On July 7, 2020, the Maine Attorney General’s Office obtained a victory for consumers in the United States District Court for the District of Maine in the area of broadband privacy law. This ruling, which among other findings held that a Maine statute guarding consumers’ private data from internet service providers is not preempted by federal law, lays the groundwork for other states to potentially enact similar laws in an effort to protect consumers from service providers selling their personal data. Maine Attorney General Aaron Frey applauded the ruling by issuing a statement emphasizing that Maine “has a significant interest in protecting Mainers from practices which may place their personal data at risk.” Attorney General Frey further states that this ruling “is a huge victory for Maine consumers.”
The Maine statute, L.D. 946, “An Act to Protect the Privacy of Online Customer Information” prohibits broadband internet service providers in Maine from sharing a customer’s personal information without that customer’s permission. The law forbids service providers from disclosing, selling, or permitting access to personally identifying information about a customer, such as name, billing information, demographic data, or social security number. It also prevents disclosing a customer’s web browsing history, application usage history, specific geolocation information, financial information, and health information, among other things.
The major telecommunications trade associations challenged the statute based on preemption, First Amendment, and vagueness grounds.
The associations argued that the Maine statute impliedly conflicts with two areas of federal law dealing with internet privacy, thus making it “an unconstitutional exercise of the state’s power.” However, the Maine Attorney General’s Office prevailed on its arguments that Congress has explicitly left this area open to state regulation. Federal District Judge Lance Walker held that one of the areas the plaintiffs argued constituted a federal preemption, a 2017 Joint Resolution vacating the Federal Communications Commission’s (“FCC”) 2016 Internet Service Provider Privacy Order, merely disapproved of and nullified the Privacy Order, allowing the states to regulate in this space. The court declined to “read Congressional tea leaves when deciding whether federal action preempts state law.” Significantly, as privacy law is a traditionally state-regulated area, there is a particularly “strong presumption against implied federal preemption of state law.” Judge Walker also found that the Maine privacy law is not preempted by the FCC’s Restoring Internet Freedom Order, in which the FCC deferred to the Federal Trade Commission to regulate privacy disclosures. Judge Walker explained that the plaintiffs did not demonstrate that the FCC’s “abdication of authority” created any preemptive conflict.
The trade associations also argued that the privacy law violates the First Amendment because Maine does not have an adequate interest in regulating this area and because the law is not designed narrowly enough to allow speech. Judge Walker found that the privacy law regulates commercial speech, but the record was insufficient to decide in the associations’ favor. Finally, the trade associations argued that the privacy law is unconstitutionally vague, but Judge Walker found that they did not adequately demonstrate a danger of chilled speech.
We will monitor whether the telecommunications trade associations appeal this decision, of which they must provide notice within 30 days from the ruling.