Peter Guffin, visiting professor of practice at the University of Maine School of Law, recently co-authored an article in the Maine Lawyers Review with Kyle Noonan, an associate at Pierce Atwood. The article which is titled, “Maine’s New Internet Privacy Law in Brief,” explains the new law, what it means for business, and how it will be enforced.
Below is an excerpt from their article:
Earlier this month, Maine enacted an internet privacy law requiring broadband internet service providers (ISPs) to obtain a customer’s express, affirmative consent before using personal information, including browsing history. As the first state to enact such a law, Maine generated national headlines. But the new law reflects growing interest among state legislatures around the country in protecting the privacy rights of consumers in today’s digital world, given the lack of a comprehensive federal data protection law.
What does the new law do?
The new law, An Act To Protect the Privacy of Online Customer Information (LD 946, to be codified at 35-A M.R.S. c.94), prohibits ISPs from using, disclosing, selling, or permitting access to the vast majority of information generated by a customer’s use of internet service. The Act protects a customer’s web browsing history, application usage history, precise geolocation information, device identifiers, the origin and destination internet protocol addresses, personal identifying information, and the content of a customer’s communications. Before an ISP may use, disclose, sell, or permit access to this customer information, it must obtain “express, affirmative consent.” So, rather than giving customers the right to opt out of having their data utilized, the Act prohibits ISPs from utilizing customers’ data unless and until a customer consents. The Act also requires ISPs to provide customers a “clear, conspicuous and nondeceptive notice” of the ISP’s obligations and a customer’s rights.
Furthermore, the Act also prohibits ISPs from refusing to serve customers that withhold consent and bans ISPs from offering financial or other incentives for customers to opt-in. And the Act requires ISPs to take “reasonable measures” to protect customer information from unauthorized use (i.e., being hacked and stolen). Notably, the Act applies only to ISPs, and not to other internet actors that collect and use customer information, such as search engines and social networks.The law resembles regulations that the Federal Communications Commission implemented in 2016. In 2017, however, Congress overturned these regulations under the Congressional Review Act, spurring a number of state legislatures, including Maine’s, to explore their own internet privacy rules.
At Maine Law, Guffin serves as co-director of the Information Privacy Law Program. He teaches courses and practicums in information privacy law and cybersecurity. He also heads Pierce Atwood’s Privacy & Data Security practice, where he counsels clients on compliance with state, federal, and international laws and regulations relating to privacy and data protection, including cross-border data transfers.
