Maine could have strongest data privacy law in nation if bill passes 

Maine’s legislature is working on a data privacy bill that, if it passes in the face of opposition from the private sector, could become the strongest data privacy law in the nation.

The legislation, also known as the Data Privacy and Protection Act, was introduced last year after a competing data privacy bill was proposed in Maine. Privacy advocates say the private sector’s support of the competing bill is because it’s modeled after ineffective “comprehensive” data privacy laws that have been enacted in other states.

While it may appear as though though the Maine Data Privacy and Protection Act was proposed in reaction to the Maine Consumer Privacy Act, the bill’s sponsor has been working on expanding data privacy rights in the state for several years. State Rep. Maggie O’Neil introduced biometric privacy legislation last year and in 2022, but both efforts failed amid private sector opposition.

Her work is in line with the state’s aggressive reputation on privacy, and especially biometric privacy: In 2021, the state cemented itself as a privacy leader when it banned some uses of facial recognition technology. Maine was also the first in the nation to legally restrict how internet service providers can use, disclose or sell customer data — such as their personal information, web browsing history or location data — when in 2019 it passed the Act to Protect the Privacy of Online Customer Information.

O’Neil told StateScoop last year that it’s on states to enact privacy protections as long as the federal government does not. Her proposed legislation is modeled largely after the federal data privacy bill that failed in Congress in 2022, the American Data Privacy and Protection Act. StateScoop reached out to O’Neil for comment on her new bill, but did not heard back in time for publication.

The competing bill, sponsored by state Sen. Lisa Keim, features similar language to O’Neil’s 2022 and 2023 biometric legislation, such as opt-in requirements for the processing of sensitive data, such as biometric, health and geolocation. However, it offers little in the way of enforcement or deterrence. Maine Attorney General Aaron Frey, in a letter testifying in opposition to Keim’s bill, criticized its lack of a private right of action, a legal mechanism that allows people to individually sue violating companies.

“The availability of a private cause of action is important because it allows for enforcement even when my office might not have the necessary resources, and the potential for private enforcement has a significant deterrent effect,” Frey wrote in the letter.

Meagan Sway, policy director of the American Civil Liberties Union of Maine, worked closely with O’Neil on both her previous biometric privacy bill and the current proposal. She told StateScoop that the lack of enforcement measures in Keim’s bill is why the state’s private sector and Big Tech lobbyists are supporting it, despite the similarity in the language regarding biometrics.

“From my perspective, the industry put in its own bill to try to get out ahead, to weaken privacy and make sure we didn’t have strong privacy. And shame on them,” Sway told StateScoop. “What they did is they adopted a lot of the language of our biometric bill, but then they’re just pushing the same industry bill they’ve been pushing in other states.”

Organizations including the Maine Bankers Association, the National Retail Federation, the Alliance for Automotive Innovation and Maine clothing retailer L.L. Bean vocalized their opposition to O’Neil’s proposal, testifying in a letter in October that while it supports consumer data rights, the bill’s deviation from existing data privacy laws will make compliance difficult.

O’Neil’s bill also features a private right of action, allowing individuals to recoup $5,000 in damages from companies that violate the bill. This legal protection, along with its “data minimization” obligations that prevents companies from collecting unnecessary information, is why the bill could go on to be the only privacy law on the books to earn an “A” grade from the Electronic Privacy Information Center and the U.S. PIRG Education Fund, two research groups that last week released a report finding most states’ privacy laws offer limited protections for consumers.

They evaluated 14 data privacy laws for their strengths and weaknesses and assigned letter grades to each. The highest scoring law, the California Consumer Protection Act, earned a “B+”, while the Connecticut Data Privacy Act, which Keim’s bill is most similar to, earned only a “D.”

“Right now, there are no guardrails for what companies can do with our personal information. Companies have a free pass to do what they want with our data, including profiting off our most sensitive information,” O’Neil said in an ACLU news release. “Mainers deserve choices about how our personal information is collected and used. For years, Big Tech fought any laws to protect our personal information. Because of a building public outcry, now Big Tech is writing weak consumer privacy laws themselves to preserve their current practices under a false veil of protecting consumers. Mainers deserve real protections. We can’t let Big Tech write their own law here in Maine.”