Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 1 of 32 PageID #: 1
`
`UNITED STATES DISTRICT COURT
`DISTRICT OF MAINE
`
`
`
`
`
`
`ACA CONNECTS – AMERICA’S
`COMMUNICATIONS ASSOCIATION;
`
`CTIA – THE WIRELESS ASSOCIATION®;
`
`NCTA – THE INTERNET & TELEVISION
`ASSOCIATION; and
`
`USTELECOM – THE BROADBAND
`ASSOCIATION,
`
`Plaintiffs,
`
`v.
`
`Civil Action No. ___________
`
`
`
`AARON FREY, in his official capacity as
`Attorney General of the State of Maine;
`
`PHILIP L. BARTLETT II, in his official
`capacity as Chairman of the Maine Public
`Utilities Commission;
`
`R. BRUCE WILLIAMSON, in his official
`capacity as Commissioner of the Maine Public
`Utilities Commission; and
`
`RANDALL D. DAVIS, in his official capacity
`as Commissioner of the Maine Public Utilities
`Commission,
`
`Defendants.
`
`
`
`
`
`
`
`COMPLAINT FOR DECLARATORY JUDGMENT
`AND INJUNCTIVE RELIEF
`
`
`
`{R2226252.1 71521-079126 }
`
`
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 2 of 32 PageID #: 2
`
`Plaintiffs ACA Connects – America’s Communications Association, CTIA – The
`
`Wireless Association®, NCTA – The Internet & Television Association, and USTelecom – The
`
`Broadband Association allege:
`
`PRELIMINARY STATEMENT
`
`1.
`
`Plaintiffs and their members, which include Internet Service Providers (“ISPs”),
`
`are committed to protecting their customers’ privacy. Plaintiffs and their members have
`
`consistently supported reasonable laws and regulations that safeguard consumers’ personal
`
`information uniformly across all consumer-facing companies, whether online or offline.
`
`2.
`
`The Maine statute challenged here, L.D. 946 (June 6, 2019) (“the Statute”), which
`
`was enacted purportedly to advance the goal of consumer privacy, is not such a law. The Statute
`
`imposes unprecedented and unduly burdensome restrictions on ISPs’, and only ISPs’, protected
`
`speech. These include restrictions on how ISPs communicate with their own customers that are
`
`not remotely tailored to protecting consumer privacy. Indeed, by targeting ISPs alone, the
`
`Statute deliberately thwarts federal determinations about the proper way to protect consumer
`
`privacy — that is, with technology-neutral, uniform regulation.
`
`3.
`
`The Statute violates the First Amendment because, among other things, it:
`
`(1) requires ISPs to secure “opt-in” consent from their customers before using information that is
`
`not sensitive in nature or even personally identifying; (2) imposes an opt-out consent obligation
`
`on using data that are by definition not customer personal information; (3) limits ISPs from
`
`advertising or marketing non-communications-related services to their customers; and
`
`(4) prohibits ISPs from offering price discounts, rewards in loyalty programs, or other cost-
`
`saving benefits in exchange for a customer’s consent to use their personal information. The
`
`Statute thus excessively burdens ISPs’ beneficial, pro-consumer speech about a wide variety of
`
`subjects, with no offsetting privacy-protection benefits. At the same time, it imposes no
`
`{R2226252.1 71521-079126 }
`
`
`2
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 3 of 32 PageID #: 3
`
`restrictions at all on the use, disclosure, or sale of customer personal information, whether
`
`sensitive or not, by the many other entities in the Internet ecosystem or traditional brick-and-
`
`mortar retailers, thereby causing the Statute to diverge further from its stated purpose. To make
`
`matters worse, the Statute is shot through with irrational distinctions between closely related
`
`types of speech based on the content of the speech.
`
`4.
