The US state of Maine is violating internet broadband providers’ free speech by forcing them to ask for their customers’ permission to sell their browser history, according to a new lawsuit.
The case was brought this month by four telco industry groups in response to a new state-level law aimed at providing Maine residents with privacy protections killed at the federal level by the FCC just days before they were due to take effect.
ACA Connects, CTIA, NCTA and USTelecom are collectively suing [PDF] Maine’s attorney general Aaron Frey, and the chair and commissioners of Maine’s Public Utilities Commission claiming that the statute, passed in June 2019, “imposes unprecedented and unduly burdensome restrictions on ISPs’, and only ISPs’, protected speech.”
How so? Because it includes “restrictions on how ISPs communicate with their own customers that are not remotely tailored to protecting consumer privacy.” The lawsuit even explains that there is a “proper way to protect consumer privacy” – and that’s the way the FCC does it, through “technology-neutral, uniform regulation.” Although that regulation is actually the lack of regulation.
If you’re still having a hard time understanding how requiring companies to get their customers’ permission before they sell their personal data infringes the First Amendment, the lawsuit has more details.
It “(1) requires ISPs to secure ‘opt-in’ consent from their customers before using information that is not sensitive in nature or even personally identifying; (2) imposes an opt-out consent obligation on using data that are by definition not customer personal information; (3) limits ISPs from advertising or marketing non-communications-related services to their customers; and (4) prohibits ISPs from offering price discounts, rewards in loyalty programs, or other cost saving benefits in exchange for a customer’s consent to use their personal information.”
All of this results in an “excessive burden” on ISPs, they claim, especially because not everyone else had to do the same. The new statute includes “no restrictions at all on the use, disclosure, or sale of customer personal information, whether sensitive or not, by the many other entities in the Internet ecosystem or traditional brick-and-mortar retailers,” the lawsuit complains.
This is discrimination, they argue. “Maine cannot discriminate against a subset of companies that collect and use consumer data by attempting to regulate just that subset and not others, especially given the absence of any legislative findings or other evidentiary support that would justify targeting ISPs alone.”
We’ll leave the idea that customers are suffering by not receiving marketing materials from companies that ISPs sell their data to alone for now and focus on the core issue: that if Google and Facebook are allowed to sell their users’ personal data then ISPs feel they should be allowed to as well.
Which is a fair point, although profoundly depressing in a broader context. The basic argument appears to be that we should only provide the minimum protections that are available. Nothing above minimum is legal.
If you look at what the statute actually does, it was clearly written in users’ own interests. It prevents companies from refusing to serve customers that do not agree to allow it to collect and sell their personal data and it requires ISPs to take “reasonable measures” to protect that data. Those companies are still allowed to use the data to market their own products; just not to sell it to others to sell theirs.
But because the ISPs successfully managed to get the FCC to kill off its own rules on similar protections, it argues that the scrapping of rules is the legal precedent here. “The Statute is preempted by federal law because it directly conflicts with and deliberately thwarts federal determinations about the proper way to protect consumer privacy,” the lawsuit argues.
The solution of course is federal privacy protections. But despite overwhelming public support for just such a law, the same ISPs and telcos fighting this law in Maine, have flooded Washington DC with lobbying money and campaign contributions to make sure that it doesn’t progress through Congress. And if this Maine challenge is successful, next in the ISPs’ sites will be California’s new privacy laws.