Maine’s new privacy law means well, but goes wrong

Americans are concerned about how data related to their digital activity are being used — and legislators are taking notice. States around the nation are acting, many without appropriate reflection, to lavish new responsibilities upon consumers with little consideration for how their actions will change the nation’s digital landscape and the lives of their residents. Maine’s recently enacted “Act to Protect the Privacy of Online Consumer Information” is the latest misstep in that trend.

Signed into law on June 6, Maine’s act is more limited and more onerous than other digital privacy laws, such as the California Consumer Privacy Act, that have come before it. The scope of Maine’s law is limited to internet service providers (ISPs), such as Verizon or Charter, and thereby narrower than the CCPA in terms of applicability, but its requirements are more onerous. 

For example, for the first time nationally, it requires consumers to opt in rather than opt out of allowing their data to be sold to, distributed to, or accessed by third parties. That means, in Maine, ISPs will be required to seek affirmative consent from customers before selling personal information to third parties. 

The concept undergirding Maine’s law is similar to rules adopted by the Federal Communications Commission (FCC) in 2016, that subsequently were nullified, to require opt-in consent for the sharing or sale of certain sensitive information, such as financial and health information, by ISPs. But, Maine’s law goes further, not distinguishing between categories of information, requiring ISPs to gain opt-in consent to share or sell virtually any information. 

On its face, such a requirement may make sense. After all, consumers like the feeling of being in control. But, the trade-offs opt-in requirements present are significant not only for ISPs, but also consumers. That is because the information that consumers may casually restrict access to, particularly information used for advertising purposes, is fundamentally necessary to the ongoing operation of digital life as we know it. 

Ironically, consumers, concerned though they may be about privacy, tend to discount the value of privacy when confronted with an opportunity to obtain goods and services for less. Studies demonstrate that, when faced with a straightforward trade-off between paid access to a service and free alternative predicated on a more privacy-invasive approach, consumers opt for the free alternative. Which means that the reason privacy laws such as Maine’s are so popular is that they obscure the real-world price consequences of the restrictions they levy. 

Ultimately, that is what is most troubling about Maine’s approach — it mismatches consumer concern with an unrelated and likely harmful policy outcome. The “Act to Protect the Privacy of Online Consumer Information” hews to a perspective on consumer privacy that is, as a matter of practice, alien to most consumers. 

If policymakers at the state level wish to protect the digital privacy of their residents, there are some fundamental principles they should keep in mind. First, they should not conflate privacy with limits on data collection. Privacy harms stem from the inappropriate maintenance and use of data, not its mere collection. Second, privacy harms should always be at the center of the activity that policymakers seek to prevent. This means focusing on behavior that is unfair, misleading or otherwise likely to trigger a market failure. Third, and perhaps most importantly, state policymakers should avoid creating bespoke legal frameworks around fundamentally interstate activity. State-by-state regulation will lead firms to cut compliance costs by imposing conservative regulatory approaches on consumers. 

Maine’s attempt to protect the digital privacy of consumers, which will go into effect in 2020, overlooks that consumer privacy is not an end in itself, but rather one of many things that consumers value in the market. As a result, though it means well, the Pine Tree State’s consumers ultimately will be disappointed. 

Ian Adams is vice president of policy for TechFreedom, where his research focuses on the disruptive impact of technology on law and regulation. He also is a public policy attorney with the international law firm Orrick, Herrington & Sutcliffe. 

Law student Monica Carranza at American University, an intern at Techfreedom, contributed to this article.