`
`Protecting customer privacy is a laudable objective that ISPs support. But Maine
`
`has not shown — through evidence in the legislative record — that ISPs’ privacy practices are
`
`causing any harm whatsoever to consumers, let alone harm that justifies unique restrictions on
`
`ISPs’ communications. Nor has Maine shown that such unique restrictions are needed in light of
`
`federal privacy standards, which apply evenly across businesses of all types. Maine cannot
`
`discriminate against a subset of companies that collect and use consumer data by attempting to
`
`regulate just that subset and not others, especially given the absence of any legislative findings or
`
`other evidentiary support that would justify targeting ISPs alone. Maine’s decision to impose
`
`unique burdens on ISPs’ speech — while ignoring the online and offline businesses that have
`
`and use the very same information and for the same and similar purposes as ISPs — represents
`
`discrimination between similarly situated speakers that is impermissible under the First
`
`Amendment. See Sorrell v. IMS Health Inc., 564 U.S. 552, 572 (2011); U.S. West, Inc. v. FCC,
`
`182 F.3d 1224, 1238-39 (10th Cir. 1999).
`
`5.
`
`This speaker-based discrimination, which renders the Statute inconsistent with its
`
`avowed goal of protecting consumers’ privacy, is not the only reason the State cannot carry its
`
`burden under the First Amendment. Indeed, the Statute lacks any reasonable fit between its
`
`provisions and advancing consumer privacy — even as applied to ISPs. For example, the Statute
`
`restricts wide swaths of information that raise no plausible privacy concerns at all, including
`
`{R2226252.1 71521-079126 }
`
`
`3
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 4 of 32 PageID #: 4
`
`information the Statute defines as not customer personal information. In addition, the Statute
`
`draws sharp, content-based distinctions between categories of speech that cannot be explained by
`
`any interest in protecting privacy — allowing, for example, ISPs to use consumer data for speech
`
`about their communications-related services but not about their non-communications-related
`
`services. The Statute also restricts valuable non-commercial speech such as location-based
`
`public service announcements and mandatory reports to the federal government.
`
`6.
`
`The Statute’s speech restrictions are also too vague to comply with due process
`
`because they force ISPs to guess at the boundaries of those restrictions. Johnson v. United
`
`States, 135 S. Ct. 2551, 2561 (2015). The Statute’s amorphous, broad, and open-ended
`
`restrictions will therefore chill ISPs’ protected First Amendment speech.
`
`7.
`
`In addition to violating the First Amendment in multiple respects, the Statute is
`
`preempted by federal law because it directly conflicts with and deliberately thwarts federal
`
`determinations about the proper way to protect consumer privacy. Indeed, the Statute’s express
`
`purpose was to contradict Congress’s decision — embodied in a binding joint resolution signed
`
`by the President — to repeal and prohibit the federal adoption of an ISP-specific privacy regime
`
`in favor of privacy rules that apply uniformly to all companies holding consumers’ personal
`
`information. The Statute also conflicts with the Federal Communications Commission’s
`
`(“FCC”) decision that a combination of disclosure, competition, and Federal Trade Commission
`
`(“FTC”) oversight — not prescriptive ISP-specific rules — best balances the federal policies of
`
`promoting broadband and protecting consumer privacy. And it does so in a manner that makes it
`
`impossible for Plaintiffs’ members to comply with mandatory federal reporting requirements and
`
`other disclosures required by law.
`
`8.
`
`The Court should declare the Statute unconstitutional and enjoin its enforcement.
`
`{R2226252.1 71521-079126 }
`
`
`4
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 5 of 32 PageID #: 5
`
`PARTIES
`
`9.
`
`Plaintiff ACA Connects – America’s Communications Association is a trade
`
`association representing nearly 800 small and medium-sized independent operators that provide
`
`video, broadband, and phone services. ACA Connects’ members often operate in smaller
`
`markets and rural areas, where they provide communications services that are crucial to the
`
`economic prosperity of the communities they serve. ACA Connects’ members include providers
`
`of broadband Internet access service in the State of Maine. ACA Connects maintains its
`
`principal place of business in Pittsburgh, PA.
