Maine: Internet privacy law advances consumer privacy protection and fills a federal-level regulatory void
On 1 August 2020, the Maine Attorney General ('AG') will begin enforcing Maine's new internet privacy law, an Act to Protect the Privacy of Online Customer Information[1] ('the Act'), which officially went into effect on 1 July 2020. The Act, which governs the use and disclosure of customer information by broadband internet access service ('BIAS') providers, is the first such state law to take effect since a similar federal privacy rule ('the FCC Privacy Rule'), promulgated by the Federal Communications Commission ('FCC'), was repealed by the United States Congress in 2017. Peter Guffin and Ariel Pardee, Partner and Associate respectively at Pierce Atwood LLP, analyse the Act against the backdrop of the broader privacy landscape marked by the repeal of the FCC Privacy Rule and the enactment of several other state consumer privacy laws, discuss challenges to the constitutionality of the Act, and address uncertainties as to how the Act will be enforced.
The Act applies to fixed and mobile BIAS providers operating within Maine when providing BIAS to customers who are physically located in Maine and physically billed for those services within Maine. Modelled after the FCC Privacy Rule, the Act requires BIAS providers to, among other things, present customers with notice, implement reasonable data security measures, and obtain customers' opt-in consent before using, disclosing, selling, or permitting access to 'customer personal information.' As a result, the Act has received nationwide attention as being among the most protective consumer-oriented state privacy laws enacted in the United States to date.
Not surprisingly, given the stakes, the Act is currently being challenged on constitutional grounds in the Federal District Court ('the Court') in Maine by members of the BIAS industry ('the Litigation'). Specifically, the plaintiffs allege that the Act constitutes an unlawful regulation of BIAS providers' speech under the First Amendment, is unconstitutionally vague, and is preempted by federal law. The pleadings filed to date in the Litigation shed light on how the Maine AG construes and will enforce the Act. In an order dated 7 July 2020[2] ('the Court Order'), the Court denied the plaintiffs' motion for judgment on the pleadings with respect to each of their claims, and it granted the Maine AG's cross-motion for judgment on the pleadings with respect to the plaintiffs' preemption claims. Left remaining in the Litigation for the Court's consideration are the plaintiffs' First Amendment and void-for-vagueness claims.
As noted above, the genesis of the Act can be attributed to the 2017 congressional nullification of an FCC Privacy Rule that, had it been permitted to take effect, would have federally regulated the use and disclosure of customer information by BIAS providers. The FCC Privacy Rule would have required BIAS providers to comply with certain notice and data security obligations, and, perhaps most importantly, would have required the implementation of a 'sensitivity-based customer choice framework.' More specifically, and subject to certain limited exceptions, BIAS providers would have been required to obtain customers' opt-in consent for the use and disclosure of certain 'sensitive' information, while the use and disclosure of all other 'non-sensitive' information would have been permitted so long as the providers effected a mechanism through which customers could opt out. Information that had been de-identified was exempt from either consent requirement.
Although at the time the FCC Privacy Rule was deemed a landmark information privacy law by many, it was also heavily criticised as singling out BIAS providers for expensive-to-implement regulation, while leaving web-based 'edge providers' to collect, use, and share consumer information subject only to case-by-case enforcement by the Federal Trade Commission ('FTC'). As readers may recall, Congress's ultimate decision to overturn the FCC Privacy Rule in 2017 provoked an outcry from consumer privacy advocates, and in the months that followed approximately half of all states – including Maine – had introduced their own privacy bills to fill the regulatory void that Congress had (for better or worse) created.
Although the Act was clearly inspired by the framework of the FCC Privacy Rule, it also contains a number of nuances that not only distinguish it from the FCC Privacy Rule, but also distinguish it from other consumer privacy frameworks like the California Consumer Privacy Act ('CCPA') and the Nevada Privacy of Information Collected on the Internet from Consumers Act ('the Nevada Privacy Act'). Most of these nuances are found in the Act's implementation of three fundamental privacy principles: transparency, consumer choice, and data security. The final nuance, though, is a conundrum of much curiosity – the Act's missing enforcement mechanism.
