EFF to Court: Broadband Privacy Law Passes First Amendment Muster

When it comes to surveillance of our online lives, Internet service providers (ISPs) are some of the worst offenders. Last year, the state of Maine passed a law targeted at the harms ISPs do to their customers when they use and sell their personal information. Now that law is under attack from a group of ISPs who claim it violates their First Amendment rights. The lawsuit raises a number of issues—including free speech and data privacy—that are crucial to maintaining an open Internet. So EFF filed an amicus brief arguing that Maine’s law does not violate the First Amendment. The brief explains that the law’s requirement that ISPs obtain their customers’ opt-in consent before using or disclosing their personal information is narrowly tailored to the state’s substantial interests in protecting ISP customers’ data privacy, free speech, and information security.

The case is called ACA Connects v. Frey. We were joined by three other groups dedicated to both free speech and data privacy on the Internet: the ACLU, the ACLU of Maine, and the Center for Democracy and Technology.

Why EFF Supports Broadband Privacy Laws

ISPs have distinctive powers to surveil our online lives. We can’t get to the Internet without an ISP, and most Americans don’t have a choice among ISPs, so they cannot switch if they are unhappy with their current provider. ISPs can see everything that travels back and forth between our devices and the Internet. Even when we encrypt our web traffic to protect the content, ISPs can see our metadata, such as which web servers we visit. ISPs have a long and troubling history of abusing their distinctive powers to intrude on our online privacy.

In response, the FCC adopted broadband privacy rules in 2016, with EFF support. Unfortunately, Congress and the President repealed these FCC rules in 2017, over EFF opposition. So the battle for broadband privacy moved to the states. EFF supports broadband privacy bills around the country, and did so in Maine.

Maine enacted its broadband privacy law in 2019. It goes into effect in July 2020. The law requires ISPs to obtain a consumer’s opt-in consent before using or disclosing what the law calls “customer personal information.” This term is defined to include (1) personally identifying information, such as a customer’s billing information and social security number, and (2) information derived from a customer’s use of broadband service, such as browsing history, geolocation, and health information. The laws also bars “pay for privacy” schemes; that is, ISPs cannot punish consumers who withhold their consent, by refusing service, charging a penalty, or withholding a discount.

In February 2020, a consortium of ISPs filed a lawsuit against the State of Maine. They argue, among other things, that Maine’s broadband privacy law violates the First Amendment rights of ISPs. We disagree.

Why Maine’s Law Passes First Amendment Muster

EFF is second to none in working to protect free speech on the Internet for all the people of the world. We recognize that the Maine law limits the expression of ISPs: the law regulates how ISPs create and disseminate information, which is speech within the meaning of the First Amendment.

But not all government limits on expression deserve the highest level of First Amendment protection from courts. Here, given the particular relationship between ISPs and their customers, a reduced level of protection is appropriate. First, the Maine law regulates commercial speech, which the Supreme Court has described as “expression related solely to the economic interests of the speaker and its audience,” in an opinion called Central Hudson Gas v. New York (1980). Second, the speech regulated by Maine does not concern a “public issue,” in the words of a Supreme Court opinion called Dun & Bradstreet v. Greenmoss Builders (1985).

In cases involving speech regulations with these characteristics, courts enforce a slightly relaxed form of First Amendment protection known as intermediate scrutiny. The government must show (1) it has a “substantial interest” that it is seeking to achieve through the law, and (2) the law “directly advances,” and is “narrowly drawn” to, this interest. But the government need not show the challenged law is “the least restrictive means” to achieve the government’s interests.

This analysis is not changed by Sorrell v. IMS Health (2011), a Supreme Court decision that struck down a Vermont law that regulated use and disclosure of pharmacy prescription information, but only as to a narrow set of speakers (drug sellers) and a narrow message (marketing of brand-name drugs). The Maine law, on the other hand, does not discriminate on the basis of viewpoint, and it is uniformly targeted to an entire tech sector.

Maine Has Substantial Interests In Protecting Users’ Privacy, Speech, and Information Security

Here, Maine’s broadband privacy law advances three substantial government interests. First, our privacy over our personal information is a fundamental human right. We should have a say in how others process data about us. New technologies make it increasingly easy for businesses to harvest and monetize vast amounts of our personal information.

Second, our freedom of speech often relies on conversational privacy. As the Supreme Court explained in Bartnicki v. Vopper (2001), “the fear of public disclosure of private conversations might well have a chilling effect on private speech.” To be clear, the ISPs are not the only party in this case with First Amendment interests. Rather, ISPs’ customers also have a First Amendment interest that the court must weigh—their interest in keeping their expressive information private, including who they communicate with online and what websites they visit to read.

Third, information security is strengthened by our ability to control the flow of our personal data. By regulating how ISPs use and disclose our data, the Maine law reduces the incentive for ISPs to collect and store vast troves of our data. Thus, in the event of a data breach at an ISP, less of our data will be at risk. Adversaries like identity thieves, stalkers, and foreign nations can use breached data for further attacks against us. For example, our Internet use patterns can expose when we are not at home, and our interests and associations that are exposed by browsing can facilitate phishing attacks.

Maine’s Law Is Narrowly Tailored

The requirement of Maine law (i.e., that ISPs obtain opt-in consent before using or disclosing customers’ data) is narrowly tailored to Maine’s substantial interests (i.e., protection of ISP customers’ data privacy, free speech, and information security). As the Supreme Court explained in DOJ v. Reporters Committee (1989), “the individual’s control of information concerning [their] person” lies at the center of our privacy rights. The opt-in consent requirement restores to consumers control over the personal information that they expose to ISPs when they visit the Internet.

The ISPs argue that the Maine law’s requirement of opt-in consent is not narrowly tailored, because there is an alternative regulatory approach that, according to the ISPs, would be less burdensome on their processing of customer data: empowerment of customers to opt-out of this processing. But defaults matter. Studies show that tech users generally do not change default settings. Many customers who strongly prefer that ISPs do not use and disclose their personal data are not aware (1) that ISPs are doing so, (2) that they can opt-out, and (3) how to navigate the settings to flip the default. Thus, the requirement of opt-in consent is far more protective of data privacy than a consumer option to opt-out.

Numerous federal appellate and trial courts have upheld consumer data privacy laws like the one at issue here because they are narrowly tailored to substantial government interests. The one outlier appellate court decision is older, subject to a persuasive dissent, and not followed by subsequent decisions.

Finally, the Maine law is tailored to an economic sector, broadband providers, that presents particular threats to data privacy, as discussed above. Many other consumer data privacy laws are sector-specific, including those regulating cable, video rentals, health services, financial services, credit reporting, telecommunications carriers, websites, and electronic communication services and remote computing services. The sector-specific approach taken here by Maine does not heighten the First Amendment scrutiny.

Next Steps

Moving forward, EFF will continue to advocate for enactment of broadband privacy laws, at the federal and state levels, and to defend these laws in court against poorly taken First Amendment challenges.

This work is part of a larger constellation of EFF advocacy for Internet users. For example, we support net neutrality laws that ban ISPs from discriminating for or against different websites, apps, or services. Likewise, we support fiber–for–all laws that would, among other things, promote competition and give consumers more choice among ISPs. And we support consumer data privacy laws that apply to all manner of entities that harvest and monetize our personal information, including third-party trackers.

You can read here our amicus brief in ACA Connects v. Frey [PDF], the ISPs’ First Amendment challenge to the Maine broadband privacy law.