`
`10.
`
`Plaintiff CTIA represents the U.S. wireless communications industry and
`
`companies throughout the mobile ecosystem that enable Americans to lead a 21st century
`
`connected life. CTIA vigorously advocates at all levels of government for policies that foster
`
`continued wireless innovation and investment. Its members include providers of wireless
`
`broadband Internet access service to households, businesses, and governmental entities
`
`throughout the country, including to customers in the State of Maine. CTIA maintains its
`
`principal place of business in Washington, D.C.
`
`11.
`
`Plaintiff NCTA is the principal national trade association of the cable industry in
`
`the United States. NCTA’s mission is to protect and advocate for the interests of the cable and
`
`telecommunications industry. Its members include cable operators offering fixed and wireless
`
`broadband Internet access services to households, businesses, and governmental entities
`
`throughout the country, including to customers in the State of Maine. NCTA maintains its
`
`principal place of business in Washington, D.C.
`
`12.
`
`Plaintiff USTelecom is a non-profit association of telecommunications companies
`
`of all sizes working toward the common goal of providing accessible, thriving, and secure
`
`{R2226252.1 71521-079126 }
`
`
`5
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 6 of 32 PageID #: 6
`
`broadband infrastructure in all corners of the United States. USTelecom’s members provide
`
`fixed and wireless broadband Internet access service to millions of consumers and businesses
`
`across the country, including in the State of Maine. USTelecom maintains its headquarters in
`
`Washington, D.C.
`
`13.
`
`Defendant Aaron Frey is the Attorney General of the State of Maine. His
`
`principal place of business is in Augusta, Maine, and he regularly transacts business within the
`
`State. Attorney General Frey is charged with enforcing Maine’s civil law, including the Statute.
`
`14.
`
`Defendant Philip L. Bartlett II is the Chairman, and Defendants R. Bruce
`
`Williamson and Randall D. Davis are Commissioners, of the Maine Public Utilities Commission,
`
`which has authority to enforce the Statute. Their principal place of business is in Hallowell,
`
`Maine, and they regularly transact business within the State. Chairman Bartlett is responsible for
`
`implementing the policies of the Commission as principal executive officer.
`
`JURISDICTION AND VENUE
`
`15.
`
`This Court has subject matter jurisdiction pursuant to 28 U.S.C. § 1331 because
`
`the case arises under the First and Fourteenth Amendments and the Supremacy Clause of the
`
`United States Constitution.
`
`16.
`
`42 U.S.C. § 1983 provides a civil cause of action to any person who is deprived of
`
`rights guaranteed by the United States Constitution or federal law, by another person, under color
`
`of State law.
`
`17.
`
`This Court may declare the legal rights and obligations of the parties in this action
`
`under 28 U.S.C. § 2201 because this action presents an actual controversy within the Court’s
`
`jurisdiction.
`
`{R2226252.1 71521-079126 }
`
`
`6
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 7 of 32 PageID #: 7
`
`18.
`
`Venue is proper in the District of Maine under 28 U.S.C. § 1391(b)(1) and (2),
`
`because Defendants have offices in, and therefore reside in, the District of Maine, and a
`
`substantial part of the events giving rise to Plaintiffs’ claims occurred in the District of Maine.
`
`19.
`
`Under Local Rule 3(b), this action should be assigned to the Bangor Division of
`
`this Court because a substantial part of the events giving rise to Plaintiffs’ claims for relief
`
`occurred in Kennebec County.
`
`20.
`
`ACA Connects, CTIA, NCTA, and USTelecom each have associational standing
`
`to bring this suit on behalf of their members because at least one member of each association will
`
`be directly, adversely, and imminently affected by the Statute and thus would have standing to
`
`sue in their own right. The interests that Plaintiffs seek to protect by way of this lawsuit are
`
`germane to each organization’s purpose. Finally, neither the claims asserted nor the relief
`
`requested requires an individual member of ACA Connects, CTIA, NCTA, or USTelecom to
`
`participate in this suit.
