Ask Reggi Your Question Now
Can I ignore my obligations as a service provider with access to personal information in Maine? What are the requirements?
Obligations of Service Providers with Access to Personal Information in Maine
As a service provider with access to personal information in Maine, you have certain obligations that you must comply with. These obligations are outlined in the Maine Revised Statutes, Title 35-A, Chapter 93, Section 9301 [1.1].
Definition of Terms
Before we dive into the requirements, it’s important to understand the definitions of some key terms used in the statute:
- “Broadband Internet access service” means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service.
- “Customer” means an applicant for or a current or former subscriber of broadband Internet access service.
- “Customer personal information” means personally identifying information about a customer, including but not limited to the customer’s name, billing information, social security number, billing address and demographic data, and information from a customer’s use of broadband Internet access service, including but not limited to the customer’s web browsing history, application usage history, precise geolocation information, financial information, health information, information pertaining to the customer’s children, device identifier, content of the customer’s communications, and origin and destination Internet protocol addresses.
- “Provider” means a person who provides broadband Internet access service.
Obligations of Service Providers
As a service provider with access to personal information in Maine, you must comply with the following obligations:
- Privacy of Customer Personal Information: You may not use, disclose, sell, or permit access to customer personal information, except as provided in subsections 3 and 4, Title 16, chapter 3, subchapters 10 and 11 and 18 United States Code, Section 2703 [1.1].
- Customer Consent Exception: You may use, disclose, sell, or permit access to a customer’s customer personal information if the customer gives you express, affirmative consent to such use, disclosure, sale, or access. A customer may revoke their consent under this paragraph at any time. You may not refuse to serve a customer who does not provide consent or charge a customer a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent [1.1].
- Other Exceptions: You may collect, retain, use, disclose, sell, and permit access to customer personal information without customer approval for the purpose of providing the service from which such information is derived or for the services necessary to the provision of such service, to advertise or market the provider’s communications-related services to the customer, to comply with a lawful court order, to initiate, render, bill for and collect payment for broadband Internet access service, to protect users of the provider’s or other providers’ services from fraudulent, abusive or unlawful use of or subscription to such services, and to provide geolocation information concerning the customer for the purpose of responding to a customer’s call for emergency services, to a public safety answering point, a provider of emergency medical or emergency dispatch services, a public safety, fire service or law enforcement official, or a hospital emergency or trauma care facility, or to a provider of information or database management services solely for the purpose of assisting in the delivery of emergency services in response to an emergency [1.1].
- Security of Customer Personal Information: You must take reasonable measures to protect customer personal information from unauthorized use, disclosure, or access. In implementing security measures required by this subsection, you shall take into account the nature and scope of the provider’s activities, the sensitivity of the data the provider collects, the size of the provider, and the technical feasibility of the security measures [1.1].
- Notice Required: You must provide to each of your customers a clear, conspicuous, and nondeceptive notice at the point of sale and on your publicly accessible website of your obligations and a customer’s rights under this section [1.1].
- Applicability: The requirements of this section apply to providers operating within the State when providing broadband Internet access service to customers that are physically located and billed for service received in the State [1.1].
Information Requirements and Limitations
Notwithstanding the above obligations, the commission may not require a service provider to provide infrastructure maps that contain a level of detail that is greater than the infrastructure maps filed for that service provider’s service territory prior to March 1, 2012 or that depict the infrastructure connecting interoffice facilities to remote terminals and digital loops. Additionally, a service provider is not required to submit notices to the commission of unscheduled service outages or notices of restorations of service earlier than 7 calendar days following the restoration of service [3.1].
Provider of Last Resort Service Consumer Protection
A service provider in accordance with rules adopted by the commission shall provide customers adequate and timely information about provider of last resort service including posting in an easily discoverable location on its publicly accessible website its rate for provider of last resort service. The service provider shall treat its customers in a nondiscriminatory manner and may not unreasonably deny or disconnect provider of last resort service. The service provider shall comply with minimum consumer protection standards for provider of last resort service essential to the preservation of good quality, affordable provider of last resort service throughout the State. A customer of a service provider may seek redress from the commission in accordance with any applicable provisions of this Title with respect to provider of last resort service, regardless of any other services the customer may take from the service provider. A service provider may not disconnect a provider of last resort service customer from provider of last resort service except in accordance with rules adopted by the commission. This section does not authorize the commission to regulate services other than provider of last resort service, including but not limited to discontinuance by the service provider of any other services to the customer [3.2].
Conclusion
As a service provider with access to personal information in Maine, you have several obligations that you must comply with to protect your customers’ privacy and security. These obligations include obtaining customer consent, protecting customer personal information, and providing notice to customers of their rights. Failure to comply with these obligations may result in legal consequences. However, the commission may not require you to provide infrastructure maps with a level of detail greater than what was filed prior to March 1, 2012, or submit notices of unscheduled service outages or restorations of service earlier than 7 calendar days following the restoration of service. Additionally, you must comply with minimum consumer protection standards for provider of last resort service essential to the preservation of good quality, affordable provider of last resort service throughout the State [1.1][3.1][3.2].
Source(s):
- [1.1] Privacy of broadband Internet access service customer personal information
- [3.1] Certain information requirements and limitations
- [3.2] Provider of last resort service consumer protection
Jurisdiction
Maine