Selling or trading personal information -- a common practice in the adtech industry -- is increasingly under regulatory scrutiny and legislators around the world are contemplating measures that put clear limits around such practices, increase transparency and put consumers in control over their data. By way of example, the German competition agency has been investigating the adtech sector for some time, the UK is following suit and Australia is contemplating a code for social media and online platforms which trade in personal information.
As of 1 July 2019 (Maine), and 1 October 2019 (Nevada), some companies will have to comply with additional requirements and restrictions regarding personal information selling under new U.S. state laws that seem inspired by, but are not as broad as the California Consumer Privacy Act (CCPA) (for detailed articles on the CCPA, please see an alert by Lothar Determann here and an article by Brian Hengesbaugh and Harry Valetk here). Maine's Act to Protect the Privacy of Online Customer Information requires prior opt-in to data selling (the CCPA requires offering opt-out) and introduces new notice requirements, but only for broadband providers. Nevada’s Senate Bill 220 applies to any operator of online services, within or outside Nevada, but not offline and “selling” is more narrowly defined than under the CCPA.
Maine's Act to Protect the Privacy of Online Customer Information
Who and what data are protected?
Customers of broadband Internet access service that are physically located and billed for service received in Maine are protected with respect to their customer personal information, defined as:
- personally identifying information about a customer, including but not limited to the customer's name, billing information, social security number, billing address and demographic data
- information from a customer's use of broadband Internet access service, including but not limited to web browsing history and a number of other categories of data
The definition of "customers" is much more limited than the definition of "consumers" under the CCPA. Unlike the CCPA, which generally protects California residents, online and offline, even when they are physically outside the state, under the Maine law customers must subscribe to broadband services and both be physically located in Maine and billed for services received in Maine to be protected under the law.
The definition of protected information is also more limited than under the CCPA. While the CCPA covers any information relating to a California resident or household, the Maine law only protects data relating to broadband services. Data relating to broadband services, however, is broadly protected under the Maine law.
Who must comply?
Unlike the CCPA, which applies to most businesses world-wide and in all industries, the Maine law is limited to providers of broadband Internet access service operating within Maine.
"Broadband Internet access service" means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service.
"Provider" means a person who provides broadband Internet access service.
How to comply?
Provide notice, seek express opt-in consent before collecting personal information, and protect personal information.
Providers must give notice of their obligations and customers’ rights under the law to their customers at the point of sale and on their publicly accessible website. As with the CCPA, the law's prescriptive details (e.g. disclosing an opt-out right with respect to non-personally identifiable information pertaining to a customer) add another jurisdiction-specific disclosure requirement for companies.
Subject to several exemptions, including use necessary to provide the service, providers must seek express prior opt-in consent before using, disclosing, selling or permitting access to a customer's personal information. Any consent given may be revoked at any time. Unlike the CCPA, which defines "sale" of personal information broadly as any sharing for "monetary or other valuable consideration," the Maine law is silent on the definition of sale.
Like the CCPA, the Maine law includes an antidiscrimination right and a provider may not refuse to serve a customer who does not provide consent or charge a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent. But unlike the CCPA, under the Maine law there is no carve out permitting charging a different price or offering a different level of services if that difference is reasonably related to the value provided by the customer’s data.
The following is exempted from the law’s opt-in requirements and a provider may collect, retain, use, sell and permit access to customer personal information without customer approval:
- for the purpose of responding to a customer's call for emergency services, a public safety answering point; a provider of emergency medical or emergency dispatch services; a public safety, fire service or law enforcement official; or a hospital emergency or trauma care facility
- the customer's legal guardian or a member of the customer's immediate family in an emergency situation that involves the risk of death or serious physical harm
- a provider of information or database management services solely for the purpose of assisting in the delivery of emergency services in response to an emergency
Providers that use, disclose, sell or permit access to customer personal information beyond the exemptions will have to build in an express opt-in option when selling services to new customers and reach out to existing customers to seek their express opt-in (and if they don’t get it, stop existing practices that would be prohibited from July 1, 2019). But notably, providers may sell customer personal information as necessary to provide their services, which may suggest that sharing with commonly relied upon service providers that routinely use information for analytics and to improve their own services would not trigger the opt-in requirement.
If the provider receives written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell or permit access to non-customer personal information the provider collects pertaining to such customer (opt-out), the law also prohibits the provider from using, disclosing, selling or permitting access to such information.
As already required by numerous data privacy and security laws in other U.S. states and jurisdictions around the world, providers must take reasonable measures to protect customer personal information from unauthorized use, disclosure or access.
Sanctions and remedies
Maine’s Act to Protect the Privacy of Online Customer Information does not provide for sanctions and remedies specific to violations of that law. The sanctions and remedies can be found in chapter 15 of Maine’s title 35-A on Public Utilities.
