On July 1, 2020, Maine will become one more state that is regulating online data. But, unlike California’s and Nevada’s new legislation, the Maine privacy law—“An Act to Protect the Privacy of Online Customer Information”—focuses entirely on user data collected by Internet Service Providers (ISPs).
Signed by the governor in June, LD 946 says that ISPs “may not use, disclose, sell, or permit access to customer personal information,” unless the customer gives “express, affirmative consent.” The consent can be revoked at any time, the ISP cannot refuse service if consent is not given, and there can be no penalty or discount related to consent.
While sharing or selling personal information requires consent, sharing or selling nonpersonal information is fine, unless the customer notifies the ISP in writing against doing so. Although the law doesn’t specify, the implication is that nonpersonal information can be data such as average transmission speeds in a neighborhood or customer loads at certain times of day. ISPs can use personal or nonpersonal information to fulfill their own service obligation to the customer, without explicit consent.
Personal information includes the customer’s name, billing info, Social Security number, demographic data, web browsing and application usage history, geolocation info, financial and health data, info relating to the customer’s children, device identifiers, the origin and destination of IP addresses, and the content of the customer’s communications.
‘Knows when we’re asleep’
For state Senator Shenna Bellows, sponsor of LD 946, the ISPs collect enough information to rival Santa Claus.
“Our ISPs know when we’re sleeping, they know when we’re awake,” she testified before the state legislature. “They may know more about us than we know about ourselves.”
Access to the wired and wireless internet is “not optional,” she noted, given how important it has become for paying bills, communicating with health providers, email, texting, playing music, and managing our homes. Because of these essential uses, she said, interacting with an ISP is not optional.
The reason for the new law comes down to one question, Bellows said: “Should ISPs be able to sell or share everything that they know about you—including your most private and sensitive personal information—without your consent?”
Her answer is no.
Bellows compared the data sent over the internet to conversations one has over landline phones. She said the phone company would never say to a customer, “your conversation belongs to me and I can use everything you say in any way I want, including profiting from it.”
But, she added, none of the data or communications held by ISPs were private before LD 946.
The new Maine privacy law reinstates consumer protection that the Federal Communications Commission had adopted in 2016. Those rules, which required consumer consent before using or sharing personal data, had not yet gone into effect when they were overturned by new regulations signed by President Trump in April 2017.
LD946 is “heavily based on those FCC ISP privacy rules,” Emory Roane, Policy Counsel for Privacy Rights Clearinghouse, told RampUp via email. “States are picking up the slack left by the federal government and innovating in privacy protections,” he added, “acting like laboratories of democracy, as they are intended.”
Data ‘doesn’t stop at the border’
It’s not a question of privacy, NCTA Counsel and Gibson, Dunn & Crutch Attorney Helgi Walker told RampUp. NCTA (the Internet & Television Association, formerly the National Cable & Telecommunications Association) is the principal trade group for U.S. broadband and pay television industries, representing over 90% of the U.S. cable market. Its member companies include Charter Communications (Spectrum), one of the largest Internet providers in Maine.
“The NCTA and its members support the privacy of its customers,” she said, “but this goes about it wrong.” The correct solution is a national law, she said, not different rules in different states.
“Online data doesn’t stop at the border of any state,” Walker pointed out.
The law, however, does not purport to cover all online data, and Bellows makes the point in her testimony that other legislation could be warranted. The purpose of the Maine privacy law is to protect Maine residents, whose residences do stop at the border.
Although a variety of major tech companies and the Interactive Advertising Bureau, among others, have urged Congress to get busy enacting a federal law to replace state laws, that possibility is still a work-in-progress.
“It would be great to see a more generalized consumer privacy law in Maine,” Roane said, “or a federal consumer privacy law that sets a floor for Maine to improve upon.” Unlike the California law or the European Union’s General Data Privacy Regulation (GDPR), he noted, Maine’s law is entirely a “notice and consent” type, where providers essentially have carte blanche once consent is given.
In the absence of a federal law, the key question is the impact of a state law like Maine’s.
Rate of consent
To answer that question, it’s first necessary to consider the degree to which Mainers’ personal ISP data will become unavailable due to lack of customer consent.
Since it has not been implemented, it’s not yet possible to know definitively how many Maine residents will grant consent. But there are some indications.
ISPs have many touch points to present consent options, including monthly bills and, potentially, every time someone uses their ISP’s service to go online.
And there are a variety of indications of very high levels of consent from users under the GDPR, a much more rigorous set of online privacy rules for any company providing online content or services to EU citizens. Among other things, GDPR requires consent for specific kinds of data uses—a more stringent requirement than Maine’s.
Even with GDPR, the consent rates appear to be high. About two months after GDPR went into effect in May 2018, digital media company Purch said it was seeing user consent rates for its publishing and performance marketing platform of about 70%.
Fidzup, an adtech firm that had to make changes after being cited by GDPR authorities for compliance violations, reported a 70% opt-in rate.
And from its Privacy Manager implementations, LiveRamp has seen average opt-in rates of 95% for brands and publishers that take the time to create a bespoke, authentic consent management experience.
Given these stats, plus the fact that consent under the Maine privacy law will be much simpler to explain and obtain than under GDPR, it is reasonable to assume that consent rates will be high—possibly even nearly universal. If this is the case, the impact on marketers and ISPs will likely be negligible, since ISPs will be able to continue selling or sharing this data.
If there will be less customer data making its way from ISPs to data providers because of lack of consent, marketers like Dirigo CEO David Addison of Portland, Maine, have mixed feelings.
As a marketer, he said, he likes the way it has been. The Maine ISPs sell their data to providers like Experian Hitwise, he said, which allows him to target Google ads to aggregated, anonymous segments of users—not individuals—by age, gender, zip code, interests, and so on.
Those segments, he said, might be affluent suburban areas or groups of users whose demographics resemble the top visitors to LL Bean’s website. Dirigo doesn’t deal directly with ISPs, but with a data provider like Hitwise, which he described as “extremely helpful, but expensive.” About 10% of his company’s business is inside the state.
As a marketer, he said he opposes the “misuse of personal data,” the idea of using data for individual profiles without permission or the use of the data to sway opinions on public issues.
As a consumer, Addison acknowledged he doesn’t like the idea of his personal info being sold or shared, such as through his ISP, Time Warner.
Even if consent rates will be low, he noted that it’s not clear whether Hitwise’s data for Maine users will become less accurate, given that the data provider has access to many other sources.
No complaints yet
Similarly, Tom Gale, CEO of branding agency Ethos Marketing and marketing agency Vont, both in Westbrook, Maine, told RampUp he isn’t sure what part of the data he uses comes from ISPs.
His agency employs “a number of data sources,” he said, for programmatic targeting of display ads. Even if the ISP data begins to dry up because of lack of consent, he is “fairly confident we’ll have the data we need from other sources.”
Gale said he was “surprised” that the new privacy law only targets ISPs, although he acknowledged ISPs are not really a choice for consumers the way going to a particular website is, since the need for Internet service is so widespread.
To date, he said, he is not hearing any complaints or other buzz from marketers about the new law.