This post was authored by Avisha Sabaghian, CDT Summer Intern, pursuing a degree at Harvard Law School.
Today, every one of our clicks, scrolls, and keystrokes can be monitored (try for yourself), recorded, and monetized by data collectors and third parties, whether you know it or not. Even if your internet traffic is encrypted at the application layer (HTTPS), one of those third parties, your Internet Service Provider (ISP) can still see loads of information about what sites you visit and what you do online— and it can infer even more. In response to this reality, last year Maine passed LD 946, an “Act To Protect the Privacy of Online Customer Information.” Effective July 2020, the statute imposes an opt-in regime for the use, sale, or distribution of a customer’s personal information by ISPs, and an opt-out regime for ISP use of other customer information. The statute also prohibits price discrimination based on whether a customer consents to the use of their information.
In February, a group of ISPs filed suit to prevent the law from going into effect. Last May, CDT filed a brief, alongside ACLU and the Electronic Frontier Foundation, urging the court to rule in favor of Maine. In July, judge Lance Walker agreed that there are simply too many disputed facts to allow for a judgment at this early stage. The suit will now proceed to discovery and trial phases.
The ISPs first argued that the Maine legislation was preempted by federal law. Judge Walker rejected this argument while characterizing its reasoning as judicial astrology, an “attempt to divine the legislative heavens with an armillary sphere and palm reading.” The ISPs’ “shoot-the-moon” argument that the law violated their First Amendment rights fared no better. “Like Harold with a purple crayon,” noted the Judge, “[p]laintiffs have drawn themselves a steep mountain to climb.”
In addition, ISPs argued that their extensive data collection practices pose no real danger to consumer privacy. CDT has already written about why protections for broadband users are important, so we won’t spend much time on that in this post. Instead, we think a discussion of the larger implications of the ISPs’ argument is a useful approach for contextualizing this lawsuit within the larger tech policy debate.
Implications of ISP’s Argument
In 2016, the FCC put in place an opt-in requirement for ISPs’ use of customer data (after which Maine modeled its rules), as the first step in extending privacy protections to internet users. Although they did not address aggressive data collection by other third parties, CDT supported those modest requirements because they gave users at least some degree of control over how ISPs used their data. Unfortunately, the FCC rules were rolled back by Congress in 2017, leaving the states as the last defenders of broadband privacy. In response, states like Maine began crafting their own rules to protect citizens from ISPs’ privacy-invasive data practices. But technology regulation, like regulation writ large, must adhere to the scope and boundaries of government’s regulatory power. Discerning the exact contours of that power can be a difficult and contentious issue in these cases.
ACA Connects is no different. To begin, the ISPs argued—and amici agree—that their collection, processing, and use of information their customers send across their networks is a form of protected speech. The key question was whether Maine could regulate this speech in the way it did. To answer this question, Judge Walker had to decide what level of First Amendment scrutiny to apply to the law.
The ISPs argued that the burden on their speech should be assessed under the highest level of protection given by the First Amendment. In other words, they argued for the application of what is known as strict scrutiny. This is the same standard that would be applied, for example, if Maine banned all discussions of privacy in local news. It is a difficult, often insurmountable standard for the government to overcome (hence the famous, though not exactly accurate, epithet “strict in theory, but fatal in fact”). Fortunately, the recent order rejects the ISPs’ position and applies a less burdensome standard known as intermediate scrutiny, which has a less rigorous test for whether the government’s interests are strong enough to outweigh the commercial entities’ interests in speaking.
ISPs are uniquely situated to invade our privacy. Although they are not the only entities watching and collecting consumer data, they are positioned between users and the rest of the internet, giving them access to all the information crossing their networks. But unlike many other types of online services, we often have few (or zero) choices for internet access. Maine’s law, like the FCC’s former rules, is not a comprehensive solution, but it is one positive step toward better privacy protections online. As CDT has explained, the dizzying amount of information ISPs collect and infer about us can reveal everything from our online activities, like the health questions we search, to our offline habits, like when we go to sleep. Our limited choice makes controlling their ability to use and disclose our information especially important.
But ISPs are not alone in using the First Amendment in their fight against consumer privacy. Clearview AI, for example, is gearing up to mount the same First Amendment argument in response to lawsuits challenging the company’s use of people’s images without their consent. And courts’ acceptance of this argument will have grave consequences for the future of privacy. According to some estimates, only 22% of speech laws survive strict scrutiny, whereas 73% survive appellate review under intermediate scrutiny. To build on Judge Walker’s children’s book reference, consumers’ chance at privacy can range from cloudy to meatballs depending on whether strict or intermediate scrutiny is used.
CDT is excited about the recent order’s vindication of Maine’s privacy law and the district court’s ruling in favor of the Privacy Act. There is still more to come, but we take this order as a good omen for the future of Maine’s privacy law.