`
`FACTUAL BACKGROUND
`
`Internet Service Providers And Consumer Data
`
`21.
`
`ISPs provide consumers with access to the Internet. They deploy high-speed
`
`fixed and mobile links connecting their networks to consumers’ homes and smartphones, and
`
`they operate the equipment and systems that in turn allow consumers to send and receive
`
`information from those networks across the Internet.
`
`22.
`
`ISPs are just one segment of the broader Internet ecosystem. They provide
`
`consumers access to digital content, websites, and applications (“apps”), including those
`
`developed and operated by “edge providers,” such as operators of streaming video services (e.g.,
`
`Netflix), search engines (e.g., Google), social media (e.g., Facebook), and online marketplaces
`
`(e.g., Amazon), among countless others. Other businesses develop the software — including the
`
`{R2226252.1 71521-079126 }
`
`
`7
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 8 of 32 PageID #: 8
`
`operating systems, web browsers, and other applications — that facilitate Internet activity on
`
`computers, tablets, smartphones, and other devices.
`
`23.
`
`Each of these types of actors collects and uses consumer data for business,
`
`operational, marketing, and advertising purposes. Standard uses include providing products or
`
`services to customers, verifying customers’ identities, processing payments, providing financing,
`
`and conducting research in order to improve existing products and services. Internet-based
`
`businesses are far from unique in this respect. Traditional brick-and-mortar businesses similarly
`
`collect and use customer information in the course of charging for products or services and
`
`administering customer loyalty or rewards programs. In addition to collecting data directly from
`
`customers, businesses also turn to so-called “data brokers” (e.g., Experian) to purchase additional
`
`consumer data.
`
`24.
`
`Online and offline businesses also use consumer information to develop and
`
`engage in effective and efficient communications with their customers. By analyzing this data,
`
`businesses — including ISPs, edge providers, and brick-and-mortar retailers — can better tailor
`
`their products, services, marketing, and advertising to meet consumer needs and satisfy their
`
`preferences.
`
`25.
`
`This type of tailored marketing and advertising creates “enormous benefits” for
`
`businesses and consumers. Executive Office of the President, Big Data: Seizing Opportunities,
`
`Preserving Values 50 (2014). It allows businesses to communicate with consumers more
`
`effectively and efficiently, and allows consumers to receive more relevant information and
`
`superior service. Because of these benefits, targeted marketing and advertising have become an
`
`important means of communication between Internet-based businesses and their customers. See
`
`eMarketer Editors, US Digital Ad Spending Will Surpass Traditional in 2019 (Feb. 19, 2019)
`
`{R2226252.1 71521-079126 }
`
`
`8
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 9 of 32 PageID #: 9
`
`(domestic spending on digital advertising is projected to account for more than half of all U.S.
`
`advertising spending).
`
`26.
`
`Recent technological developments have limited ISPs’ access to consumers’ data
`
`when transmitted over their Internet connection. Widespread encryption is “pervasively limiting
`
`the ability of ISPs to see Internet activity.” Peter Swire, et al., Online Privacy and ISPs: ISP
`
`Access to Consumer Data is Limited and Often Less than Access by Others 25, Working Paper of
`
`The Institute for Information Security & Privacy at Georgia Tech (Feb. 29, 2016),
`
`https://b.gatech.edu/2Hn2ULi (“Swire Study”); see also Cam Cullen, Global Internet
`
`Phenomena Preview: Encrypted Traffic Dominates the Internet, Sandvine (2018) (estimating
`
`that 75 to 90 percent of Internet traffic is encrypted), https://bit.ly/2O8fzri. The widely adopted
`
`HTTPS encryption standard, for example, prevents ISPs from seeing both the full URL1 and the
`
`content of websites their customers visit. See Swire Study at 26. To illustrate, if a customer
`
`conducts a Google search for “best bookstores in Portland,” her ISP can “see” only that she
`
`contacted google.com; it cannot see what she asked Google to search for. For these and other
`
`reasons, “other companies often have access to more information and a wider range of user
`
`information than ISPs [and] ISPs have neither comprehensive nor unique access to information
`
`about users’ online activity. Rather, the most commercially valuable information about online
`
`users, which can be used for targeted advertising and other purposes, is coming from other
`
`contexts.” Id. at 3-4.
