LD 946
PUBLIC Law, Chapter 216

129th Maine Legislature

An Act To Protect the Privacy of Online Customer Information

Be it enacted by the People of the State of Maine as follows:

Sec. 1. 35-A MRSA c. 94 is enacted to read:



§ 9301 Privacy of broadband Internet access service customer personal information

1. Definitions. As used in this section, unless the context otherwise indicates, the following terms have the following meanings.
A. "Broadband Internet access service" means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service.
B. "Customer" means an applicant for or a current or former subscriber of broadband Internet access service.
C. "Customer personal information" means:

(1) Personally identifying information about a customer, including but not limited to the customer's name, billing information, social security number, billing address and demographic data; and

(2) Information from a customer's use of broadband Internet access service, including but not limited to:

(a) The customer's web browsing history;

(b) The customer's application usage history;

(c) The customer's precise geolocation information;

(d) The customer's financial information;

(e) The customer's health information;

(f) Information pertaining to the customer's children;

(g) The customer's device identifier, such as a media access control address, international mobile equipment identity or Internet protocol address;

(h) The content of the customer's communications; and

(i) The origin and destination Internet protocol addresses.

D. "Provider" means a person who provides broadband Internet access service.
2. Privacy of customer personal information. A provider may not use, disclose, sell or permit access to customer personal information, except as provided in subsections 3 and 4, Title 16, chapter 3, subchapters 10 and 11 and 18 United States Code, Section 2703.
3. Customer consent exception. Consent of a customer is governed by this subsection.
A. A provider may use, disclose, sell or permit access to a customer's customer personal information if the customer gives the provider express, affirmative consent to such use, disclosure, sale or access. A customer may revoke the customer's consent under this paragraph at any time.
B. A provider may not:

(1) Refuse to serve a customer who does not provide consent under paragraph A; or

(2) Charge a customer a penalty or offer a customer a discount based on the customer's decision to provide or not provide consent under paragraph A.

C. A provider may use, disclose, sell or permit access to information the provider collects pertaining to a customer that is not customer personal information, except upon written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell or permit access to that information.
4. Other exceptions. Notwithstanding the provisions of subsections 2 and 3, a provider may collect, retain, use, disclose, sell and permit access to customer personal information without customer approval:
A. For the purpose of providing the service from which such information is derived or for the services necessary to the provision of such service;
B. To advertise or market the provider's communications-related services to the customer;
C. To comply with a lawful court order;
D. To initiate, render, bill for and collect payment for broadband Internet access service;
E. To protect users of the provider's or other providers' services from fraudulent, abusive or unlawful use of or subscription to such services; and
F. To provide geolocation information concerning the customer:

(1) For the purpose of responding to a customer's call for emergency services, to a public safety answering point; a provider of emergency medical or emergency dispatch services; a public safety, fire service or law enforcement official; or a hospital emergency or trauma care facility; or

(2) To a provider of information or database management services solely for the purpose of assisting in the delivery of emergency services in response to an emergency.

5. Security of customer personal information. A provider shall take reasonable measures to protect customer personal information from unauthorized use, disclosure or access.
A. In implementing security measures required by this subsection, a provider shall take into account each of the following factors:

(1) The nature and scope of the provider's activities;

(2) The sensitivity of the data the provider collects;

(3) The size of the provider; and

(4) The technical feasibility of the security measures.

B. A provider may employ any lawful measure that allows the provider to comply with the requirements of this subsection.
6. Notice required. A provider shall provide to each of the provider's customers a clear, conspicuous and nondeceptive notice at the point of sale and on the provider's publicly accessible website of the provider's obligations and a customer's rights under this section.
7. Applicability. The requirements of this section apply to providers operating within the State when providing broadband Internet access service to customers that are physically located and billed for service received in the State.

Sec. 2. Effective date. This Act takes effect July 1, 2020.

Effective 90 days following adjournment of the 129th Legislature, First Regular Session, unless otherwise indicated.
