When it comes to First Amendment free speech rights, the Supreme Court has sided mostly with consumers. Will that change with a Maine case?
In 2018, the U.S. Supreme Court struck down a California law that mandated that anti-abortion clinics advise patients that they did not offer abortion services. On its face, the case had nothing to do with data privacy or security. But the court found that the California law violated the First Amendment free speech rights of the clinics by compelling them to say and do things (advise their patients of what services they did and did not offer) that they did not want to say. In other words, compelled speech. The court found that the government could not, consistent with the First Amendment, compel the clinics to deliver a message that the government wanted to be delivered.
In another Supreme Court case, the court held that a Vermont law prohibiting pharmacies from selling information about what drugs doctors were prescribing to their patients (and how often) violated the First Amendment rights of the pharmacies to sell and of the drug companies to buy this information. While the law permitted the use of prescriber data for educational purposes, it prohibited it for “marketing,” and as such favored one form of expression over another and, in the opinion of the court, violated the First Amendment.
Into this fray comes a Maine law that prohibits certain internet companies from selling personal information such as a customer’s web browsing and application use history, precise geolocation data, customer financial and health data, non-public communications, IMEI and IP addresses and other sensitive information without the express consent (opt-in) of the customer. Various trade organizations representing phone companies, ISPs and others that collect and sell this data have filed suit in Maine to have the courts declare the statute an unconstitutional infringement on their First Amendment right to create, sell and use personal data, noting:
“The [Maine] Statute violates the First Amendment because, among other things, it: (1) requires ISPs to secure ‘opt-in’ consent from their customers before using information that is not sensitive in nature or even personally identifying; (2) imposes an opt-out consent obligation on using data that are by definition not customer personal information; (3) limits ISPs from advertising or marketing non-communications-related services to their customers; and (4) prohibits ISPs from offering price discounts, rewards in loyalty programs, or other cost-saving benefits in exchange for a customer’s consent to use their personal information. The Statute thus excessively burdens ISPs’ beneficial, pro-consumer speech about a wide variety of subjects, with no offsetting privacy-protection benefits.”
So, there are two aspects of the Supreme Court’s First Amendment jurisprudence at play here: compelled speech and content (or speaker) based discrimination.
The court has looked askance at laws that compel entities to engage in “speech” that they don’t want to engage in. While the court has generally considered compelled “health and safety warnings” permissible, as are “purely factual and uncontroversial disclosures about commercial products,” it is not clear whether other compelled disclosures—such as being forced to disclose one’s security posture, privacy policies or even the fact of a data breach—would come under the rubric of “health and safety warnings” or would be considered by the court to be objectionable content based compelled commercial speech. In fact, in the abortion clinic case, the dissenting justices noted that there was no “reasoned basis … for distinguishing lawful from unlawful disclosures. In the absence of a reasoned explanation of the disclaimer’s meaning and rationale, the disclaimer is unlikely to withdraw the invitation to litigation that the majority’s general broad “content-based” test issues. That test invites courts around the Nation to apply an unpredictable First Amendment to ordinary social and economic regulation, striking down disclosure laws that judges may disfavor, while upholding others, all without grounding their decisions in reasoned principle.”
So entities who do not want to disclose things such as their security posture to the SEC, data breaches to the public or their privacy policies generally might use the First Amendment as a shield to attack mandatory disclosure laws as unlawful content-based compelled speech, rather than a simple health and safety regulation.
First Amendment and Permitted Use
The flip side of compelled speech is content-based or speaker-based restrictions on the use of data, such as the pharmaceutical data sold in Vermont. So companies that collect, store and process sensitive or commercially useful information about their customers, applying the Vermont pharmacy First Amendment case, would argue that they have a First Amendment right to collect and sell that data and that any government regulation of that sale violates the constitution. Privacy laws, by their nature, are “content-based,” deciding what information is “private” and what information is not “private” based on the content of that data. They are also typically “use-based,” permitting some direct and other indirect use of the data (e.g., using IP addresses to make connections between machines) but prohibiting other uses (such as selling information about an individual’s browsing history). In their Maine lawsuit, the ISPs also complain that the regulation applies only to ISPs and not search engines including Bing and Google, or other parties that have the ability to track user activity and behavior. Thus, the regulation is also “speaker-based” and unconstitutional.
All regulations make distinctions usually based on content. Once the Supreme Court held that there was a First Amendment right to collect and sell personal data, it opened the door for challenges to privacy laws and regulations that infringed on this “right.” We can expect more of this to come. My advice: Hold on. It’s gonna be a bumpy ride.