Transparency, choice and data security
First, with regard to transparency, the Act's notice requirement is, perhaps surprisingly, far less prescriptive than what many of us have come to expect in a consumer privacy law. While BIAS providers must present a 'clear, conspicuous and nondeceptive' notice to customers at the point of sale and on their websites, that notice is only required to contain an explanation of providers' obligations under the Act and the rights that the Act bestows upon customers. When compared to the notice requirements in the CCPA or the Nevada Privacy Act, each of which requires fairly detailed explanations of businesses' information privacy practices, the Act's notice seems to fall somewhat short of requiring BIAS providers' transparency. Even the FCC Privacy Rule would have required some detail about BIAS providers' information collection and sharing practices to be included in providers' notices. It is conceivable, however, that prescriptive notice requirements are simply unnecessary in this statute. After all, BIAS providers are required to obtain customers' opt-in consent before using, disclosing, selling or providing access to personal information (discussed below) and, consequently, BIAS providers may find themselves having to be considerably more transparent about their privacy practices (e.g., what information they collect, for what purposes, and with whom they plan to share it) than they are required to be, if only to convince customers that BIAS providers can be trusted with their personal information.
Moving on to the Act's customer choice framework, the Act obligates BIAS providers to, subject to certain limited exceptions, obtain customers' opt-in consent prior to the use or disclosure of customer personal information. It also requires BIAS providers to allow a customer to opt out of the use or disclosure of all other information that pertains to the customer. This tiered customer choice framework is reminiscent of the FCC Privacy Rule's 'sensitivity-based customer choice framework,' but is distinguishable in two ways. First, the scope of the Act's opt-in requirement is broader, and second, the Act is missing any express exception to the consent requirement for information that is sufficiently de-identified.
With regard to the former, the Act requires BIAS providers to obtain customers' 'express, affirmative consent' – in other words, opt-in consent – for the use, disclosure, or sale of, or the provision of access to, all 'customer personal information.' By definition, customer personal information encompasses a broad array of information including customers' names, billing information, social security numbers, billing addresses, demographic data, precise geolocation information, financial information, health information, children's information, web browsing and application usage histories, device identifiers or IP addresses, origin and destination IP addresses, and the content of the customers' communications. This definition tracks the FCC Privacy Rule's definition of 'sensitive' information, except that it adds a few categories of information (specifically, 'name, billing information […] billing address, [and] demographic information') explicitly covered by the Act's opt-in requirement. Importantly (but not unlike other privacy laws that have come before), the Act's definition of customer personal information is expressly non-exhaustive, and therefore it remains to be seen what other pieces of information may fall within the ambit of the term. While the Act's broad definition of customer personal information seems to follow the trend set by the CCPA, the opt-in requirement for the providers' use of that information goes above and beyond the CCPA, and is more in line with the opt-in requirements of Illinois's Biometric Information Privacy Act of 2008 or the federal Video Privacy Protection Act.
BIAS providers are permitted by the Act to use, disclose, sell, or provide access to information that 'pertains to a customer' but that does not fall within the above definition of 'customer personal information' unless and until a customer provides written notice to the BIAS provider that he or she does not consent to such use, disclosure, sale, or provision of access – i.e. the customer opts out. What constitutes information that 'pertains to a customer' (but that is not 'customer personal information') is not entirely clear; the Act does not provide a definition or any examples of what such information could be. This omission, coupled with the non-exhaustive definition of 'customer personal information,' seems to muddy the water for BIAS providers as to precisely which information requires customers' opt-in consent and which information does not. Notably, in an effort to bring clarity, the Maine AG, in his pleadings filed in the Litigation, offered a "limiting construction" of what constitutes information that "pertains to a customer" (but that is not "customer personal information"). As stated by the Court in the Court Order, the Maine AG has construed the latter bucket of information as "refer[ring] to the same category of ['non-sensitive' information] expressed in the [FCC Privacy Rule]."
Which leads us to the second factor that distinguishes the Act's customer choice framework: the missing exception for de-identified information. Without stepping into the debate about what constitutes sufficient de-identification of information – meaning that the information can no longer be reasonably linked to a particular individual – it's worth noting that many consumer privacy laws of the modern era, including the CCPA, contain an exception for the use and disclosure of information that has been sufficiently de-identified.
