Maine just passed a new privacy law, but it only applies to internet service providers (ISPs), not the content platforms themselves. Now privacy advocates worry it’s not enough to protect consumers.
“The problem is that the proposed law does not even cover the major internet entities where users spend 99 percent of their time online — namely Google, Facebook, Amazon, Apple, Microsoft, Netflix, or even the Chinese giants Tencent, Alibaba, and Baidu,” American Enterprise Institute (AEI) visiting tech scholar Roslyn Layton wrote for Forbes. “Instead it applies only to internet services providers (ISPs), which represent a small fraction of internet activity.”
The new privacy law requires ISPs to obtain customers’ explicit consent before they repurpose, share or sell customers’ personal data. The language of the law echoes the Obama administration’s Federal Communications Commission’s 2016 ISP privacy rules, which Congress repealed in March 2017.
The most common criticism of the 2016 FCC rules was that they didn’t differentiate between an ISP using sensitive vs. non-sensitive information. The Maine law does make this distinction, specifically banning ISPs from repurposing, sharing or selling sensitive data that can be used to personally identify a customer.
Layton said the law doesn’t make sense because the companies with unfettered access to sensitive data are the edge providers like Google, she argues, not the ISPs.
“Data brokers, online advertisers, health and financial companies — all of them would get a free pass under this proposed legislation for no policy reason anyone can discern,” she wrote.
Natasha Duarte, a policy analyst for the Center for Democracy & Technology (CDT), told InsideSources it is right to question why Maine didn’t include edge providers and other tech companies in this privacy law, but some privacy protections are better than none at all.
“Ideally everyone would have consistent privacy protections,” she said. “It doesn’t necessarily matter who has the information, people want to be protected. CDT certainly supports a federal privacy law that covers both ISPs and all other companies that collect personal information, online and offline.”
The Maine law itself, she said, is “pretty straightforward” and important because so many consumers don’t get to choose an ISP due to a concentrated broadband market. With edge providers and apps, there’s more choice.
“In some cases we may be able to make a choice about what apps we use and what email providers we use, but I don’t want to overstate how much those are our choice and often we don’t have privacy choices among those edge providers, but there are at least some options,” she said. “With ISPs, a lot of people have only one or two high-speed broadband providers in their area. They get access to a lot of very sensitive info, the websites we go to, our location, things like what we can be looking at which can reveal health information and sexual orientation. So it’s very sensitive information that needs to be protected.”
Internet access is also paramount for success in today’s economy, which puts consumers in a tricky position because ISPs require them to share personal data in order to receive internet access.
“We also cannot choose not to have them collect this information in the first place because in order to facilitate access to the internet they have to have access to certain info like our usage, our location, what services we’re using,” Duarte explained. “We also have limited options in terms of obscuring or limiting what info they collect about us. Customers don’t have any real bargaining power to change the terms of the contract but have to pay every month of they like the privacy practices of their ISP or not.”
But because edge providers are some of the prime offenders when it comes to sharing and selling consumers’ personal data, a law targeting ISPs may not really help consumers.
“Maine consumers certainly would be surprised to learn that it does nothing to protect them from search companies selling their browsing history, dating services allowing advertisers to target them based on their relationship history, or smart TVs listening to their conversations,” she wrote. “And they would be especially skeptical of legislative promises to take the issue up and fix the rest of the privacy problem sometime down the road.”
According to a press release from Maine Gov. Janet Mills, the law will take effect on July 1, 2020.
“I think the main takeaway is, asking people for permission before you repurpose and share their data is the bare minimum that people deserve from ISPs that they rely on and pay every month,” Duarte said. “We would like to see more restrictions on how data is used when it’s collected, but this is a good step forward in terms of protecting people.”