Maine’s new ISP privacy law and the enforcement conundrum
Maine’s new privacy law regarding broadband internet service providers, An Act To Protect the Privacy of Online Customer Information (LD 946, to be codified at 35-A M.R.S. c. 94), billed as the strictest in the nation, has gotten a lot of press. E.g., Gov. Mills signs nation’s strictest internet privacy protection bill, www.pressherald.com, June 6, 2019, Maine’s New Internet Privacy Law: What You Need to Know, www.natlawreview.com, June 14, 2019. Here’s our firm’s alert on the bill. Maine’s New Internet Privacy Law: What You Need to Know. As our alert and some news articles have noted, however, there’s no enforcement provision in the bill. So, setting aside whatever constitutional issues this new law might raise, what does the lack of an enforcement provision mean?
Let us ponder, understanding our general blogging caveat that we have engaged in about an hour of research, which is enough for me to raise questions, not to answer them. Here’s a menu of enforcement possibilities – and their potential problems:
- PUC enforcement. By plunking this into Title 35-A, perhaps the Legislature was saying here you go, PUC, this goes under your general enforcement powers. The problem with this argument is that nowhere in Title 35-A has the Legislation expressly given the PUC jurisdiction over ISPs. They aren’t public utilities, see 35-A M.R.S. 102(13). Section 103(2) references “certain other entities as specified in this Title” as subject to PUC regulation, but there’s no such specification of ISPs in any other section of Title 35-A. So the argument would have to be that this new statute bestowed that jurisdiction by implication – a position that the PUC generally hasn’t been keen to embrace – particularly when the area of telecommunications has been undergoing a deregulation process under Title 35-A, and now the PUC only governs the provider of last resort.
- Criminal penalties: This seems highly unlikely and probably unconstitutional. See U.S. v. Evans, 333 U.S. 483 (1948).
- Civil penalties: Such penalties would appear to present a due process problem similar to the criminal penalty context. When the Legislature wants civil penalties, it puts them in expressly – see, e.g. 12 M.R.S. § 8005, 25 M.R.S. § 2929.
- A private right of action: Interestingly, the legislative history of this bill shows that the enforcement issue was not simply forgotten. There was contemplation of an express provision providing for AG enforcement, but this would have prompted the dreaded fiscal note to be added to the bill, see An Act To Protect the Privacy of Online Customer Information, LD 946, LR 1031(04). If this rejection of an express provision regarding AG enforcement reflects a conscious decision by the Legislature not to provide for AG enforcement, does that mean the Legislature intended creating a private right of action – the Legislature avoided the expense of AG enforcement by allowing private actors to enforce and pay for the cost of litigation? Well, the Law Court is very, very loath to find that the Legislature has ever created a private cause of action unless it expressly says so. See, e.g., Wawenock, LLC v. DOT, 2018 ME 83; Charlton v. Town of Oxford, 2001 ME 104.
- A MUPTA claim. One firm has apparently opined that the provisions in the Act will be enforced by the AG under the Maine Unfair Trade Practices Act, 5 M.R.S. §§ 205-A et seq. It cites a statement by the AG’s office that it would vigorously enforce the statute (without saying how it would do so). Maine Governor Could Sign Bill Enacting Nation’s Strictest Data Privacy Law for Internet Providers, Ogletree.com, June 6, 2019. Others have also suggested that this is the right enforcement avenue. MUPTA can also be enforced by private parties, 5 M.R.S. § 213. But not so fast. Section 207 of MUTPA provides that “it is the intent of the Legislature that in construing this section” (which defines what conduct is unlawful under the Act), courts will be “guided” by the interpretations given by the FTC of the Federal Trade Commission Act, 15 U.S.C. § 45(a)(1). 5 M.R.S. § 207. A violation of the new Maine privacy act isn’t a violation of the FTCA. If the Legislature purposefully avoided a fiscal note AG enforcement provision in the new privacy act, is it reasonable to conclude that it meant the AG to enforce under MUTPA, which presumably would cost the same amount as if there were an express enforcement provision, particularly when the conduct doesn’t violate the FTCA, which is what section 207 seems to intend to prohibit?
- A negligence claim. Ok, then how about simply changing the common law so that a private plaintiff can cite the new statute as evidence of a tort? Well, first, that would mean no enforcement absent a private plaintiff being injured and so have standing to sue. This typically requires pecuniary or physical harm beyond emotional distress. Second, take a gander at Hudson v. S.D. Warren, 608 F. Supp. 477 (D. Me. 1985). Judge Carter rejects that reasoning, adopting the argument of now First Circuit Judge Kayatta, formerly of Pierce Atwood, representing the defendant. There, the plaintiff sought to establish a violation of the common law for negligence and invasion of privacy by citing statutes retaining the confidentiality of certain information. The district court rejected that position, saying that the federal court would not infer such an intent by the Maine Legislature, particularly given the Law Court’s rejection of implying the creation of private rights of action by the Legislature.
I have not perused the whole legislative history of the new statute. Perhaps it provides a clear answer to this question – although legislative history would never be persuasive, let alone dispositive, to strict constructionists should there any Justice Scalia followers involved in construing this law.
Perhaps litigation lies in the offing?