A coalition of trade groups representing internet service providers has filed a lawsuit challenging a Maine privacy law, arguing it singles out the industry for stringent new regulations.
The Act To Protect the Privacy of Online Customer Information, scheduled to go into effect on July 1, prohibits ISPs from using, disclosing, selling, or permitting access to customer personal information without customer consent. The law also prohibits ISPs from refusing to serve customers or charging a penalty to customers who do not consent to the use or sale of their personal data.
In 2017, Congress repealed a similar regulation passed by the Federal Communications Commission during President Barack Obama’s administration.
In February, four ISP trade groups, ACA Connects, CTIA, NCTA, and USTelecom, filed a challenge to the Maine law, saying it imposes privacy regulations on them but not on other internet-based companies such as Google, Facebook, Netflix, or Amazon.
The law “imposes no restrictions at all on the use, disclosure, or sale of customer personal information, whether sensitive or not, by the many other entities in the Internet ecosystem or traditional brick-and-mortar retailers,” the four trade groups say in their lawsuit.
The trade groups also argue the Maine law violates their First Amendment free speech rights to use customers’ personal data and to send marketing communications about non-broadband services to their customers.
The law “excessively burdens ISPs’ beneficial, pro-consumer speech about a wide variety of subjects, with no offsetting privacy-protection benefits,” the ISPs argue.
The law’s regulation only of ISPs “won’t give consumers the protection they want,” the trade groups said in a joint statement. “Maine’s approach of regulating the collection and use of data by internet service providers only, and not the practices of other companies, including the largest internet companies, data brokers, and others that collect, use, and monetize even more data than ISPs, leaves a gaping hole in the law, is unconstitutional, preempted by federal law, and should be struck down by the courts.”
However, supporters of the bill suggest the bill targets a group of companies with unique access to personal data, including web browsing histories.
“It’s no surprise to see ISPs lobbying against anything that reduces their ability to profit from consumer data,” said Harold Li, vice president at VPN provider ExpressVPN. “But even for them, it’s quite a stretch to frame it as an unconstitutional limitation on broadband companies’ speech, while riding on anti-big tech sentiments to divert our attention from their bad behavior.”
The ISPs’ complaint reminds Li of an argument telemarketers made against a national do not call list in the 1990s and early 2000s. “Consumers were annoyed by the proliferation of intrusive calls to their homes, but telemarketers argued that they gave them opportunities to hear about great deals and products,” he said. “Once the regulation passed, though, people signed up for the list in droves.”
The law attacks a problem that’s been happening for several years, added Paul Katzoff, CEO of WhiteCanyon Software, a cybersecurity software firm in Salt Lake City.
“ISPs have been selling customer browser history to advertising platforms,” he said. “The value to ISPs is so high, they’d probably provide your internet to you for free, in order to keep it.”
Online search histories are used to deliver targeted advertising that can be very effective, he added.
“If customers knew that ISPs were making money off of them, while they are paying for their service, there would be an uproar by users,” Katzoff added. “This closely held secret, and what they sell about each device, is a gold mine.”
But courts may be sympathetic to the ISPs’ argument that they are getting targeted, said Dennis Sawan, managing partner of Ohio law firm Sawan & Sawan.
“I can see a scenario wherein the court is concerned about the singling out of one industry over other similarly situated ones,” he said. “Oftentimes, a law of this nature can seem as if it is not sufficiently related to the evil it is seeking to prevent — but rather a targeted attack on one particular company or industry.”
The ISPs’ argument that their data practices aren’t causing consumer harm may resonate, he added. “If there is no proof of harm, a regulation cannot logically be related to preventing it — or so the argument goes.”
