Maine L.D. 946, An Act to Protect Privacy of Online Consumer Personal Information
Chairman Lawrence, Chairman Berry, members of the Joint Committee, my name is Gigi Sohn. I’m a Distinguished Fellow at the Georgetown Law Institute for Technology Law and Policy. Prior to that, I served as Counselor to former FCC Chairman Tom Wheeler, where I worked on the FCC’s 2016 Broadband Privacy Rules, upon which L.D. 946 is based.
I urge the Joint Committee and the legislature to pass L.D. 946 without delay. It is common sense legislation that would require broadband Internet access providers operating in the state to protect the privacy of their customers. L.D. 946 would ensure that broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs. And while the bill gives consumers control over how their data is used, it doesn’t prohibit broadband providers from using or sharing customer information, allowing them flexibility to innovate.
Broadband providers receive, store and use a vast amount of consumer information, including sensitive information. As the FCC found in 2016, a broadband provider “sits at a privileged place in the network, the bottleneck between the customer and the rest of the network….” This gatekeeper position allows them to see every packet that a consumer sends and receives over the Internet while on the network, including its contents. The FCC’s record showed that only three online companies have 3rd party tracking capabilities across more than 10 percent of the top one million websites, and none of those has access to more than approximately 25 percent of web pages. In contrast, a broadband provider sees 100 percent of a customers’ unencrypted Internet traffic.
Broadband providers also see all the encrypted traffic over their networks. Though they do not see the contents of these packets, they see when and how long a person is watching TV, visiting a website, turning on the lights, or using other devices. In addition, because broadband Internet access services are paid services, the broadband provider has the subscriber’s name, address, phone number and billing history. This gives them a uniquely detailed and comprehensive dossier on their customers.
L.D. 946 would give consumers control over this wealth of data and would place an affirmative duty on broadband companies to take reasonable measures to secure that data. The protections are more necessary now than when this Committee heard testimony on a similar bill, L.D. 1610, in May 2017. Then, broadband providers could make a colorable argument that the FCC still retained authority over their privacy practices under Section 222 of the Communications Act of 1934. But that argument dissolved on December 14, 2017, when the Trump FCC repealed the 2015 Open Internet Order and reversed its classification of broadband Internet access service as a telecommunications service under Title II of the Communications Act. In doing so, the FCC abdicated its responsibility to oversee the broadband market, including the privacy practices of broadband providers.
When the federal government abdicates its responsibility to protect consumers, the states must step in. Here’s an example of why state oversight of broadband privacy practices is so critical. This January, Vice Motherboard reported that AT&T, T-Mobile and Sprint sold customers’ precise geolocation data to data brokers, who then turned around and sold it to companies whose sole mission is to find a person who doesn’t want to be found, like domestic violence victims. Broadband providers never asked customers to consent to this sale and didn’t provide any opportunity to opt out. This, despite testimony from AT&T last year that they would not share customer information without consent.
What has been the federal government’s response to this report? The FCC has allegedly been “investigating” the matter for over a year. The Federal Trade Commission just sent what’s called a “6(b)” letter to broadband providers seeking details about their privacy policies, procedures and practices. Had the FCC’s privacy rules still been in place, the mobile broadband providers wouldn’t have been able to sell the precise geolocation data unless a consumer expressly opted-in to that sale. Of course, a consumer would be extremely unlikely to do so. Clear mandates, like those embodied in L.D. 946, protect consumers before they are harmed.
Broadband providers complain that if every state were to pass a similar law, they will be forced to comply with a “patchwork” of different consumer privacy protections, and that a federal framework would be preferable. I have little sympathy for an industry that was the driving force in convincing Congress to repeal the existing federal broadband privacy framework – the FCC’s 2016 rules – and then performed an encore by pushing the FCC to abdicate its oversight over broadband. In any event, companies comply with different state laws all the time – including tax laws, laws governing corporations, telecommunications laws and yes, privacy and consumer protection laws. The solution to the alleged “patchwork” problem is for the companies to comply with the highest level of privacy protection a state requires.
Many of the laws in this fearsome “patchwork” come from this body. Maine has been a national leader in protecting the privacy of its residents. It has passed laws protecting prescription data, health data, library records and data on victims of domestic violence. This legislature passed one of the most comprehensive statutes requiring law enforcement to get warrants for cellphone information, including the content of messages and location tracking data. I urge you to continue that leadership by passing LD 964. Thank you and I look forward to your questions.