Maine -- Governor Janet Mills signed the state’s tough new consumer privacy act into law June 6, requiring internet providers to obtain a consumer’s express consent before using, selling or distributing their personal information.
The law has been hailed by some as the strictest privacy law in the U.S., but technology and communications companies, including Verizon and AT&T, testified that it may be in violation of Federal Communications Commission regulations, the First Amendment, and the Interstate Commerce Clause.
LD 946, which takes effect July 1, 2020, will also prohibit a provider from refusing to serve a customer, charging a customer a penalty, or using discounts to reward or punish customer consent decisions. Legal challenges are a certainty.
[Editor’s Note: The law is silent on enforcement, with no mention of fines or direct actions. We are checking with the sponsor of the bill to see if regulations are forthcoming or whether other existing regs apply.]
According to The Press Herald, the law is modeled after an Obama-era FCC rule – later overturned by President Trump – barring ISPs from selling personal data. “The [Maine] law is unlike any in the nation, as it requires an ISP to obtain consent from a consumer before sharing any data,” The Press Herald reports. California requires businesses to disclose data collection-and-sharing practices with consumers, who have the right to request their data be deleted and to opt out of data programs.
The Maine bill is unique in that it attacks ISP pay-for-privacy schemes in which ISPs charge customers more – or offer discounts – based on the customer’s decision to allow their data to be sold to or accessed by third parties. Such schemes are just one example of how the adage, "if you’re not paying, you’re the product," applies to consumers, including those consumers outside Maine. Yet unlike the Maine bill, the California Consumer Privacy Act includes an exemption allowing pay-for-privacy incentives.
Nevada -- Six days after the Maine legislation became law, the Nevada legislature passed SB 220. Like California’s law, the Nevada law gives consumers opt-out rights. Not covered by the law, however, are financial institutions covered by the Gramm-Leach-Bliley Act, organizations subject to the Health Insurance Portability and Accountability Act (HIPAA), and certain automakers and auto repair services. Nevada residents do not get a private right of action, but the state’s attorney general may impose fines of $5,000 per violation or seek injunctive relief.
Nevada is yet another example of how disparate state privacy laws are presenting increasing challenges to firms with a national presence. For example, Nevada limits its definition of a “sale” of information to the exchange of covered information for monetary consideration, whereas California includes non-monetary consideration. And Nevada has fully exempted companies subject to GLBA and HIPAA, whereas California only exempts information collected pursuant to those laws without broadly exempting the institutions subject to them.
New York -- The state Senate Consumer Protection Committee is considering that state’s proposed law, the New York Privacy Act, S5642, which also would give consumers substantial control over the use of their personal data, such as the right to demand review, correction and/or deletion of their information. As was tried in California, but without success, the New York bill would give consumers authority to bring civil actions against companies. The tech industry immediately called the proposed law “unworkable.”