Maine’s Act To Protect the Privacy of Online Customer Information (“Maine’s BSP Privacy Act”) was signed by Maine’s Governor on June 6, 2019. Maine’s new BSP law prohibits providers of broadband Internet access services from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents or an exception applies. The exceptions under which a provider may use, disclose, sell, or permit access to customer personal information include compliance with the law, fraud prevention, provision of services and emergency situations. Maine’s BSP Privacy Act also prohibits a provider from refusing to serve a customer who does not consent, and from charging a penalty or offering a discount based on the customer’s consent decision. It further requires the implementation of security measures and requires notice.
Maine’s BSP Privacy Act is a reaction to the 2017 repeal of the FCC’s rules that would have put in place certain internet privacy protections related to ISPs. The rules, which had not yet gone into effect when they were revoked by a Republican Congress with the blessing of the Trump administration, would have placed restrictions on what internet service providers could do with the consumer data they collected. For example, under the FCC’s rules, providers would have needed permission from customers before collecting and sharing data, including users’ health and financial details, web browsing history, app usage and geo-location.
PRACTICE TIP: It is important for privacy professionals to realize that two states, Nevada and Minnesota, have since the early 2000s required ISPs to keep private certain information concerning their customers, unless the customer gives permission to disclose the information. Both states prohibit disclosure of personally identifying information, but Minnesota also requires ISPs to get permission from subscribers before disclosing information about the subscribers’ online surfing habits and internet sites visited. (See, Minn. Stat. §§ 325M.01 to .09 and Nevada Revised Stat. § 205.498)
SUMMARY OF MAINE’S BSP PRIVACY ACT:
Who is regulated (Territorial Scope)?
Maine’s BSP privacy law regulates providers of “broadband Internet access service” operating “within the state” of Maine and providing services to customers physically located in Maine.
(1) Provider of broadband Internet access service
A provider of “broadband Internet access service” (“BSP”) means any mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service. (See, Sec. 1. 35-A MRSA c. 94 §9301(1)(A)&(D))
(2) Operating in the state
The law applies only to BSPs operating within the State of Maine when providing broadband Internet access service to customers that are physically located and billed for service received in the State. (See, Sec. 1. 35-A MRSA c. 94 §9301(7))
What is regulated (Material Scope)?
The use, disclosure, selling, access and protection of personal information by BSPs are regulated. Specifically, BSPs are:
- prohibited from using, disclosing, selling or permitting access to “customer” “personal information” without the customer’s consent, although certain exceptions apply (see, Sec. 1. 35-A MRSA c. 94 §9301(2));
- required to put in place measures to protect customer personal information from unauthorized use, disclosure or access (see, Sec. 1. 35-A MRSA c. 94 §9301(5)); and
- required to provide notice (see, Sec. 1. 35-A MRSA c. 94 §9301(6)).
A “customer” is an applicant for or a current or former subscriber of a BSP that resides in the State of Maine. (See, Sec. 1. 35-A MRSA c. 94 §9301(1)(B))
(2) Personal information
Customer “personal information” means:
- personally identifying information about a customer, including but not limited to the customer’s name, billing information, social security number, billing address and demographic data; AND
- information from a customer’s use of broadband Internet access service, including, but not limited to, web browsing history; application usage history; precise geolocation information; financial information; health information; information pertaining to the customer’s children; customer’s device identifier, such as a media access control address, international mobile equipment identity or Internet protocol address; content of the customer’s communications; and origin and destination Internet protocol addresses.
(See, Sec. 1. 35-A MRSA c. 94 §9301(1)(C))
Rights and obligations
(1) Prohibition against use, disclosure, sale, or access.
As a general rule, a BSP may not use, disclose, sell or permit access to customer personal information. (See, Sec. 1. 35-A MRSA c. 94 §9301(2))
Several exceptions apply. Specifically, a BSP may collect, retain, use, disclose, sell and permit access to customer personal information:
- With consent. Consent must be express, affirmative, and specific (to the use, disclosure, sale or access). Consent is revocable at any time. A BSP may not (i) refuse to serve a customer who does not provide consent; or (ii) charge a penalty or offer a discount based on the customer’s decision to provide or not provide consent. (See, Sec. 1. 35-A MRSA c. 94 §9301(3)(A)&(B))
- To provide the service. A BSP may collect, retain, use, and disclose personal information for the purpose of providing the service from which such information is derived or for the services necessary to the provision of such service (See, Sec. 1. 35-A MRSA c. 94 §9301(4))
- To advertise own products. A BSP may collect, retain, use, and disclose personal information to advertise or market the BSP’s communications-related services to the customer (See, Sec. 1. 35-A MRSA c. 94 §9301(4))
- To comply with law. A BSP may collect, retain, use, and disclose personal information to comply with a lawful court order (See, Sec. 1. 35-A MRSA c. 94 §9301(4))
- To collect payment. A BSP may collect, retain, use, and disclose personal information to initiate, render, bill for and collect payment for the service. (See, Sec. 1. 35-A MRSA c. 94 §9301(4))
- To prevent fraud. A BSP may collect, retain, use, and disclose personal information to protect users of the provider’s or other providers’ services from fraudulent, abusive or unlawful use of or subscription to such services. (See, Sec. 1. 35-A MRSA c. 94 §9301(4))
- Geo-location for emergency services. A BSP may collect, retain, use, and disclose geolocation information concerning the customer to respond to an emergency (in response to a customer’s call for emergency services, to a public safety answering point; a provider of emergency medical or emergency dispatch services; a public safety, fire service or law enforcement official; or a hospital emergency or trauma care facility); OR to assist with the delivery of emergency services (the information may be disclosed to a provider of information or database management services solely for the purpose of assisting in the delivery of emergency services in response to an emergency). (See, Sec. 1. 35-A MRSA c. 94 §9301(4))
- Federal exemption. The Maine BSP Privacy Act expressly exempts Title 16, chapter 3, subchapters 10 and 11 and 18 United States Code, Section 2703. (See, Sec. 1. 35-A MRSA c. 94 §9301(2))
Opt-out rule for non-“personal information”: A BSP may use, disclose, sell or permit access to information the provider collects pertaining to a customer that is not customer personal information, except upon written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell or permit access to that information. Opt-outs do not restrict the BSP’s ability to share data under an exception to the general rule other than consent. (See, Sec. 1. 35-A MRSA c. 94 §9301(3)(C))
A BSP shall take reasonable measures to protect customer personal information from unauthorized use, disclosure or access. In implementing security measures required by this subsection, a BSP shall take into account each of the following factors:
- The nature and scope of the provider’s activities;
- The sensitivity of the data the provider collects;
- The size of the provider; and
- The technical feasibility of the security measures.
A BSP may employ any lawful measure that allows the BSP to comply with the security requirements.
(See, Sec. 1. 35-A MRSA c. 94 §9301(5))
(3) Notice required.
A BSP shall provide to its customers a clear, conspicuous and non-deceptive notice at the point of sale and on the provider’s publicly accessible website of the provider’s obligations and a customer’s rights under Maine’s ISP privacy law.
(See, Sec. 1. 35-A MRSA c. 94 §9301(6))
FCC Adopts Broadband Consumer Privacy Rules (FCC news release, Oct. 2016)
Trump signs repeal of U.S. broadband privacy rules (Reuters, April 2017)