‘Buckle up’: Data privacy bills back before Maine Legislature

sarayut Thaneerat via Getty Images

Featured eBooks
AI, From Front Line to Back Office
Trust in Government
Chasing New Industry
Insights & Reports
Building flexible and secure government services: An Identity-first guide
Presented By Okta
Download Now
Redefining Justice: Technology’s Role in Modern Courts
Presented By Salesforce
Download Now
By Emma Davis,
Maine Morning Star

By Emma Davis,
Maine Morning Star

|

Amid the lack of a national data privacy bill, all of the bill sponsors highlighted the importance of enacting a law that is interoperable among other states.

This story was originally published by the Maine Morning Star.

The Maine Legislature is again considering enacting a comprehensive data privacy law.

Last session, after a dozen public meetings, countless hours of behind-the-scenes work and sizable lobbying influence from Big Tech, the Legislature rejected two competing data privacy proposals, which the bills this session build upon. 

The sponsors of three proposals heard in the Judiciary Committee on Monday each described their legislation as a means to put Mainers in control of their personal information, however the bills diverge on how best to do so. 

The key difference between the versions remains the same: how they limit data collection.

Related articles

Is the US privacy policy good enough?

North Carolina lawmakers consider bill to let consumers opt out of targeted online ads

States’ privacy is a ‘continual conversation’ amid AI growth, officials say

LD 1822, sponsored by Rep. Amy Kuhn (D-Falmouth), uses a standard called data minimization, which limits companies to collecting only information directly relevant and necessary for their operations. Maine’s attorney general and privacy advocates testified in favor of this version last session and again on Monday, pushing for a plan that would make Maine’s regulations on companies that collect online consumer information among the strictest in the country.

Conversely, the version that was backed by businesses and technology companies last session is the basis for LD 1088, sponsored by Rep. Rachel Henderson (R-Rumford), and LD 1224, sponsored by Rep. Tiffany Roberts (D-South Berwick) and bipartisan co-sponsors. These bills use a consent-based model, which allows companies to collect the data they’d like so long as it’s disclosed in the terms and conditions consumers agree to.

Other tensions that arose last year regarding how to approach enforcement and exemptions, as well as whether to repeal Maine’s current internet service provider-specific law to instead regulate all businesses under one comprehensive law, are among the key points of division among proposals this session. 

There is currently a patchwork of state laws and parts of federal legislation governing the current landscape, as there remains no one federal law regulating internet privacy, despite several proposals. 

Because of this, all of the bill sponsors highlighted the importance of enacting a law that is interoperable among other states, though argued for different reasons why their version would best allow for it.

The bills last session morphed considerably as lawmakers attempted, though ultimately failed, to reach agreement on one proposal and the same tedious work is expected again this session. 

As Henderson put it on Monday, “I am happy to be here but I also want to offer condolences to everyone who now has to sit through more privacy bills, and if you have not had the honor of doing so, welcome and buckle up.”

Data Collection

The average consumer is likely more familiar with the data collection approach in the Republican and bipartisan measures, LD 1088 and LD 1224, which rely on privacy notices that consumers must agree to before accessing a website or app. Data collection can still occur in that case, whereas LD 1822 — which only has Democratic cosponsors — would prohibit businesses from collecting certain information. 

The arguments for and against each largely felt like déjà vu, with businesses and tech groups on one side and privacy advocates and civil rights groups on the other. 

Testifying in favor of LD 1822, Maine Assistant Attorney General Brendan O’Neil said data minimization would reduce consumer burden and better align data practices with what consumers expect. Health care providers and immigrant rights groups also argued explicit bans on sensitive data are crucial. 

“We know from firsthand accounts in Maine that immigrants avoid accessing healthcare, education or even emergency assistance because they fear where that information may end up,” said Ruben Torres, policy lead for the Maine Immigrants’ Rights Coalition.

Representatives of Maine Family Planning and Planned Parenthood argued data minimization would shore up Maine’s shield law, noting they currently hear from patients who fear data logged in menstrual tracking apps could be used in legal action in states where abortion and other sexual reproductive health care is banned.

All three bills approach “personal” and “sensitive” data differently. 

LD 1088 and LD 1224 would limit the collection of personal data to what is “adequate, relevant and reasonably necessary” to provide the product or service requested by the consumer, and require what’s collected to be disclosed in a privacy notice. 

However, the bills would require “affirmative, informed consent” for the collection of sensitive data, such as information about a consumer’s sexual orientation, immigration status and geolocation data — though how that would differ from a privacy notice was not clear on Monday.

LD 1822 would limit the collection of personal data to what is “reasonably necessary and proportionate” to provide the product or service requested by the consumer, but that the collection of sensitive data must be limited to only what is “strictly necessary.” 

Last year, the bill Kuhn modeled hers after had also also regulated the use of data, which this version does not, much to the disappointment of privacy advocates. 

Kuhn also made some changes based on concerns raised by businesses last year that data minimization would limit their ability to do targeted advertising and limit reach to new consumers. Essentially, the version this year now ensures small businesses that have to stretch their advertising dollars can access ad exchanges, which are marketplaces where companies can buy and sell advertising. 

