On June 7, 2019, Maine Gov. Janet Mills signed into law the Act to Protect the Privacy of Online Consumer Information, which prohibits broadband Internet access service providers from using, selling, distributing or permitting access to customer personal information for purposes other than providing services, unless the customer expressly consents to that use, disclosure, sale, or access. The new law, which applies only to broadband providers operating within Maine when providing services to individuals physically located in Maine, becomes effective as of July 1, 2020.
The term “customer personal information” includes two types of information: (a) “personally identifiable customer information” about the customer and (b) information derived from the customer’s use of broadband internet access services, which includes a wide range of information, for instance, web browsing history, application usage history, geolocation, financial and health information, device identifier, IP address, and the content of the customer’s communications.
There are several exceptions to the general prohibition, where the use, sale, disclosure, or sharing of personal information is permitted without prior express, affirmative consent. Those range from information necessary to provide the service to handling emergencies, collecting payment, or protection against fraud.
The new statute also requires the service provider to take reasonable security measures to protect the personal information from unauthorized use, disclosure, or access, and to provide clear and conspicuous notice of the customer’s rights.
Since the passage of the California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), several states have evaluated adoption of bills that would allow consumers to object to the sale of their personal information. While a dozen states are in the early stages of this process, Nevada amended its existing consumer privacy statute in May (see GT Alert, Nevada Passes Opt-out Privacy Law, Effective October 1, 2019) to grant consumers a right to opt out of the sale of their personal information.
There are significant differences between the Maine law and those of California and Nevada. For example, both California and Nevada provide for an opt-out right (in most instances), while Maine requires a more restrictive opt-in (with limited exceptions). The range of protected information is very wide in Maine and California, but limited in Nevada. The Maine law is very short and does not provide much detail on how to implement its provisions; the California law is lengthy and detailed.
With three states having adopted statutes that restrict or prohibit the sale, disclosure, or sharing of personal information, in three different ways, with three different definitions of the types of information to be protected and the categories of entities affected, businesses are facing increasing compliance burdens. In the meantime, while interest in the creation of a national privacy law increases, there is no clear prospect that a law that harmonizes the different positions will pass in the foreseeable future, or before existing state laws enter into effect.
While legislators and industry groups are arguing about the issues and the scope of a potential national law, businesses may wish to take steps to understand their collection, use, and sharing of personal information; take time to acquire a better appreciation of the role of personal information in their business; and evaluate how to balance their needs with those of their registered and non-registered users in order to anticipate the potential consequences of a change in the legal landscape.
Over the past 20 years, consumers’ awareness of the value, and concern with the uses, of personal information has significantly increased, and so has their understanding of the benefits and dangers of the uses of personal information in today’s information society. It is clear that the second half of 2019 will see other developments, similar to those that have occurred in California, Nevada, and now Maine. It is essential for companies, even if they have no operations in those three states, to get organized and set aside the necessary budgets to face the likely tide of changes to privacy laws in the next few months, and the potential significant consequences for their business model and revenue streams.