Due to COVID-19, Maine’s attorney general agreed to delay until August 1, 2020 enforcement of the state’s new internet privacy law, “An Act to Protect the Privacy of Online Customer Information” (Act), which officially went into effect on July 1, 2020.
An analysis of the requirements of the Act, as well as an understanding of the key arguments made by the internet service provider industry to block its enforcement, together provide an excellent lesson book for examining some of the legal hurdles that states, not just Maine, must be prepared to overcome if they wish to enact legislation designed to protect consumer online privacy.
Despite the sweeping nature of its official title, the Act does not regulate all businesses operating within the internet ecosystem, but rather it regulates only one particular (albeit important) category of businesses – fixed and mobile broadband internet access service (BIAS) providers. BIAS providers play a unique role as gatekeepers of the internet, serving as essential onramps to the internet. Whenever a person uses an online service – whether reading a webpage, watching a video, or playing a game – a BIAS provider necessarily handles that individual’s data.
Among other things, the Act requires BIAS providers to present customers with notice, implement reasonable data security measures, and perhaps most importantly, obtain customers’ opt-in consent before using, disclosing, selling, or permitting access to “customer personal information.” Opt-in consent represents a significant feature that sets the Act apart from most other consumer-oriented state privacy laws, especially given the broad array of personal information for which such consent is required.
For example, the definition of customer personal information includes not only information traditionally considered “personal information” such as customer name, address, and social security number, but also billing information, demographic data, precise geolocation information, web browsing and application usage histories, device identifiers, and IP addresses, including origin and destination IP addresses. The Act further restricts the use of information the BIAS providers collect pertaining to a customer that is not customer personal information, if a customer opts out.
The Act advances the privacy of consumers on the internet in ways that go beyond what any other state or federal privacy law requires, including the California Consumer Privacy Act (CCPA). The Act, which was modeled after a similar privacy rule promulgated by the Federal Communications Commission (FCC) in 2016, essentially attempts to fill a void in federal privacy regulation created by the repeal of the FCC privacy rule by the United States Congress in 2017. An analysis of the Act’s key requirements, including some of the fascinating nuances that distinguish it from the FCC privacy rule and other consumer privacy frameworks such as the CCPA, is outside the scope of this alert but can be found in an Insights article recently authored by Peter Guffin and Ariel Pardee and published by OneTrust DataGuidance.
Although the Act has been lauded by consumer privacy advocates, not all persons affected by its enactment are celebrating. Earlier this year several BIAS industry associations united to bring suit against the Maine attorney general in federal district court challenging the legality of the Act on a number of grounds. Specifically, the plaintiffs allege that the Act constitutes a facially unconstitutional violation of the First Amendment, is unconstitutionally vague, and is preempted by federal law. In an order dated July 7, 2020, and after considering not only the arguments of the parties, but also the arguments of a number of amici, the court denied the plaintiffs’ motion for judgment on the pleadings with respect to each of their claims, and granted the Maine attorney general’s cross-motion for judgment on the pleadings with respect to the plaintiffs’ preemption claims. Left remaining in the litigation for the court’s consideration are plaintiffs’ First Amendment claim and void for vagueness claims.
Looking first at the plaintiffs’ First Amendment claim, the court in its July 7 order made the presumption that the BIAS providers’ marketing of customer data, like the prescriber-identifying data in Sorrell, is protected by the First Amendment. It then determined that, as a matter of law, the Act is a regulation of commercial speech subject to intermediate scrutiny. In making such determination, the court observed that “expression related solely to the economic interests of the speaker and its audience” is ordinarily accorded less First Amendment protection than is accorded other forms of constitutionally guaranteed expression. The court rejected plaintiffs’ argument that Sorrell requires strict scrutiny for any speaker- or content-based speech regulation, commercial or otherwise. Rather, according to the court, “Sorrell holds that ‘heightened scrutiny’ applies when regulations discriminate on the basis of the speaker or the content. But what level of ‘heightened’ scrutiny is, in turn, determined by the type of speech being regulated.”
Applying the intermediate scrutiny standard, the state has the burden to establish that (1) the Act directly advances a substantial government interest and (2) the restrictions contained in the Act are not more extensive than are necessary to serve that interest. With regard to the former, the state will have to demonstrate that the privacy harms being addressed by the Act are “real” and not merely conjecture, and that the Act will alleviate the risk of such harm to a material degree. As to the latter, the state must “affirmatively establish” a reasonable fit between the Act and its goal. According to the court, “[t]his inquiry does not require ‘that there be no conceivable alternative’ to the government’s approach, or that the government’s regulation be the least restrictive means of advancing its asserted interests.” In addition, said the court, the state is afforded “considerable leeway in determining the appropriate means to further a legitimate government interest.” The plaintiffs argue that the state will be unable to demonstrate that first, the harms posed by BIAS providers are real; second, the Act mitigates that harm; and third, the Act is not unreasonably restrictive as compared to its purpose.
Turning to the void-for-vagueness claim, the plaintiffs argue that the Act is unconstitutionally vague in two respects. First, because the Act’s definition of “customer personal information” is expressly non-exhaustive (i.e., it “include[s] but [is] not limited to” certain enumerated categories of information), the plaintiffs contend that BIAS providers are left to guess what other types of information might require customers’ opt-in consent. Further muddying the BIAS providers’ determination of what information constitutes “customer personal information” and what does not (so they argue) is the Act’s requirement that BIAS providers allow customers to opt out of the use, sale, and disclosure of information that is not “customer personal information” but that “pertain[s] to a customer.” Although the Act provides no additional information as to what might constitute information that would be subject to the opt-out provision, the state argued in its brief to the court that the non-exhaustive nature of the definition of “customer personal information” reflects the need for the Act to be flexible and nimble in order to “remain relevant, promote fairness, and – above all – protect customer privacy as technology evolves.”
Second, the plaintiffs contend that the geographic scope of the Act is also unconstitutionally vague. The Act expressly applies to BIAS providers that are “operating within the State when providing [service] to customers that are physically located and billed for service received in the State,” which the plaintiffs’ argue is unclear as to whether it would apply to non-Maine residents who are billed for mobile broadband services that they use while visiting Maine, and therefore the Act deprives the providers of “fair warning” as to what the Act prohibits. The state argued in its opposition to the plaintiffs’ motion for judgment on the pleadings that the Act’s applicability provision should be read as applying to only BIAS providers that operate in the state and provide service to customers who are both “physically located in the State, and physically billed for those services within the State.”
With the July 7, 2020 court order behind them, the parties in the litigation are focused on conducting discovery. This stage of the litigation will give the state an opportunity to develop the factual record in support of its arguments that the Act is not an unconstitutional regulation of BIAS providers’ speech or impermissibly vague. It likewise will give the plaintiffs an opportunity to sharpen their case as to why the Act is so vague that it must be rendered unconstitutional.
In addition to what happens in the litigation, the way in which the Maine attorney general decides to go about enforcing the Act after August 1, 2020 will be instructive. Through its enforcement actions, the Maine attorney general may have an opportunity to justify and clarify some of the provisions in the Act that are in contention in the litigation.
The bottom line is that many questions about the Act remain unanswered, not the least of which is whether it will survive the current court challenge. Separately, another key question is whether other states will follow with similar legislation. As we continue to keep an eye on the Act and its enforcement, as well as the efforts of other state legislatures to regulate consumer privacy in this space, we will keep you posted on any significant developments.