Part of States Newsroom
Maine lawmakers advance what could be one of nation’s toughest data privacy laws


Mar 28, 2024 | 7:57 am ET
By Emma Davis
[Image caption: There is no one federal law regulating internet privacy, although there have been several proposals. This leaves a patchwork of state laws and parts of federal legislation governing the current landscape. (Yuichiro Chino/Getty Images)]

The majority of the Legislature’s Judiciary Committee wants Maine to lead the country in enacting some of the strictest regulations for companies that collect consumer information online.

With the final votes tallied late Wednesday, the committee voted 8-6 to advance a proposal for a comprehensive data privacy law, while voting down 8-6 an alternative bill with fewer baseline protections for data collection.

The votes were along party lines, as were the two proposals. The version the committee advanced is based off of a bill from Rep. Maggie O’Neil (D-Saco), largely favored by privacy advocates and Maine’s attorney general, which Democratic members amended based on discussions over the past several months. 

The other proposal, originally introduced by Sen. Lisa Keim (R-Oxford) and later amended with committee member Rep. Rachel Henderson (R-Rumford), has been seen as friendlier to tech companies and businesses. 

“We, I think, maybe naively had an idea that we could or that we would find a common ground and be able to move forward with one privacy bill,” Henderson said during the final work session for the bill on Tuesday.

The amended versions align much more than the original bills, notably when it comes to enforcement. The Democratic amendment now incorporates a provision from the Republican proposal that only allows enforcement through the Attorney General’s Office, rather than allowing people who feel their privacy has been violated to take a company to court.  

However, consensus could not be reached on two pivotal points: exemptions and data minimization. 

Data minimization is a baseline protection that limits companies to collecting only information directly relevant and necessary for their operations. The Democratic proposal has more data minimization and, as a result, offers more exemptions to the law. Meanwhile, the Republican proposal does not have as much minimization, leading to fewer exemptions. 


There is no one federal law regulating internet privacy, although there have been several proposals. This has left a patchwork of state laws and parts of federal legislation governing the current landscape. If Maine passes a comprehensive law to regulate privacy online, it would be joining 14 other states that have done so in recent years.

California was the first state to enact a comprehensive data privacy law, currently considered the toughest in the country. Most other states with similar legislation have instead followed what has been dubbed the Connecticut model, often described as a watered down approach with regulations falling between California’s and those passed in red states. 

In Maine, business interests have argued consistency is paramount, which they say is why they’ve supported Keim’s bill, which is more closely aligned with this compromise model, whereas consumer advocates maintain that greater protections should not be sacrificed for consistency’s sake.

“We heard the suggestion that Maine may be a leader in this field and I’m fine with that,” Rep. Amy Kuhn (D-Falmouth) said in defense of the majority vote. “I’m fine leading when we’re trying to protect Maine consumers.” 

The disagreement is not for a lack of trying. Clocking in well over 30 hours of work spread across eight meetings this year, not counting additional work this past fall, legislators on both sides of the aisle described the process as the most intense and lengthy bill consideration of their tenures. 

“I’ve never seen a committee dig into something like this,” Carney said, also noting the work of analyst Janet Stocco from the Office of Policy and Legal Analysis. “I’m just incredibly proud of the work we’ve all done.” 

The proposals now head to the House and Senate for floor votes. 

Remaining differences between the proposals 

Data minimization shifts the work of protecting privacy from consumers to the companies that collect their data. 

The Democratic amendment limits the collection of personal data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.” The Keim and Henderson amendment limits personal data collection to what is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer.” 

In plain language, Keim’s amendment limits data collection to what companies disclose in privacy policies (that long pop-up you have to agree to, and likely don’t fully read, to download an app), whereas the Democratic amendment would only allow for data collection tied to a specific product or service the consumer requested. 

Another major difference is that the Democratic amendment has stricter standards for data that is considered sensitive, for which it limits data collection to only what is “strictly necessary” to provide the service requested by the consumer. 

Business interests have argued that both versions of a data minimization framework would be too restrictive, though they were more opposed to the stricter version, arguing it would prevent them from targeted advertising and limit some consumer-facing services, such as showing customers their recently viewed products.

