Maine Suit Challenges Privacy Regulation on First Amendment Grounds

When it comes to First Amendment free speech rights, the Supreme Court has sided mostly with consumers. Will that change with a Maine case?

In 2018, the U.S. Supreme Court struck down a California law that mandated that anti-abortion clinics advise patients that they did not offer abortion services. On its face, the case had nothing to do with data privacy or security. But the court found that the California law violated the First Amendment free speech rights of the clinics by compelling them to say and do things (advise their patients of what services they did and did not offer) that they did not want to say. In other words, compelled speech. The court found that the government could not, consistent with the First Amendment, compel the clinics to deliver a message that the government wanted to be delivered.

In another Supreme Court case, the court held that a Vermont law prohibiting pharmacies from selling information about what drugs doctors were prescribing to their patients (and how often) violated the First Amendment rights of the pharmacies to sell and of the drug companies to buy this information. While the law permitted the use of prescriber data for educational purposes, it prohibited it for “marketing,” and as such favored one form of expression over another and, in the opinion of the court, violated the First Amendment.

Into this fray comes a Maine law that prohibits certain internet companies from selling personal information such as a customer’s web browsing and application use history, precise geolocation data, customer financial and health data, non-public communications, IMEI and IP addresses and other sensitive information without the express consent (opt-in) of the customer. Various trade organizations representing phone companies, ISPs and others that collect and sell this data have filed suit in Maine to have the courts declare the statute an unconstitutional infringement on their First Amendment right to create, sell and use personal data, noting:

“The [Maine] Statute violates the First Amendment because, among other things, it: (1) requires ISPs to secure ‘opt-in’ consent from their customers before using information that is not sensitive in nature or even personally identifying; (2) imposes an opt-out consent obligation on using data that are by definition not customer personal information; (3) limits ISPs from advertising or marketing non-communications-related services to their customers; and (4) prohibits ISPs from offering price discounts, rewards in loyalty programs, or other cost-saving benefits in exchange for a customer’s consent to use their personal information. The Statute thus excessively burdens ISPs’ beneficial, pro-consumer speech about a wide variety of subjects, with no offsetting privacy-protection benefits.”

So, there are two aspects of the Supreme Court’s First Amendment jurisprudence at play here: compelled speech and content (or speaker) based discrimination.

The court has looked askance at laws that compel entities to engage in “speech” that they don’t want to engage in. While the court has generally considered compelled “health and safety warnings” permissible, as are “purely factual and uncontroversial disclosures about commercial products,” it is not clear whether other compelled disclosures—such as being forced to disclose one’s security posture, privacy policies or even the fact of a data breach—would come under the rubric of “health and safety warnings” or would be considered by the court to be objectionable content-based compelled commercial speech. In fact, in the abortion clinic case, the dissenting justices noted that there was no “reasoned basis … for distinguishing lawful from unlawful disclosures. In the absence of a reasoned explanation of the disclaimer’s meaning and rationale, the disclaimer is unlikely to withdraw the invitation to litigation that the majority’s general broad ‘content-based’ test issues. That test invites courts around the Nation to apply an unpredictable First Amendment to ordinary social and economic regulation, striking down disclosure laws that judges may disfavor, while upholding others, all without grounding their decisions in reasoned principle.”

So entities that do not want to disclose things such as their security posture to the SEC, data breaches to the public or their privacy policies generally might use the First Amendment as a shield to attack mandatory disclosure laws as unlawful content-based compelled speech, rather than a simple health and safety regulation.

First Amendment and Permitted Use

The flip side of compelled speech is content-based or speaker-based restrictions on the use of data, such as the pharmaceutical data sold in Vermont. So companies that collect, store and process sensitive or commercially useful information about their customers, applying the Vermont pharmacy First Amendment case, would argue that they have a First Amendment right to collect and sell that data and that any government regulation of that sale violates the Constitution. Privacy laws, by their nature, are “content-based,” deciding what information is “private” and what information is not “private” based on the content of that data. They are also typically “use-based,” permitting some direct and other indirect use of the data (e.g., using IP addresses to make connections between machines) but prohibiting other uses (such as selling information about an individual’s browsing history). In their Maine lawsuit, the ISPs also complain that the regulation applies only to ISPs and not search engines including Bing and Google, or other parties that have the ability to track user activity and behavior. Thus, the regulation is also “speaker-based” and unconstitutional.

All regulations make distinctions, usually based on content. Once the Supreme Court held that there was a First Amendment right to collect and sell personal data, it opened the door for challenges to privacy laws and regulations that infringed on this “right.” We can expect more of this to come. My advice: Hold on. It’s gonna be a bumpy ride.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.