`
`
`1 A “URL” or Uniform Resource Locator is the text that represents information
`accessible over the Internet. For example, http://www.med.uscourts.gov is the URL for the
`Court’s home page, while http://www.med.uscourts.gov/office-hours is the full URL that
`provides direct access to the page listing the clerk’s office’s telephone numbers and hours of
`operations.
`
`{R2226252.1 71521-079126 }
`
`
`9
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 10 of 32 PageID #: 10
`
`27.
`
`In addition, consumers today increasingly access the Internet through multiple
`
`devices and, as a result, they typically use the services of more than one ISP. See Cisco, Cisco
`
`Visual Networking Index (VNI), Complete Forecast Update, 2017–2022, at 22 (Dec. 2018). In
`
`using several devices, many of which are mobile, consumers “constantly shift from one ISP to
`
`another, not just for home and work, but among many WiFi hotspots and other locations from
`
`which they connect to the Internet,” providing ISPs mere “episodic glimpses” of a customer’s
`
`Internet usage. Swire Study at 25.
`
`28.
`
`These same developments have not affected the ability of edge providers and
`
`software developers to access Internet-usage information. See Swire Study at 11-14. To the
`
`contrary, edge providers are obtaining ever more comprehensive and detailed customer
`
`information by tracking customers across devices. See id. at 116-18.
`
`29.
`
`Because of their greater access to comprehensive customer information, edge
`
`providers and software developers have become dominant players in the market for targeted
`
`advertising. Last year, nine of the top 10 largest digital ad sellers were projected to be edge
`
`providers or software developers, not ISPs. See Jasmine Enberg, Global Digital Ad Spending
`
`2019, eMarketer (Mar. 2019), https://bit.ly/2FRu2lB.
`
`30.
`
`The FTC’s enforcement data reflects that ISPs are rarely the object of
`
`enforcement actions concerning consumer privacy. Of the 101 Internet privacy-related
`
`enforcement actions the FTC brought between 2008 and 2018, only one action involved an ISP.2
`
`U.S. Government Accountability Office, Internet Privacy Report 21 (Jan. 2019),
`
`
`2 This sole ISP was Level 3 Communications, LLC, which settled charges that it falsely
`claimed to participate in the international privacy framework called the U.S.-EU Safe Harbor.
`See FTC, Press Release, FTC Approves Final Orders Settling Charges of U.S.-EU Safe Harbor
`Violations Against 14 Companies, https://bit.ly/2OQIwGI.
`
`{R2226252.1 71521-079126 }
`
`
`10
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 11 of 32 PageID #: 11
`
`https://bit.ly/2Hkx2XL. The others involved edge providers, software developers, and brick-and-
`
`mortar manufacturers also conducting business online, among others. See id. Moreover, several
`
`of the FTC’s privacy-related enforcement actions involved product manufacturers or other brick-
`
`and-mortar businesses outside the Internet ecosystem, see id., underscoring that consumer
`
`privacy interests are implicated by the actions of all consumer-facing businesses, not just those
`
`within the Internet ecosystem — and certainly not by ISPs alone.
`
`Federal Internet Privacy Rules
`
`31.
`
`The federal government has determined that consumer privacy is best protected
`
`through a technology-neutral, uniform, and nationwide approach applicable to all businesses and
`
`governed by a single regulator — the FTC — and not through a regime that addresses only ISPs.
`
`32.
