What is Maine’s LD946? New Privacy Regulations

Maine’s LD946, a recently passed internet privacy law, seeks to give residents of Maine more control over the personal information they share online. Under LD946, internet service providers are prohibited from selling, sharing, or granting third party access to the personal data of their customers, unless given permission and approval by those customers. What’s more, LD946 also prohibits internet service providers from refusing to serve a customer based upon their refusal to consent to a website’s or online internet service’s data usage terms.

As opposed to Nevada’s SB-220 and the California Privacy Rights and Enforcement act of 2020, which allows consumers in these states to opt-out of having their personal information shared online, LD946 instead prohibits internet service providers from sharing the personal information of their customers unless they first opt-in. The law only regulates 80 broadband internet service providers within the state of Maine, and only applies to service providers serving customers who are both physically located and billed for services within the state.

What is considered personal information under LD946?

LD946 defines personal information broadly to include:

• Any form of personally identifiable information relating to a customer including their name, social security number, billing address, billing information.
• Any form of information derived from the customer’s use of broadband internet access services including browsing history, application usage history, geolocation information, information pertaining to a customer’s children, device identifiers such as IP addresses or international mobile equipment identity, as well as the specific contents of a customer’s communications.

How do Maine internet service providers comply with LD946?

LD946 contains 3 primary compliance requirements. These requirements include:

• Personal customer information- An internet service provider is prohibited from the use, sale, disclosure, or permission of access to a customer’s personal information, except in cases of exception as stated by law.
• Security-Internet service providers must implement reasonable security measures to protect the personal information of their customers from unauthorized use, access, or disclosure.
• Disclosures- Internet service providers are required to offer customers and consumers a clear, conspicuous, and non-deceptive notice on both their website and at the point of sale concerning the provider’s obligations and the rights of the consumer under the law.

In order to be in compliance with these 3 requirements, a business must adhere to the following steps:

• Internet service providers must provide notice of their obligation to customers and the rights of their customers in accordance with the law at both the point of sale and on their website.
• Internet service providers must seek prior opt-in consent before using, disclosing, granting access to, or selling a customer’s personal information. This consent may be revoked by the consumer at any time.
• Internet service providers must protect all forms of personal information as defined and dictated by the law.

Alternatively, there are also a variety of exceptions and exemptions to these 3 requirements. These exceptions and exemptions include:

• To provide the service from which the personal information in question is provided.
• To advertise an internet service provider’s communications-related services to customers.
• To comply with a lawful court order.
• To protect users from abusive, unlawful, or fraudulent use or subscription to such services.
• Certain geolocation services.

The goal of Maine’s LD-946 is to provide some level of protection against the illegal online dissemination of the personal information of Maine consumers. As of this writing, LD-946 does not outline specific fines or penalties in regards to the violation of the bill, or what governing body would enact such punishments. This in combination with the limited scope of internet service providers who must adhere to the bill has led to some public criticism of LD-946. To give an example of this, major social media platforms such as Twitter and Facebook are not included in the 80 broadband internet service providers who must follow LD-946, as these websites obviously conduct operations well outside of the state of Maine. Nevertheless, residents who reside within the state of Maine are one step closer to having their personal information protected when using websites and internet services.