Privacy legislation has advanced in Maine, where it has cleared the Senate following debate by the legislature’s Energy, Utilities and Technology committee and passed the House on May 29. This bill, titled “an Act to Protect the Privacy of Online Customer Information,” would regulate only Internet service providers (ISPs), leaving other entities that operate online regulated under the existing federal and state patchwork of privacy laws.

The principal feature of the bill is its prohibition on ISPs’ use, disclosure, sale, or permission of access to “customer personal information” without the customer’s opt-in consent, subject to several limited exceptions. ISPs also would be prohibited from refusing to serve customers, charging customers a penalty, or offering customers a discount based on the customers’ decision to provide or not provide consent to use, disclose, sell, or permit access to their personal information. The bill would apply to customers who are located in Maine and billed for service received while there.

The House added an amendment to the bill which would delay implementation until July 1, 2020. The amendment now needs to be accepted by the Senate for the bill to progress further.

The bill would capture a vast amount of information – including information that is not sensitive and is not even personal information. For instance, “customer personal information” is defined broadly and includes two categories: (1) “personally identifiable information about a customer, including but not limited to the customer’s name, billing information,” and similar identifying information, and (2) “information from a customer’s use of broadband Internet access service, including but not limited to” web browsing history, app usage, device identifiers, and other information generated by a customer’s use of the ISP’s services. The information in the second category is not required to be linked or even linkable to a specific individual, thereby prohibiting ISPs from using any information that a customer generates when using the ISP’s services, unless the customer provides express consent or an exception applies. Moreover, the bill would even allow customers to request in writing that ISPs not use, disclose, sell, or permit access even to information “that is not customer information.” It is not clear what the intent of this provision is, as it does not serve any privacy-related purpose.

ISPs would be able to use, disclose, sell, and permit access to customer personal information without consent as needed to provide the service from which the information is derived, advertise or market the ISP’s “communications-related services,” issue bills and collect payment for broadband services, protect users from “fraudulent, abuse or unlawful use of or subscription to” the broadband services, and for several other purposes. But these exceptions may prohibit ISPs from using or disclosing the information to improve their services or develop new products and services, to protect their networks from the full range of threats that they face, or to advertise services other than the underlying broadband Internet access service – such as Internet of Things offerings.

The bill’s focus on ISPs to the exclusion of other entities in the Internet ecosystem is a reminder of events in 2017, when state legislatures reacted to Congress’ repeal of the FCC’s broadband privacy rules by introducing bills to reinstate those rules in various forms. All of those ISP-only privacy bills failed, however, and today, both the states and Congress are focused on comprehensive privacy legislation that would provide uniform protection across the Internet. Nonetheless, the Maine bill has momentum, and because Democrats control both the legislature and the Governor’s mansion, the chances of its enactment appear to be high.