`
`The FTC has decades of experience bringing enforcement actions pursuant to
`
`uniform federal privacy standards that apply evenly to all businesses — including ISPs, edge
`
`providers, and brick-and-mortar retailers — nationwide. Indeed, in its traditional role “as the
`
`cop on the broadband beat,” the FTC “has vigorously protected the privacy and security of
`
`consumer data.” Statement from Acting FTC Chairman Maureen K. Ohlhausen on the FCC’s
`
`Approval of the Restoring Internet Freedom Order, Federal Trade Commission (Dec. 14, 2017),
`
`https://bit.ly/2Ho4egW. That uniform, technology-neutral approach has long enjoyed broad
`
`support among consumers and the federal government. See, e.g., Progressive Policy Institute,
`
`Recent National Survey of Internet Users (May 26, 2016), https://bit.ly/3bGusth (reporting that
`
`94% of Internet users agreed that “[a]ll companies collecting data online should follow the same
`
`consumer privacy rules”); Protecting Consumer Privacy in an Era of Rapid Change, FTC, at 56
`
`(Mar. 2012), https://bit.ly/2vsiT8m (“any privacy framework should be technology neutral”);
`
`Executive Office of the President, Consumer Data Privacy in a Networked World: A Framework
`
`for Protecting Privacy and Promoting Innovation in the Global Digital Economy, White House
`
`{R2226252.1 71521-079126 }
`
`
`11
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 12 of 32 PageID #: 12
`
`Report, at 36 (Feb. 2012), https://bit.ly/2vAlywv (recommending “a level playing field for
`
`companies, a consistent set of expectations for consumers, and greater clarity and transparency in
`
`the basis for FTC enforcement actions”).
`
`33.
`
`In 2016, the FCC departed from that uniform, technology-neutral approach to
`
`privacy regulation and sought to impose restrictions on what ISPs — and only ISPs — could do
`
`with “customer proprietary information.” Report and Order, Protecting the Privacy of
`
`Customers of Broadband and Other Telecommunications Services, 31 FCC Rcd. 13911 (2016)
`
`(“ISP Privacy Order”).
`
`34.
`
`Among other things, the ISP Privacy Order required ISPs to obtain “opt-in”
`
`consent to use, disclose, or permit access to “sensitive” customer proprietary information, and to
`
`permit customers to “opt out” of letting the ISP use, disclose, or permit access to “non-sensitive”
`
`customer proprietary information. ISP Privacy Order ¶ 9. But the ISP Privacy Order imposed
`
`no restrictions on the use of information that could not be “linked” to an individual (for example,
`
`aggregated or anonymized data). 47 C.F.R. § 64.2002(m) (2016). It permitted ISPs to use
`
`customer data to provide services and to make disclosures required by law. See ISP Privacy
`
`Order ¶ 9. And it allowed ISPs to offer discounts, benefits, or other incentives in exchange for
`
`customers’ providing opt-in consent, as long as the ISP clearly described the offer’s terms. Id.
`
`¶¶ 298-303.
`
`35.
`
`The ISP Privacy Order was short-lived. In 2017, Congress passed and the
`
`President signed a joint resolution under the Congressional Review Act, see 5 U.S.C.
`
`§ 801(b)(1), repealing the ISP Privacy Order and stating that: “Congress disapproves the rule
`
`submitted by the Federal Communications Commission relating to ‘Protecting the Privacy of
`
`Customers of Broadband and Other Telecommunications Services’ (81 Fed. Reg. 87274
`
`{R2226252.1 71521-079126 }
`
`
`12
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 13 of 32 PageID #: 13
`
`(December 2, 2016)), and such rule shall have no force or effect.” Joint Resolution, Pub. L. No.
`
`115-22, 131 Stat. 88 (2017). The joint resolution not only vacated the ISP Privacy Order, but
`
`also precludes the FCC or any other federal agency from adopting “a new rule that is
`
`substantially the same” as the ISP Privacy Order unless “specifically authorized” by a
`
`subsequent act of Congress. 5 U.S.C. § 801(b)(2).
