Another State Passes Law to Protect Consumer Data

data breach concept. internet compute privacy compromised. unsecured network and data transfer. hacker hacked in to the system. cyber crime. Red binary code background with open black padlock icon.
By Eric Sinrod on June 11, 2019 5:58 AM

FindLaw columnist Eric Sinrod writes regularly in this section on legal developments surrounding technology and the internet.

States are taking online consumer protection into their own hands given a perceived lack of sufficient protection at the federal level. Maine now has jumped in.

Indeed, Janet Mills, the Governor of Maine, just signed into law arguably one of the strongest privacy bills in the country. This law, called the Act to Protect the Privacy of Online Consumer Information and which goes into effect on July 1, prohibits internet service providers from using, selling, or distributing data from consumers without obtaining their consent. And, according to The Hill, this new state law bars internet service providers from refusing to serve consumers, penalizing consumers or offering them discounts to seek to gain their permission to sell their data.

Consumer Affairs and Privacy

This bold step by Maine follows in the footsteps of California, a state which passed a complicated online privacy law last year. That law has been both applauded by privacy activists and criticized in certain respects by the tech industry.

At first blush, the new Maine law may be even more robust than the California law. The Maine law is opt-in in nature, requiring explicit consent from consumers before internet service providers can sell their data. The California law is opt-out in effect, making consumers affirmatively request that their data not be sold.

So, what is the genesis of the Maine law? It seems patterned after a prior Federal Communications measure -- a measure that was removed by the Trump administration in 2017. Perhaps it is because of this nullification that states are entering the fray to seek greater consumer protection.

This is reminiscent of when states passed laws dealing unsolicited commercial email before Congress enacted the Can-Spam Act at the federal level. It also is a reminder of the various state laws addressing data breach notifications.

Legislative Patchwork and Protection

The creation of a patchwork of different state laws is not necessarily ideal. It is difficult for internet service providers to know how to guide their practices, when their customers are located in various states with different laws.

When in doubt, in such a context, internet service providers arguably would be best served by honoring the dictates of the state with the most strict law on the books -- to make sure that they are not violating any law. If they are complying with the strictest law, they then also should in compliance with more permissive laws in other states. (Internet service providers obviously should seek specific legal advice from skilled counsel).

A strict law in just one state, even a small state like Maine, can have a major impact when the federal government creates a void.

Eric Sinrod (@EricSinrod on Twitter) is a partner in the San Francisco office of Duane Morris LLP, where he focuses on litigation matters of various types, including information technology and intellectual property disputes. You can read his professional biography here. To receive a weekly email link to Mr. Sinrod's columns, please email him at ejsinrod@duanemorris.com with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

Related Resources: