The Maine privacy law (LD 946), an act to protect the privacy of online consumer information, requires Internet service providers to obtain consent before being allowed to use, disclose or provide access to customer information. This guide is for anyone interested in learning more about this law and their rights under it. This Guide will teach you the following:
- Who the law applies to;
- The law’s definition of personal information;
- The opt-in consent requirement;
- Exceptions to the law; and
- The security and notice requirements.
Table of Contents
Who does this law apply to?
The Maine privacy law applies to providers of Internet access services. Internet access services are defined as “mass-market retail service by wire or radio that provides the capability to transmit or receive data from all Internet endpoints.” In other words, the provider of your Internet. Examples of providers would include companies such as Comcast and AT&T.
This law protects the privacy of customers, which include applicants for service, current subscribers and former subscribers. Finally, LD 946 covers Internet providers in Maine when they provide Internet services to customers that are located in and billed for service received in Maine.
What information does this privacy law protect?
Maine’s LD 946 protects personally identifiable information about a consumer, which includes but is not limited to the following types of information:
- Name;
- Billing information;
- Social security number;
- Billing address; and
- Demographic data.
It also protects the information gained from a customer’s use of the Internet service, including the following examples:
- Web browsing history;
- Application usage history;
- Precise geolocation information;
- Financial information;
- Health information;
- Information pertaining to the customer’s kids;
- Customer’s device identifier (such as IP address);
- Content of the customer’s communications; and
- Origin and destination IP address.
Opt-in consent requirement
The Maine privacy law prohibits the use, disclosure, sale or the provision of access to customer personal information by Internet service providers unless an exception applies. What is interesting about this provision is that it is similar to GDPR where data use is prohibited without an exception. However, Maine’s privacy law still allows for the collection of this information without consent.
Consent exception
A provider may use, disclose, sell or permit access to the customer’s personal information if the customer provides consent for such actions. A customer has the ability to withdraw this consent at any time.
A provider is also not allowed to take the following actions:
- Refuse service to a customer who does not provide his or her consent;
- Charge a customer a penalty for not providing consent; or
- Give the customer a discount if he or she agrees to provide consent.
A provider may use, disclose, sell or permit access to information about a customer that is not personal information, unless the customer provides written notice that he or she does not permit the Internet provider to use, disclose, sell or permit access to this information.
Furthermore, an internet provider may collect, retain, use, disclose, sell and permit access to customer information without customer consent in the following situations:
- To provide the Internet service;
- To advertise or market the provider’s related services to the customer;
- To comply with a lawful court order;
- To bill and collect payment for the service;
- To protect other customers or services from fraud, abuse, or unlawful use of the services;
- To provide geolocation information of the customer to:
- Emergency or law enforcement services;
- Customer’s legal guardian or immediate family member in an emergency situation that involves risk of death or serious physical harm;
- A provider of information or database management services for the purpose of assisting in emergency response.
Security requirements
The law also requires Internet providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure or access. The following factors need to be taken into account when implementing security measures:
- The nature and scope of the Internet provider’s activities;
- Sensitivity of the personal information;
- Size of the provider; and
- Technical feasibility of security measures.
Notice requirements
The Internet provider must provide notice at the point of sale and on the provider’s website of the provider’s obligations and a customer’s rights under this privacy law. The notice must be:
- Clear;
- Conspicuous; and
- Non-deceptive.
It is clear that Internet service providers have an obligation to respect the privacy of their consumers. If you are a business owner with a website and are wondering what your privacy compliance requirements are, read our blog post on what laws require websites to have a Privacy Policy.
