Several internet service provider (ISP) industry groups have joined together in bringing suit against the state of Maine in response to its new privacy law, LD 946 “An Act To Protect the Privacy of Online Customer Information,” asserting that the new rules run afoul of their free speech rights and constitute discrimination against their industry. According to Maine’s Governor Janet Mills, the law, which is set to go into effect on the 1st of July, requires ISP’s to obtain customers’ opt-in consent before using, disclosing, selling or permitting access to customer personal information, and prohibits ISP’s from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access of their personal information.
Lawyers for the ISP’s contend that the new law violates their constitutional right to free expression. According to the lawsuit, the law impermissibly prevents “ISPs from advertising or marketing non-communications-related services to their customers; and prohibits ISPs from offering price discounts, rewards in loyalty programs, or other cost-saving benefits in exchange for a customer’s consent to use their personal information,” which violates the first amendment because it “excessively burdens ISPs’ beneficial, pro-consumer speech about a wide variety of subjects, with no offsetting privacy-protection benefits.”  The lawsuit also asserts that much of the data being restricted is neither sensitive in nature nor personally identifying.
The ISP’s further argue that the law is discriminatory because it targets only their industry subset, while “ignoring” other companies who are using or selling customer personal information in connection with services provided over the internet or through brick-and-mortar retail outlets. Absent any evidence or legislative findings that justify targeting ISP’s, they argue, Maine’s privacy law constitutes discrimination against similarly situated speakers forbidden by the first amendment. They also claim that the law is unconstitutionally vague, and is in any case preempted by federal legislation which repealed and prohibited ISP-specific federal privacy rules, and furthermore thwarts the ability of ISP’s to comply with several mandatory federal reporting requirements.
These arguments potentially raise colorable challenges to the efforts of state lawmakers to regulate privacy on a state-by-state basis. The United States Constitution’s guarantee of free speech offers a unique avenue for American companies to push back against the slew of new privacy laws being enacted by California (California Consumer Privacy Act – CCPA) and other U.S. states. In addition, the fact that Congress has declined to enact comprehensive federal privacy legislation – coupled with the Federal Communication Commission’s current posture that disclosure, competition, and federal oversight is the best way to regulate and promote internet consumer privacy – may weigh on the enforceability of the growing patchwork of state privacy laws in light of the supremacy of federal law. Will federal courts interpret these facts as limitations on the authority of each State to enact its own privacy laws?
State legislatures will likely be paying close attention to the outcome of this case. If the industry groups’ argument against ISP-specific legislation gains traction, that may support a trend towards more broadly-written privacy laws that aim to generally cover all personal data use rather than focusing on a specific industry sector. But in a larger sense, the industry groups’ assertion that federal laws and regulations substantially preempt state efforts to regulate online consumer privacy represents an important skirmish in the ongoing struggle over efforts to fill the void left by Congress’ decision to refrain from passing a comprehensive federal privacy law. Unless and until such a federal law is passed, federal court decisions are likely to set the tone for both the pervasiveness and scope of potential privacy laws produced by state legislatures across the country. If legal challenges to state laws are successful, the result could be a simplified and streamlined legal landscape instead of a menagerie of sector-specific privacy laws among the 50 states, which would certainly be far simpler for RIM professionals from a compliance perspective. If lawsuits like this one are not successful, we can expect to see a lot more privacy legislation and complexity on the horizon.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.