A privacy bill was signed into law in Maine last year and is set to go into effect in July. That is—unless a group of ISP trade associations has something to say about it.
The new law would regulate the use, disclosure, and sale of customer information by broadband Internet service providers (“ISPs”). Most importantly, it requires ISPs to secure “opt-in” consent from their customers before using “personal information.” Personal information is given a broad definition, including personally identifying information (e.g., the customer’s name, SSN, and billing information) as well as information about the customer’s Internet use (e.g., the customer’s web browsing history, geolocation information, and health and financial information).
A group of four trade associations representing ISPs filed suit in federal court, raising vagueness and preemption arguments, but the meat of their challenge is that the law violates the First Amendment by unconstitutionally restricting the speech of its members. The plaintiffs argue that the law triggers First Amendment protections by limiting how ISPs use information. To support that argument, they cite to Sorrell v. IMS Health Inc., a 2011 case where the US Supreme Court struck down a Vermont statute that prohibited pharmacies from selling prescriber-identifying information and prohibited pharmaceutical manufacturers from using the same for marketing purposes. There, the Court held that “Speech in aid of pharmaceutical marketing, however, is a form of expression protected by the Free Speech Clause of the First Amendment.” In rendering its decision, the Court found that Vermont imposed unconstitutional speaker- and content-based restrictions—burdening the speech of only speakers whose messages with which it disagreed.
The plaintiffs challenging the Maine law argue that the statute is not narrowly tailored to accomplish its stated goal of protecting customer privacy—a requirement the law must satisfy to survive strict scrutiny (the level of judicial review the plaintiffs argue is demanded). In support of this, they argue that the law is both under-inclusive and over-inclusive. It is under-inclusive because it only targets ISPs. They argue that ISPs have increasingly limited information about customers when compared to entities like search engines and social media companies. Essentially, regulating ISPs while leaving Google and Facebook untouched makes no sense if your concern is protecting privacy of consumers. The plaintiffs argue that the law is over-inclusive because it establishes an opt-in regime, instead of simply allowing customers to opt-out of information sharing. The argument goes that because the law is under- and over-inclusive, it is not narrowly tailored to protect customer privacy and, as a matter of law, must be struck down as unconstitutional.
In the past, I would have lost a lot of money betting on the outcome of commercial speech cases so I won’t venture a guess as to the strength of the plaintiffs’ arguments. I will say this, though: First Amendment arguments have experienced a bit of success recently when it comes to challenging regulations. We’ve seen the arguments succeed in the context of credit card surcharge regulations (e.g., Expressions Hair Design v. Schneiderman). And recently, PayPal sued the Consumer Financial Protection Bureau to challenge certain disclosure regulations on First Amendment grounds. If courts continue to support the idea that the use of consumer data collected by companies triggers First Amendment protection, we could see a lot more of these types of challenges.