Maine bans ISPs from selling customer data without consent

A new law protecting consumer data is perhaps the strongest such privacy measure to be passed by a state.
Maine Gov. Janet Mills
Maine Gov. Janet Mills (Wikimedia Commons)

Maine Gov. Janet Mills on Thursday signed legislation that prohibits internet service providers from selling customer data to third parties without their explicit permission.

Under the new law, traditional ISPs and mobile carriers will have to seek their customers’ direct consent to “use, disclose, sell or permit access to” their personal information. The law’s definition of personal information is expansive, including precise geolocations, browsing histories, application usage, financial and health records, internet protocol addresses and device types, along with more common types of information like names, billing information, dates of birth and Social Security numbers.

“Maine people value their privacy, online and off,” Mills said in a press release after signing the bill. “With this common-sense law, Maine people can access the internet with the knowledge and comfort that their personal information cannot be bought or sold by their ISPs without their express approval.”

The law is meant to restore to Maine residents a rule adopted in October 2016 by the Federal Communications Commission that would’ve required ISPs nationwide to seek their customers’ consent before selling their personal information. The FCC rule was undone in April 2017 after President Trump signed legislation repealing it passed by the Republican-majority Congress on a party-line vote.


Privacy advocates in Maine have applauded the state’s new measure.

“The Maine legislature did what the United States Congress has thus far failed to do and voted to put consumer privacy before corporate profits,” Oamshri Amarasingham of the American Civil Liberties Union of Maine said last week after the Maine Senate passed the bill unanimously. “Lest we forget, internet providers work for us. We pay them – a lot – for their services, and it is outrageous that they would turn around and sell our most private information without our consent.”

The bill was opposed heavily by the Maine State Chamber of Commerce, which argued the legislation singled out ISPs while not also targeting major technology companies — like Facebook or Google — that routinely harvest consumer data.

Maine’s new law could be the strongest internet-privacy measure implemented by a state when it takes effect July 1, 2020. Similar legislation in other states puts the onus on the individual to opt out, rather than companies opting out all of their customers by default. The California Consumer Privacy Act, for instance, will allow residents to opt out of businesses’ buying and selling of their personal information when it takes effect next January. A recently enacted law in Vermont requires companies that buy and sell user data to register with the state as “data brokers” and give their customers there the right to be excluded from those transactions.

Nevada and Minnesota have also enacted laws that require ISPs to keep their customers’ information private without consent, though they are not as sweeping as Maine’s new statute. And more privacy laws are under consideration. Along with Maine, 13 other states and the District of Columbia have considered legislation this year that would crack down on what ISPs can do with their customers’ records, according to the National Council of State Legislatures.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts