In the summer of 2019, the hotly contested privacy law “An Act to Protect the Privacy of Online Customer Information” passed in the state of Maine, closing the door on the common practice of internet service providers (ISPs) selling customer data for the profit of the company with no benefit – and often no knowledge – to the consumer. In a step toward maturity in internet privacy, the new law prohibits ISPs from using, selling, or granting access to most of the information generated by a customer’s use of the internet. Among the things protected by the act are web browsing history, application usage data, precise geolocation, device identifiers, IP addresses, personal information (including name and account information), and the actual content transmitted through the ISP. This is a huge step in the right direction!
Before an ISP may use, disclose, sell, or permit access to this information, it must obtain the customer’s “express, affirmative consent.” So, rather than allowing the longtime practice of forcing customers to expressly opt out of having their data utilized, the Act prohibits ISPs from utilizing customers’ data unless and until a customer gives explicit consent. In short, the ISP must become proactive rather than forcing the customer to be proactive about the use of their data.
In Maine, ISPs must provide customers a “clear, conspicuous and nondeceptive notice” of customer rights and the obligations that an ISP must meet in order to use the data, and the act also prohibits ISPs from refusing to serve customers who withhold consent. As part of the Act, ISPs are also required to take “reasonable measures” to protect customer data from theft or other types of data breaches.
A Good Start, and Some Pushback!
That all sounds great, so of course, a number of Maine-based ISPs claimed the Act violates their First Amendment rights to free speech. As the American Civil Liberties Union (ACLU) explains, “They’re right that this law regulates their speech: It governs the use and dissemination of information. But they’re wrong to call it unconstitutional.”
The ACLU continues, “The law focuses on ISPs: entities that are uniquely positioned to see everything we do, say, and even think online. Consumers have no choice but to use ISPs if they want to access the Internet. And the law does not ban their use of customer information entirely; it simply requires consent from customers first.” So, in conjunction with the Electronic Frontier Foundation and the Center for Democracy and Technology, the ACLU of Maine filed a brief with Aaron Frey, Attorney General of the State of Maine, to explain the case law and civil rights at play with regard to US and State of Maine law, and for now, the law agrees with the ACLU.
However, the challenges persist as ISP representatives complain that they are being singled out while search engines and social networks are being ignored. A spokesperson for the NCTA -- The Internet & Television Association said the group disagrees with the initial decision of the lawmakers and the courts, under the auspices of supporting “technology-neutral” rules about privacy.
“Consumers expect -- and deserve -- the same meaningful privacy protections across the internet,” the spokesperson stated. “Broadband providers are united in support of a comprehensive national privacy framework that puts consumers first and applies to all companies, including all those operating online, in a uniform and technology-neutral manner.”
So What Happens Next?
While this Maine law is the most progressive on the landscape of consumer rights and privacy, we should also beware that perhaps things have not gone far enough! For decades, large internet providers and companies have turned private customer data into some of the most valuable commodities in the history of business. It would be refreshing to see some of that sovereignty given back to the users! GoVanguard GRC Officer Jason Connor was skeptical about the subject, saying, “It would be really refreshing if this law had some teeth. Big data companies tend to see this sort of thing as a blip that gets rolled into the cost of doing business, so they pay a few fines and keep abusing their customers anyways. If there was a sort of on-going dividend or a permanent rolling payout for the use or abuse of customer data, they might actually start to respect our right to privacy.”
Of course, that sort of thing comes with its own new problems. How is customer data tracked? How is the profitable value of that data paid out? How frequently can it be paid? GoVanguard’s blockchain expert, Kurt Wuckert Jr, points out, “This is actually the perfect use for the bitcoin protocol. As a perfect store of timestamped custody and event data, and the ability to do instant payouts for essentially free, a Bitcoin SV MetaNet app could be programmed to automate all of this.”
Keep your eye on Maine. If the courts rule in favor of individual privacy, we could see a cascade of pro-privacy laws move across the country, which is a very exciting development!
At GoVanguard, we recommend a systematic approach to maintaining your privacy and information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties that follow them. In order to successfully navigate data security protocols, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place!
Reach out to us today and see how easy it is to take control of your privacy and keep your data secure.