Internet service providers gobble up a disconcerting amount of information about you—your browsing history, your geolocation information, your financial information, and a lot (a lot) more. There have been many attempts to pass state-level bills that prevent ISPs from selling this type of data—since Republicans in Congress eliminated federal protections in 2017—but nearly all of them have failed, which makes the passage of a bill in Maine a significant milestone for privacy advocates.
The Maine Senate voted unanimously in favor of the bill, LD 946, which requires ISPs to get consent from customers before they can use, disclose, sell or permit access to their personal information, with only a few exceptions. Having already passed the Maine House in a 96-45 vote, the bill now goes to Governor Janet Mills for her signature.
According to the legislation, this personal information includes a customer’s name, billing information, Social Security number, demographic data, web browsing and app usage history, precise geolocation information, financial information, health information, and information on their children. And that’s not an exhaustive list of the personally identifying information, or PII, that ISPs need consent to hand over to a third party.
The bill also states that ISPs can’t penalize customers who don’t give them this consent: providers are prohibited from refusing to serve a customer or charging them a penalty for withholding it. Conversely, a provider is also not allowed to try to entice a customer with a discount in return for their consent, according to the bill.
There are a few instances in which a provider can disclose a customer’s data without their consent—when it’s required to provide a service, to advertise its own communications services to the customer, to comply with a court order, to manage payments for their service, and to protect a user from misconduct involving the use of their services. What’s more, the bill states that ISPs can disclose a customer’s geolocation information if they are responding to a call for emergency services, whether that’s from the customer, an emergency responder, a law enforcement official, or a legal guardian. This also applies to a data management service, but only when it is helping in an emergency situation.
As mentioned, this type of bill—one that protects the intimate data of those paying for internet services—has been drafted in a number of states across the country with no success. California did pass a similar bill last year, but overall these attempts have been largely quashed, affording ISPs sweeping power to do with their customers’ personal information what they please. “Taken together, this data could paint an intimate picture of a person’s religion, medical conditions, and even their hobbies,” ACLU Maine wrote in a blog post, adding that the data providers collect “is increasingly being used by advertisers to discriminate against certain communities.”
Once enacted into law, Maine’s rules will change that, putting some power back into consumers’ hands, with language in the bill that also prevents providers from both disciplining those who don’t consent and favoring those who do. It’s more important now than ever for states to take the issue into their own hands, seeing as two years ago, Congress effectively overturned broadband privacy rules adopted under the Obama administration that would have required ISPs to get consumer consent before sharing their web browsing history and other personal information with outside parties.
Hopefully, Maine’s bill sets a precedent for other states to follow suit and show a real commitment to the idea that privacy isn’t a privilege, but a basic right.