`
`36. Members of Congress explained that the FCC’s approach of targeting only ISPs
`
`would “arbitrarily treat ISPs differently from the rest of the internet, creating a false sense of
`
`privacy” among consumers. 163 Cong. Rec. at H2495 (Mar. 28, 2017) (statement of Rep.
`
`Lance). “[S]eparating edge providers from ISPs,” one sponsor explained, “creates confusion for
`
`both consumers and business operations,” and repeal of the ISP Privacy Order was therefore
`
`necessary to “reduce the confusion that has been created from this unnecessary regulation that
`
`has stifled competition and impeded innovation.” Id. at H2497 (statement of Rep. Collins).
`
`37.
`
`Another House sponsor observed that ignoring the rest of the industry by targeting
`
`only ISPs would do little to accomplish the FCC’s stated objectives, in light of substantial
`
`evidence showing that “ISPs now have increasingly limited insight into our activities and
`
`information online.” 163 Cong. Rec. at H2490 (statement of Rep. Blackburn). In contrast, “so-
`
`called edge providers, like search engines, social media, advertising, shopping, and other
`
`services online, often have greater visibility into personal consumer data.” Id.
`
`38. Members of Congress also emphasized the need for uniform enforcement of
`
`privacy practices across the Internet, in lieu of a patchwork of burdensome and inconsistent
`
`regulations. As one of the House sponsors explained, “[t]he FTC has served as our Nation’s sole
`
`online privacy regulator for over 20 years” and having other “privacy cops on the beat will create
`
`confusion within the internet ecosystem and will end up harming consumers.” 163 Cong. Rec. at
`
`{R2226252.1 71521-079126 }
`
`
`13
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 14 of 32 PageID #: 14
`
`H2489 (statement of Rep. Blackburn). By repealing the ISP Privacy Order, Congress intended
`
`to “put[ ] all segments of the internet on equal footing and provide[ ] American consumers with a
`
`consistent set of privacy rules.” Id. at H2495 (statement of Rep. Lance).
`
`39.
`
`The FCC subsequently reaffirmed that it does not serve the public interest to
`
`subject ISPs to a separate and different privacy regime than other businesses. Instead, the FCC
`
`found that ISPs, no different from edge providers or other online and offline businesses, should
`
`fall under the jurisdiction of the FTC, which is the only consumer protection agency with
`
`enforcement power that “operates on a national level across industries.” Declaratory Ruling,
`
`Report and Order, and Order, Restoring Internet Freedom, 33 FCC Rcd 311, ¶ 183 (2018) (“RIF
`
`Order”), petitions for review denied in pertinent part, Mozilla Corp. v. FCC, 940 F.3d 1 (D.C.
`
`Cir. 2019). The FCC concluded that “[r]estoring FTC jurisdiction over ISPs will enable the FTC
`
`to apply its extensive privacy and data security expertise to provide the uniform online privacy
`
`protections [across the Internet ecosystem] that consumers expect and deserve.” Id. ¶ 181. This
`
`reflects the practical reality that the Internet necessarily operates across state lines and
`
`throughout myriad industries.
`
`40.
`
`As a complement to restoring jurisdiction over ISPs’ privacy and data security
`
`practices to the FTC, the FCC concluded that ISPs should comply with a narrow Transparency
`
`Rule requiring them to make “[a] complete and accurate disclosure about the ISP’s privacy
`
`practices,” including “whether any network management practices entail inspection of network
`
`traffic, and whether traffic [information] is stored, provided to third parties, or used by the ISP
`
`for non-network management purposes.” RIF Order ¶ 223. The FCC determined that these
`
`privacy-related disclosures “inform the [FCC], consumers, entrepreneurs, and other small
`
`businesses about the parameters of the service, without imposing costly burdens on ISPs.” Id.
