The Most Important Privacy Case You've Never Heard Of
from the pay-attention dept
One of the most important privacy cases you?ve never heard of is being litigated right now in a federal district court in Maine. ACA v. Frey is a challenge by the nation?s largest broadband Internet access providers to a Maine law that protects the privacy of the state’s broadband Internet users. If the broadband providers prevail, this case could eliminate sector-specific privacy laws across the nation, foreclose national privacy legislation, and have broad implications for broadband regulation generally.
In May 2019, the Maine legislature overwhelmingly passed LD 946, “An Act to Protect the Privacy of Online Consumer Information.” The law largely tracks the now-repealed FCC?s 2016 broadband privacy rules, requiring broadband providers to obtain customer consent before disclosing, selling or otherwise using customer personal information. When the Maine bill was being considered, broadband providers complained that the law didn’t apply to online companies like Google, Facebook, and Amazon. If everyone was treated the same, they claimed, they would support privacy legislation.
But the industry’s lawsuit shows that its true intent is to avoid privacy regulation of any kind. Instead, they claim that giving consumers any control over their own data violates the First Amendment rights of the broadband providers to market goods and services. The industry also claims that by targeting only broadband providers, and not edge providers or any other company, the law is based on their status as a “speaker” and should be subject to “strict scrutiny” under the First Amendment, which requires a law to be “narrowly tailored to serve a compelling state interest.”
The court should reject these arguments. Should it accept them, it would set the stage for overturning any and all sector-specific privacy laws as unconstitutional “speaker-based” violations of the First Amendment. If that were the case, then federal and state laws regulating the privacy practices of, among others, hospitals, financial institutions, pharmacies, credit reporting agencies, and libraries would all fall. Maine alone has nearly a dozen sector-specific laws. Now multiply that by 51.
The broadband industry argues that there?s no good reason to regulate it differently than any other company. But their claim that “no special characteristics of ISPs justify that distinction” doesn?t reflect reality. Broadband access providers do have “special characteristics” that other companies?including edge providers?do not.
As the FCC found in 2016, a broadband provider “sits at a privileged place in the network, the bottleneck between the customer and the rest of the network.” This gatekeeper position allows broadband providers to see every piece of digital information a customer sends and receives over the Internet while on the network, often including the content of the information. Broadband providers see every website a customer visits, every communication they make, every device they use and, in many cases, every location they have visited.
Despite Big Broadband?s breathless objections, the principles underlying Maine?s broadband privacy law are nothing new. Instead, the law fits within a longstanding tradition of state and federal laws that prohibit those that deliver messages of all kinds?whether paper or electronic?from disclosing any information relating to those packages; in other words, a duty of confidentiality. This “common law” covers everyone from the post office to the telephone company to a broadband provider.
The reasoning is simple: in order to receive service, customers must expose their personal information to those entities. Like the post office or a telephone company, broadband providers shouldn’t be allowed to unfairly exploit that information or reveal that information to others for profit. None of these laws violate the First Amendment. If this duty of confidentiality were found to be unconstitutional, all these laws, and those that protect lawyer/client, doctor/patient, and other fiduciary relationships would fall as well.
In any case, the core behavior prohibited by the statute?collecting and selling data?isn’t even speech. The First Amendment typically protects “expressive” activity?something meant to convey a message. Instead, the law regulates the commercial exchange of data. Just because the data could potentially transmit information does not make it expressive. My former colleagues at Public Knowledge said it best in a “friend of the court” brief supporting the State of Maine:
Selling a collection of data to be used as a tool to develop products, enhance a search engine or develop marketing strategies is no more “expressive” than selling inside information to enhance a stock trade or selling paper at a retail outlet. The customer data is not commercial speech “proposing a transaction,” it is the object of the transaction. [.?.?.?] No one has ever found that regulation of raw materials ? such as marble or paper ? that imposes incidental burdens on speakers as well as others raises First Amendment concerns.
While the broadband industry should lose this case, there are never any guarantees. A decision favoring the broadband industry would put every consumer privacy bill and law?including those seeking to regulate the data collection and data protection powers of big technology companies, retailers, banks, hotels, credit reporting agencies and others?at risk, whether or not they are sector specific. Worse, a broad ruling in favor of the industry’s First Amendment “rights” could put other regulations at risk, including net neutrality and other efforts to protect consumers and promote competition. While normally a federal district court case in the sparsely populated state of Maine wouldn?t raise much nationwide attention, ACA v. Frey should. The future of consumer privacy protections may depend on it.
Jeff Gary is a project manager at Georgetown Law, where he runs technology-focused educational and training programs for state attorneys general and researches digital advertising. Previously, he worked in congress, federal agencies, and civil society on privacy, content moderation, and data security policy. He is a graduate of Georgetown Law and holds an M.A. in sociology of religion from King’s College London.
Gigi Sohn is a Distinguished Fellow at the Georgetown Institute for Technology Law and Policy and a Benton Senior Fellow and Public Advocate. She served as Counselor to Former FCC Chairman from November 2013-December 2016. While at the FCC, she worked on the 2016 Broadband Privacy Rules. She testified before the Joint Committee on Energy, Utilities and Telecommunications of the Maine Legislature on April 24, 2019 in support of the LD 946, Maine?s Broadband Privacy Law.