Maine’s ISP Privacy Law Does Not Violate the First Amendment, Much as ISPs Would Like for It To
Without many of us even realizing it, our use of the Internet reveals deeply private information about us, ranging from the contents of our communications to details about our finances, health, and exact location. This information — especially when aggregated — provides an intimate window into our personal lives and can reveal a great deal of personal, private information about us, like our health care needs and personal or political beliefs.
For each of us, there’s at least one entity that can see perfectly through that window: our “broadband information access service” provider, more commonly known as an Internet service provider or ISP. In order to even access the Internet, we must each rely on an ISP; our computers and phones have to connect to their networks before we can send and receive information online. As a result, they are uniquely positioned to collect, retain, and analyze troves of personal information about us.
Without regulation, they can use our personal information in any manner they please. As their track record shows, they often choose to use it in privacy-invasive ways, like creating extensive portfolios of their users’ online activity and injecting “super cookies” that allow third parties to track individual customers.
This perfect storm raises not only serious online privacy concerns, but free speech and information security concerns, too. Unwanted surveillance can chill us from speaking freely, deterring us from voicing unpopular or simply private opinions. Equally, access to personal information, should it end up in the wrong hands, could open us up to everything from personalized phishing emails to identity theft and bank account fraud.
In an effort to quell this storm and put some control back in consumers’ hands, Maine passed “An Act to Protect the Privacy of Online Customer Information.” That law requires ISPs to get approval from customers before selling or using their personal information — everything from social security numbers and billing information to details derived from Internet use, like browsing histories and app usage, precise geolocation, financial and health information, and even the contents of communications.
A group of ISPs are now challenging this privacy law, claiming that it infringes on their First Amendment rights by unconstitutionally restricting how they use or disclose customer personal information.
They’re right that this law regulates their speech: It governs the use and dissemination of information. But they’re wrong to call it unconstitutional.
As we explain in a friend-of-the-court brief we filed with the ACLU of Maine, the Electronic Frontier Foundation, and the Center for Democracy and Technology, Maine’s law regulates commercial speech, a category of speech that relates solely to the economic interests of the speaker and its audience. And the law satisfies the scrutiny that applies to regulations of commercial speech because it is narrowly drawn to advance the state’s interests in protecting consumer privacy, free expression, and security.
The law focuses on ISPs: entities that are uniquely positioned to see everything we do, say, and even think online. Consumers have no choice but to use ISPs if they want to access the Internet. And the law does not ban their use of customer information entirely; it simply requires consent from customers first. Since we have no control over whether that information — which relates entirely to our use of a commercial service — is created and shared in the first place, surely we should at the very least have some say in what ISPs can do with it. It speaks volumes about the intent of the ISP companies — and the money they make off the collection and use of private customer information — that they would rather file an expansive lawsuit than simply ask their customers for permission to use their information.
As an organization deeply committed to the protection of both free speech and data privacy, we take these issues seriously. Maine’s law gives us the power to say yes or no to the collection and use of our private information. It puts the decision about when ISPs can use and disclose customers’ personal information back where it belongs: in the hands of Internet users. Despite the ISPs’ insistence to the contrary, Maine’s law does not violate their speech rights, and in fact does a great deal of good in protecting consumers’ privacy rights. Other states are already looking to follow in Maine’s legislative footsteps by requiring customers’ approval before allowing ISPs to share or sell their personal data — as they should. Perhaps that is what is scaring the ISP companies the most.