But the Act does not expressly account for de-identified information, and consequently, without more, we are left to speculate where such information fits into the Act's consent framework, if at all. Attempting to rectify the Act's failure on this point, the Maine AG has stated in his pleadings filed in the Litigation that information that is both de-identified and aggregated falls outside the scope of protection under the Act. Thus, it appears that BIAS providers are free to use and disclose as they please customer information that has been sufficiently de-identified and aggregated.
One final nuance to note about the Act's consent framework before we move on is that similar to the CCPA's non-discrimination provision, the Act categorically prohibits BIAS providers from either refusing service to someone who does not give their consent, or penalising or offering a customer a discount based on the customer's decision to give or withhold consent. Further, opt-in consent may be revoked by the customer at any time.
With regard to the third privacy principle – that of data security – the Act's provision is relatively vanilla. Like the FCC Privacy Rule before it, the Act requires BIAS providers to implement 'reasonable measures to protect customer personal information from unauthorized use, disclosure or access,' taking into account the nature and scope of the provider's activities, the sensitivity of the data the provider collects, the size of the provider, and the technical feasibility of the security measures. Unlike the FCC Privacy Rule, however, the Act does not require BIAS providers to comply with any particular set of data breach notification procedures. Although Maine has a more generally applicable data breach notification statute[3], that statute is only triggered in the event a breach affects unencrypted 'personal information' – and the term 'personal information' is defined much more narrowly in the data breach notification statute than 'customer personal information' is defined in the Act.
Lastly, the Act is (rather conspicuously) missing an enforcement mechanism. This was not by mistake; the Legislature contemplated an express provision for enforcement by the Maine AG, but that provision never made it across the finish line. Consequently, nobody knows for sure how the Act will be enforced – but there are plenty of theories. Some say the fact that the Act is located in the title of the Maine Revised Statutes that governs public utilities means that the Act should be enforced by Maine's Public Utilities Commission (this despite the fact that BIAS providers are not public utilities); others think perhaps the Act contains an inferred private right of action – a theory that is highly unlikely to be upheld in Maine courts. Perhaps the most viable theory is that Maine's AG will enforce the Act under the Maine Unfair Trade Practices Act[4] ('MUPTA'), but even that theory is not without doubt. As has been astutely pointed out by legal commentators before, Section 207 of MUPTA provides that courts construing MUPTA will be guided by the FTC's interpretations of the Federal Trade Commission Act ('FTC Act'). But because the FTC Act does not provide for any restrictions on the use or disclosure of customer information by BIAS providers, it could be challenging for the AG to convince a court that this enforcement mechanism is viable.
One could say that Maine has embraced its responsibility as a 'laboratory of democracy,' and the Act is its experiment. After all, although the Act seems to draw inspiration from a number of privacy frameworks that have come before – it is also not quite like any of the others. Most obviously, instead of relying heavily on transparency and 'market competition,' as so many privacy frameworks do, it relies almost exclusively on the power of consumer control. At a high level, this decision seems to reveal a shift in how U.S. regulators respond to information privacy concerns, and more specifically, how regulators balance the value of protecting consumers' privacy against the commercial value of consumers' information to businesses. Furthermore, the Act's broader scope of 'personal information' that is subject to a heightened standard of consumer choice also reflects a growing consensus among privacy experts and regulators that, given advancements in technology, including Big Data, consumer information is not easily separated into varying, discrete degrees of sensitivity or identifiability, and therefore much more information about consumers, collected and derived from their transactions, should be subject to more privacy-protecting measures.
Of course, many questions about the Act remain unanswered, not the least of which is whether the Act will survive the current court challenge. Separately, another key question is whether other states will follow with similar legislation. We'll be keeping an eye on the Act and its enforcement, as well as the efforts of other state legislatures to regulate consumer privacy in this space.
1. §9301 of Chapter 94 of Part 7 of Title 35-A of the Maine Revised Statutes, available at: http://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html
2. Available at: https://www.govinfo.gov/content/pkg/USCOURTS-med-1_20-cv-00055/pdf/USCOURTS-med-1_20-cv-00055-0.pdf
3. §1348 of Chapter 210-B of Part 3 of Title 10 of the Maine Revised Statutes, available at: https://legislature.maine.gov/statutes/10/title10sec1348.html
4. §205-A et seq of Chapter 10 of Title 5 of the Maine Revised Statutes, available at: https://legislature.maine.gov/statutes/5/title5ch10sec0.html