If a provider violates title 35-A on Public Utilities, causes or permits a violation of the title or omits to do anything that the title requires it to do it may be liable in damages to the person injured as a result.
For willful violations, the Maine Public Utilities Commission may impose an administrative penalty for each violation in an amount that does not exceed $5,000 or 0.25% of the annual gross revenue that the provider received from sales in Maine, whichever amount is lower. Each day a violation continues constitutes a separate offense. The maximum administrative penalty for any related series of violations may not exceed $500,000 or 5% of the provider’s annual gross revenue that the provider received from sales in Maine, whichever amount is lower. For a violation in which a provider was explicitly notified by the commission that it was not in compliance and that a failure to comply could result in the imposition of administrative penalties, the commission may impose a penalty that does not exceed $500,000. The commission may also require disgorgement of profits or revenue realized as a result of a violation. The commission may, in an adjudicatory proceeding, suspend or revoke the authority of a provider to provide service upon a finding that the provider is unfit to provide safe, adequate and reliable service at rates that are just and reasonable.
Nevada’s Senate Bill 220
Who and what data are protected?
Consumers who reside in Nevada are protected with respect to their covered information.
Covered information means “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: … A first and last name … Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.”
Compared to the CCPA, the Nevada law defines consumer in a more limited (and more intuitive) way as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes”. Also, unlike the CCPA, the Nevada law only protects consumers when seeking or acquiring those things “from the Internet website or online service of an operator.” But like the CCPA, the law lacks any limiting reference to Nevada residents having to be physically located in Nevada to be protected.
The Nevada law’s definition of covered information is more limited compared to the CCPA’s any “information that . . . relates to . . . a particular consumer or household,” because it does not extend to household information and is limited to information collected by an operator online and maintained in an accessible form.
Who must comply?
Unlike the CCPA, only “operators”, as opposed to the CCPA’s broadly defined “businesses”, must comply.
Subject to certain exemptions as noted below, “Operator” means a person who owns or operates an Internet website or online service for commercial purposes; collects and maintains covered information from Nevada resident consumers who use or visit the Internet website or online service; and purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.
Like the CCPA, this definition would cover many businesses without a physical presence in Nevada but with a commercial website accessed by Nevada residents.
Similarly to the CCPA, the key exemptions are financial institutions or their affiliates that are subject to the Gramm-Leach-Bliley Act, entities that are subject to the Health Insurance Portability and Accountability Act of 1996, and third parties that operate, host or manage an Internet website or online service on behalf of its owner; generally, manufacturers of motor vehicles and persons who repair or service motor vehicles are also exempt.
How to comply?
Every operator of an online service purposefully addressed to Nevada consumers must establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer and respond to such requests. There is no language in the text of the bill limiting this obligation to establish a request address and respond to requests to businesses that are currently selling information.
Nevertheless, given that the Nevada law defines “selling” only as exchanging personal information specifically for monetary consideration and for onward licensing or sale, far fewer companies should be affected by the opt-out right than by the CCPA. Most businesses do not sell personal information for monetary consideration. The legislative history indicates that the Nevada bill is targeted at businesses that are selling information for specific monetary consideration. Thus, the definition of "selling" under the Nevada law should be interpreted far more narrowly than the potentially broad interpretation of the CCPA, which could be understood to cover any exchange of personal information for any valuable consideration, monetary or otherwise - and by extension pretty much any contract, given that contracts by definition involve consideration.
First of all, any contracts not involving payments are excluded from the Nevada law. Second, even contracts involving payments are arguably not covered by the Nevada law's definition of "selling" if the payment is intended for a service and the data sharing is coincidental, given the definitional focus on monetary consideration for information under the Nevada law. This may leave only arrangements whereby online operators are paid specifically for personal information of Nevada-based consumers.
Those operators who currently do sell personal information for monetary considerations should consider stopping the practice, given the increasing hostility to such forms of data monetization. Or, companies can establish a designated address for consumers to opt-out of data selling, respond to opt-out requests within 60 days, and stop data selling when requested.
Most operators must already, under existing Nevada law, provide a website privacy notice with information about their data collection practices. The new requirement to also establish a designated request address must be implemented by establishing an email address, a toll-free number or an Internet website.
Subject to broad exemptions, sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. The following is exempted from the definition of sale:
- the disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator
- the disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer
- the disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator
- the disclosure of covered information to a person who is an affiliate (controls, is controlled by or is under common control with another company) of the operator
- the disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator
An operator who has received a verified request from a consumer not to sell their personal information shall respond within 60 days after receiving the request and must not sell any covered information collected about the consumer. If the operator determines that an extension is reasonably necessary, the operator may extend the period to respond by not more than 30 days and must notify the consumer of such extension.
Sanctions and remedies
The Nevada Attorney General can bring a civil action for an injunction or penalties up to $5,000 for each violation.