This bill enacts the Maine Online Data Privacy Act, which takes effect July 1, 2026. The Act regulates the collection, use, processing, disclosure, sale and deletion of nonpublicly available personal data by a person that conducts business in this State or that produces products or services targeted to residents of this State, referred to in the Act as a "controller," if the personal data is linked or can be reasonably linked to an identified or identifiable individual who is a resident of this State, referred to in the Act as a "consumer," or is linked or reasonably can be linked to a device that is linked or reasonably can be linked to an identified or identifiable consumer. Under the Act, a controller must limit the collection and processing of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer, except that the controller must limit the collection and processing of certain sensitive data to what is strictly necessary to provide or maintain a specific product or service requested by the consumer. Under the Act, "sensitive data" includes data revealing a consumer's race or ethnic origins, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, gender identity, citizenship or immigration status; genetic or biometric data; precise geolocation data; social security, driver's license or nondriver identification card numbers; specific financial or account access information; data of a minor under 18 years of age; or data concerning the consumer's status as the victim of a crime. 
The Act establishes that consumers have the right to confirm whether a controller is processing their data; correct inaccuracies in their personal data; require the controller to delete any portion of their personal data that the controller is not required to maintain by law; obtain a copy of their personal data in a format that can be readily transferred to another controller; obtain a list of the 3rd parties to which the controller has sold personal data; and opt out of the processing of their personal data for purposes of targeted advertising, sale or consumer profiling. The Act also prohibits a controller from selling any sensitive data; processing the personal data of a minor for purposes of targeted advertising or sale; processing personal data in a manner that discriminates against a person in violation of state or federal law; and retaliating against a consumer for exercising a consumer's rights under the Act, except that a controller may offer different prices or selection of goods in connection with a consumer's voluntary participation in a bona fide loyalty or discount program. The Act also requires a controller to provide consumers with a privacy notice specifying how a consumer may exercise the consumer's rights under the Act; the categories of personal data processed by the controller; the purposes for processing the personal data; the categories of personal data transferred to 3rd parties; and the categories of 3rd parties to whom personal data is shared. The controller must establish, implement and maintain reasonable data security practices and a retention schedule that requires the disposal of personal data by the controller either when deletion is required by law or when the data is no longer necessary for the purpose for which it was processed and retention of the data is not required by law. 
The controller must also require, by contract, that any person who processes a consumer's personal data on behalf of the controller treats the personal data confidentially and deletes or returns all personal data to the controller at the end of the processing, unless retention of the data is required by law. If a controller engages in a data processing activity that presents a heightened risk of harm to a consumer, including processing any data for targeted advertising, sale or profiling or any processing of sensitive data, the controller must conduct and document a data protection assessment identifying and weighing the benefits and potential risks of the processing activity. The controller may be required to disclose the data protection assessment to the Attorney General, who must keep it confidential, when the assessment is relevant to an investigation conducted by the Attorney General. The Act further prohibits any person from establishing a geofence within 1,750 feet of any in-person health care facility in the State, other than the operator of the facility, for the purpose of identifying, tracking, collecting data from or sending a notification regarding consumer health data to consumers who enter that area. 
The provisions of the Act do not apply to specifically enumerated persons, including the State, political subdivisions of the State and federally recognized Indian tribes in the State; nonprofit organizations; institutions of higher education; federally registered national securities associations; supervised financial organizations and service corporations; health care facilities and health care practitioners as well as their affiliates that both qualify as business associates and provide services only to covered entities; state-licensed and authorized insurers that are in compliance with applicable Maine laws governing insurer data security and data privacy; and broadband Internet service providers to the extent those providers are subject to the data privacy requirements of the Maine Revised Statutes, Title 35-A, section 9301. In addition, the provisions of the Act do not apply to specifically enumerated types of data, including, for example: nonpublic personal information regulated under the federal Gramm-Leach-Bliley Act; protected health information under the federal Health Insurance Portability and Accountability Act of 1996; personal data regulated by the Family Educational Rights and Privacy Act of 1974; data processed and maintained by the controller regarding an applicant for employment or employee to the extent the data is collected and used within the context of that role; and data necessary for the controller to administer benefits. The Act also does not prohibit controllers from engaging in specifically enumerated activities, including, for example: complying with state or federal law; complying with investigations or subpoenas from federal, state or tribal governmental authorities; cooperating with federal, tribal or Maine law enforcement agencies; providing a product or service specifically requested by the consumer; protecting the life and physical safety of consumers; and preventing or responding to security incidents. The Act also does not prohibit a controller from using personal data collected in a lawful manner to effectuate a product recall, identify and repair technical errors and perform internal operations that are reasonably aligned with a consumer's expectations or otherwise compatible with providing the product or service specifically requested by the consumer.
Violations of the Act may be enforced exclusively by the Attorney General under the Maine Unfair Trade Practices Act. If the violation occurs on or before April 1, 2027, the Attorney General may provide a potential defendant with a notice of violation at least 60 days prior to initiating an enforcement action, during which time the potential defendant may cure the violation to avoid the enforcement action. The Act further requires the Attorney General to submit a report by February 1, 2027 to the joint standing committee of the Legislature having jurisdiction over judiciary matters regarding the implementation and operation of the Act. The committee may report out legislation related to the report to the 133rd Legislature in 2027.