The Maine legislature has passed a bill imposing the nation’s strictest limitations on broadband providers’ use of consumer data. On May 30, 2019, the Maine State Senate approved the House’s amended version of Legislative Document (LD) 946, entitled “An Act To Protect the Privacy of Online Customer Information,” which now awaits Governor Janet Mills’s signature.

The bill would prohibit Internet service providers (ISPs) that collect revenue from Maine residents from selling Maine customers’ personal data without those customers “opting in” to data sharing. These provisions would go into effect on July 1, 2020.

Under the bill, a provider of broadband Internet access is prohibited from “using, disclosing, selling, or permitting access to “customer personal information.” The bill defines “customer personal information” to include a customer’s web browsing history, application usage history, precise geolocation information, financial information, health information, “[i]nformation pertaining to the customer’s children,” the customer’s device identifier (such as IP address or international mobile equipment identity), the content of customer’s communications, and the origin and destination IP addresses. The bill does not define the terms “health information,” “financial information,” or “[i]nformation pertaining to the customer’s children.”

The bill makes a few limited exceptions for the provider’s use of customer personal information. For example, it allows providers to use such information to “comply with a lawful court order[,]” collect payment for Internet service, protect users from fraud, and provide location information to assist in the delivery of emergency services.

Maine’s bill also requires providers to “take reasonable measure to protect customer personal information from unauthorized use, disclosure or access,” taking into account the scope and nature of the provider’s activities, the sensitivity of the data collected, the provider’s size, and the technical feasibility of security measures. “Sensitivity,” “technical feasibility,” and “security measures” are not defined.

The bill specifically applies to “providers operating within [Maine] when providing broadband Internet access service to customers that are physically located and billed for service received in the State.”

Governor Mills will now review the bill. Lawmakers, including the bill’s sponsor, Senator Shenna Bellows of Manchester, Maine, are hopeful that Governor Mills will sign it. If the governor were to veto it, there would be little time for further action, as the Maine legislature adjourns on June 19, 2019.

The bill does not address enforcement. In public testimony before the legislature, Maine Attorney General Aaron Frey stated that his office would “vigorously defend” the statute “on behalf of Maine’s consumers if necessary.” The statute could be enforced by the attorney general under the Maine Unfair Trade Practices Act, which allows the attorney general to bring an action in the name of the state to enjoin practices that appear to be unlawful.

Nevada and Minnesota have enacted similar laws. The Nevada statute (Nevada Revised Statutes section 205.498) makes an Internet provider’s disclosure of confidential information a misdemeanor and provides for a fine between $50 and $500 per violation. The Minnesota law (Minnesota Statutes sections 325M.01–09) requires ISPs to take “reasonable steps to maintain the security and privacy of a consumer’s personally identifiable information” and allows for civil actions by consumers, but not class actions. The Minnesota law prohibits the disclosure of personally identifiable information except as incident to the ordinary course of business of the service provider, in response to a court order, subpoena, or warrant, to another Internet service provider under certain circumstances, or by authorization of the consumer.  Under an exception created by another Minnesota statute, cited in the privacy statute, personally identifiable information may be disclosed to law enforcement if it qualifies as contents of electronic communications “that appear to pertain to the commission of a crime” and that “were inadvertently obtained by the service provider.”

California enacted a similar statute in 2018, applicable not just to service providers but any business that collects a consumer’s personal information. The California statute is broader than the Maine statute with respect to the entities covered. However, the California law requires consumers to request information on data collection and to affirmatively opt out, while Maine’s bill requires customers to opt in for providers to share data. That the Maine bill limits its reach to ISPs was intentional, according to the bill’s sponsor, Senator Bellows, because regulating broader activity would raise potential constitutional questions about Maine’s authority to regulate interstate commerce.