`
`{R2226252.1 71521-079126 }
`
`
`14
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 15 of 32 PageID #: 15
`
`To the extent an ISP acts inconsistently with its stated policies, the FCC determined, the FTC can
`
`protect consumer interests by “tak[ing] [enforcement] action against deceptive ISP conduct.” Id.
`
`¶ 244.
`
`41.
`
`The FCC determined that a combination of requiring disclosure of ISP privacy
`
`practices, together with consumer protection enforcement by the FTC, better comported with
`
`those goals than “complex and highly prescriptive privacy regulations for broadband Internet
`
`access service.” RIF Order ¶ 158.
`
`42.
`
`Separately, the FCC requires ISPs to submit data about their subscribers,
`
`including the number of active customers the ISP currently serves within each specified
`
`geographic area, to the agency on Form 477. See 47 C.F.R. § 1.7001. To comply with this
`
`reporting requirement, ISPs must use information they have collected that pertains to their
`
`customers, including the number of customers per location based on residential address,
`
`geolocation information, and telephone number. Failing to file Form 477 subjects an ISP to
`
`“enforcement action pursuant to the Act and any other applicable law.” Id. § 1.7001(f).
`
`Maine Enacts L.D. 946
`
`43.
`
`On June 6, 2019, Maine enacted L.D. 946 — an ISP-only privacy law and “the
`
`nation’s strictest” information privacy statute to date. Casey Leins, Maine Passes Nation’s
`
`Strictest Internet Privacy Protection Law, U.S. News (June 7, 2019), https://bit.ly/2mgQAFt.
`
`The Statute takes effect on July 1, 2020. L.D. 946, § 2.
`
`44.
`
`The sponsors of L.D. 946 expressly intended to reinstate the rules from the ISP
`
`Privacy Order that Congress had repealed. As one of the bill’s co-sponsors explained: “In April
`
`2017, the U.S. Congress voted to reverse new privacy protections from the [FCC] that would
`
`have required [ISPs] to seek customers’ permission before sharing their personal information”;
`
`“[s]oon after,” the Maine House responded by introducing legislation to “fill the gap created by
`
`{R2226252.1 71521-079126 }
`
`
`15
`
`

`

`Case 1:20-cv-00055-LEW Document 1 Filed 02/14/20 Page 16 of 32 PageID #: 16
`
`the Congress.” Hearing on LD 946, An Act To Protect the Privacy of Online Consumer
`
`Information (Apr. 24, 2019) (Testimony of Sen. Guerin).
`
`45.
`
`The Statute applies solely to ISPs — “providers” of “broadband Internet access
`
`service,” defined as “mass-market retail service[s],” including fixed and mobile Internet access
`
`that “provides the capability to transmit data to and receive data from all or substantially all
`
`Internet endpoints.” Me. Rev. Stat. tit. 35-A, § 9301(1)(A), (D). It leaves wholly unregulated
`
`the vast majority of entities — online and offline — that collect and use the same customer
`
`personal information and for the same or similar purposes as ISPs.
`
`46.
`
`The Statute requires “express, affirmative consent” — that is, opt-in consent —
`
`for any use, disclosure, sale, or access to “customer personal information.” Me. Rev. Stat. tit.
`
`35-A, § 9301(2), (3)(A).
`
`47.
`
`The Statute broadly defines “customer personal information” to include both
`
`(1) “[p]ersonally identifying information about a customer, including but not limited to the
`
`customer’s name, billing information, social security number, billing address and demographic
`
`data,” and (2) “[i]nformation from a customer’s use of broadband.” Me. Rev. Stat. tit. 35-A
`
`§ 9301(1)(C)(1), (2). Although the Statute lists certain categories of information falling within
`
`each prong, it makes clear that these are simply non-exclusive examples of “customer personal
`
`information.” Id. The Statute thus demands opt-in consent for a vast swath of information
`
`regardless of sensitivity — including technical information such as an IP address used to connect
`
`a customer to the Internet — a demand that even the ISP Privacy Order did not i