“My concern is that, in an attempt to be special, that we’re adopting a brand new data minimization standard that is going to make it very difficult for businesses to do business here in the state of Maine,” Henderson said, “and almost give them every reason to avoid us.” 

Advocates for consumer protection argue that data minimization doesn’t prevent these services but rather prevents companies from using personal information in out-of-context ways, such as selling data unrelated to the primary purpose of its collection. 

Exemptions from the comprehensive data privacy law would be provided in both amendments, though in different ways. The amendments break down these exemptions three ways: exemptions for entire companies, for specific types of data and for small businesses. 

An entity-level exemption is an exemption of an entire company from the law, if its data collection is already regulated by federal laws. Throughout consideration of the bills, industry lobby groups for healthcare, automobiles, bankers and credit unions in Maine largely argued in support of entity-level exemptions because of existing regulations under several federal acts, notably the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to explain their information-sharing practices to customers and to safeguard sensitive data.


The Democratic amendment provides more entity-level exemptions. Specifically, it provides exemptions from the law for tribal governments, nonprofits and institutions of higher education, which the Republican amendment does not. The Democratic amendment also exempts healthcare entities and affiliates covered by HIPAA, whereas Keim’s amendment does not have an entity exemption for HIPAA.

When it comes to exemptions, the Democratic amendment more closely aligns with Connecticut law — though since enactment, Connecticut’s Attorney General suggested scaling back its entity-level exemptions, which Henderson said she wants Maine to consider prior to enactment. 

“We’re building a fence for the people of the state of Maine using material that hasn’t been used to build a fence anywhere else, and then we’re blowing big holes in that fence with all these exemptions for our friends to walk through,” Henderson said. 

Rep. Erin Sheehan (D-Biddeford) pushed back on the insinuation that the exemptions are favors.

“It feels particularly egregious in so far as we crafted them very surgically to address the concerns that were brought to us by industry stakeholders who are here based in Maine,” Sheehan said. “Their ability to continue to serve Mainers is very important to us. I think we’re able to address those concerns while still enacting meaningful change to better protect consumer data.”

Both versions have exemptions for businesses that are regulated by the Family Educational Rights and Privacy Act, insurance companies that are in compliance with applicable privacy and security laws, as well as internet service providers — however the Republican proposal exempts ISPs on an entity-level and the Democratic proposal only provides an exemption to the extent that they’re doing business covered by existing service law. 

Newfound areas of agreement 

The data-level exemptions in both amendments are now nearly aligned. A data-level exemption means regulated data maintained by a company will be exempt but that company still needs to otherwise comply with the privacy law. 

As for small business exemptions, Keim’s amendment takes a two-step approach, initially providing an exemption for businesses that collect data from fewer than 100,000 Mainers, but after a few years with the law in effect it gets tighter, providing exemptions for those that collect data from fewer than 50,000 consumers.

The Democratic amendment had started right away with the latter, though the motion that advanced on Tuesday included an additional change to adopt the two-step approach.  

Enforcement had been a key difference between the two proposals but now they are in line. 

O’Neil’s bill originally included a private right of action, which provides people who feel their privacy has been violated with the ability to hold the perpetrator accountable, either in court or by another remedy. Keim’s proposal did not have a private right of action. Instead, it only permits enforcement by the Attorney General’s Office. 

As of the latest revisions shared Tuesday, both versions now only allow Attorney General enforcement and both completely prohibit a private right of action. 

The amendments diverge on what happens before the Attorney General brings a lawsuit, though Henderson proposed adopting the Democratic bill language into her amendment of Keim’s bill. 

In the Democratic amendment, the AG has to notify the defendant 30 days in advance of filing. In the Keim amendment, there was a discretionary 30-day right to cure period, to allow companies time to rectify issues before the government takes action on a violation.

Minors have additional protections in both proposals. In both, if a business knows a consumer is under 13 years of age, they have to follow federal law, meaning they need to get parental consent to collect the child’s data. 

When a child reaches 13 but is under 18 years old, the Democratic amendment allows consumers to consent to the sale of their data but never to targeted ads for as long as the person is a minor. Meanwhile, the cutoff for prohibiting targeted ads in Keim’s bill is 15 years old, which mirrors Connecticut law.