in. This requirement goes further than the CCPA or Nevada law and is relatively unique among US privacy laws, which generally favor opt-out consent. This law will only regulate approximately 80 broadband ISPs in Maine, and only apply to the ISPs serving customers that are physically located and billed for services in the state.
Maine Privacy Law: LD 946 Compliance Requirements
The new Maine law defines “customer’s personal information” broadly to include
- (a) “personally identifiable customer information” about the customer, such as name, billing information and billing address, social security number, and demographic data, and
- (b) information derived from the customer’s use of broadband internet access services, such as web browsing history, application usage history, geolocation, financial and health information, information pertaining to the customer’s children, device identifier (such as IP addresses or international mobile equipment identity), and the content of the customer’s communications.
LD 946 has three main compliance requirements:
- Customer Personal Information – A provider may not use, disclose, sell or permit access to customer’s personal information except as governed by an exception provided in the law. Exceptions include express affirmative customer consent, marketing/advertising, compliance with a lawful court order, billing/payment, fraud protection, and the provision of geolocation information in certain circumstances.
- Security – The law requires providers to implement reasonable measures to protect customer personal information from unauthorized use, disclosure or access. The nature and scope of the activities, the sensitivity of the data collection, the size of the provider and the technical feasibility of the security measures may be taken into account.
- Disclosures – The law requires providers to offer a clear, conspicuous and non deceptive notice on their website and at the point of sale concerning the provider’s obligations and the consumer’s rights under the law.
How to Comply with the Maine Privacy Law?
With three states (California, Nevada and Maine) having adopted statutes that restrict or prohibit the sale, disclosure, or sharing of personal information, in three different ways, with three different definitions of the types of information to be protected and the categories of entities affected, businesses are facing increasing compliance burdens.
Businesses must provide notice, seek express opt-in consent before collecting personal information, and protect personal information.
- Providers must provide notice of its obligations and customers’ rights under the law to its customers at the point of sale and on their publicly accessible website.
- Subject to several exemptions including to provide the service, providers must seek express prior opt-in consent before using, disclosing, selling or permitting access to a customer’s personal information. Any consent given may be revoked at any time.
- Providers must protect personal information as defined by the Law.
It is clear that the second half of 2019 will see other developments, similar to those that have occurred in California, Nevada, and now Maine.
It is essential for companies, even if they have no operations in those three states, to get organized and set aside the necessary budgets to face the likely tide of changes to privacy laws in the next few months, and the significant consequences for their business model and revenue streams.