Of note, while more supportive of LD 1088 and LD 1224, L.L. Bean did not testify against the data minimization bill this year. 

Now neither for nor against, Christy Van Voorhees, legal counsel for the Freeport-based retail giant, said Kuhn’s version is “very close” to something they could get behind but that the data minimization standard still raises concerns that she hopes lawmakers can clarify.

“This is a very challenging time for businesses,” Van Voorhees added, “and I hope that that’s taken into account.”

Interoperability 

Last session, business interests argued in favor of enacting a law most consistent with those adopted by other states, whereas consumer advocates maintained that greater protections should not be sacrificed for consistency’s sake. 

More than a dozen states have modeled their laws off of one first passed in Connecticut, the model LD 1088 and LD 1224 use. 

Patrick Woodcock, president and CEO of the Maine State Chamber of Commerce, said the group has sent a letter to Maine’s congressional delegation requesting change on the federal level, however, “absent that, we would strongly encourage the committee to avoid anything that puts Maine businesses at a disadvantage.”

GET THE MORNING HEADLINES.

SUBSCRIBE

However, this session the interoperability argument has become more muddled, as Kuhn pointed out that some of the states that have adopted the Connecticut model are now amending their laws to bring them closer to the data minimization standard. 

Also, Maryland passed a law last year that is very similar to Kuhn’s proposal. Maryland’s move marks a divergence from the years-long trend of state-level proposals being watered down. Lawmakers in Connecticut have also proposed an amendment to change its standard to match Maryland’s data minimization model.

“We should settle on interoperability that actually is protecting consumers,” Kuhn said. She added, “If you think of Wayne Gretzsky: where’s the puck going? This is where the puck is going.” 

Building off of that analogy, Woodcock argued it’s unclear where the puck is going because there remains ambiguity in how Maryland law will be implemented and how companies will comply. 

That was also the view shared by other business interests, including Charlie Sultan, an attorney representing the Maine Association of Insurance Companies, who argued a pending amendment is only that, an example of lawmakers advocating for a position but not a change that the state has officially made. 

Exemptions 

During floor debates last year, the most common critique from Republicans was that the version with more data minimization offered too many exemptions to several types of companies, such as higher education, banks, hospital systems and nonprofits. 

That remains a key difference between the two buckets of data privacy bills being considered this year.

While Kuhn said on Monday that in an ideal world a data privacy law would not have entity level exemptions, she included the exemptions for certain businesses settled on in negotiations last year. 

“I felt it was very important to the business community that we not ask people to come back here and relitigate all of those,” Kuhn said. She also noted that her bill includes previously proposed data-level exemptions, which exempt regulated data maintained by a company but require that company to otherwise comply with the privacy law.  

Overall, her more stringent proposal has more data minimization and, as a result, offers more exemptions to the law. Meanwhile, the more business-friendly proposals do not have as much minimization, leading to fewer exemptions.

One key difference between LD 1088 and LD 1224, however, is that the former would repeal the current law governing the privacy of internet consumers, which was enacted in 2019. 

The version favored by businesses and tech last year initially proposed such a repeal but later removed it as a concession made during negotiations. Henderson is pushing for the repeal again. So is Senate Minority leader Trey Stewart (R-Aroostook). 

Also on Monday, the Judiciary Committee heard LD 1284, sponsored by Stewart, which would solely repeal that law. 

Advocating against the repeal, Michael Kebede, policy director for the American Civil Liberties Union of Maine, said the internet provider law affords stronger protections than those proposed in Henderson’s bill and LD 1224. 

But Stewart said the fact that lawmakers are considering a comprehensive data privacy law underscores the need for a different approach. 

“Privacy today is no longer just a technology or telecom issue,” Stewart said. “It’s a legal issue, a civil rights issue and a consumer protection issue. The fact that the Legislature itself has recognized this complexity is a signal that we can no longer afford to treat privacy as if it starts and ends with [internet service providers].” 

Enforcement 

Through the course of deliberations last session, the data privacy proposals ended up taking a very similar approach to enforcement. This year the proposals are all starting out largely in agreement in this regard. 

All bills only allow enforcement through the Maine Attorney General’s Office, rather than allowing people who feel their privacy has been violated to take a company to court, known as a private right of action. 

“Again, we’re going to honor that negotiated conclusion,” Kuhn said on Monday. 

The Maine Attorney General’s Office and the ACLU of Maine still urged the committee to consider adding a private right of action.

In contrast to the other proposals, Kuhn’s bill also includes a cure period, so that businesses have an opportunity to comply without facing consequences. 

All three bills would require the Attorney General to regularly submit reports on enforcement to inform the Legislature on any amendments that might need to be made, which has been the approach in Connecticut and other states. 

YOU MAKE OUR WORK POSSIBLE.

SUPPORT

Maine Morning Star is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Maine Morning Star maintains editorial independence. Contact Editor Lauren McCauley for questions: info@mainemorningstar.com.

NEXT STORY: Tech is driving the New York City economy, new report finds

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.