This bill enacts the Maine Consumer Data Privacy Act, which takes effect July 1, 2026. The Act regulates the collection, use, processing, disclosure, sale and deletion of nonpublicly available personal data that is linked or reasonably linkable to an individual who is a resident of the State, referred to in the Act as a "consumer," by a person that conducts business in this State or that produces products or services targeted to residents of this State, referred to in the Act as a "controller." Under the Act, a controller must limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which the controller processes that data, as disclosed in a privacy notice specifying the categories of personal data processed by the controller, the purposes for processing the personal data, the categories of personal data transferred to 3rd parties and the categories of 3rd parties with which personal data is shared. The Act also requires a controller to process the minimum amount of personal data reasonably necessary, adequate or relevant for each disclosed processing purpose. A consumer has the right, under the Act, to confirm whether a controller is processing the consumer's personal data; to require the controller to correct inaccuracies in or delete the consumer's personal data; to obtain a copy of the consumer's personal data; and to opt out of the processing of the consumer's personal data for purposes of targeted advertising, sale or profiling in furtherance of decisions about the consumer's access to financial or lending services, housing, insurance, education, criminal justice, employment opportunities, health care services and essential goods and services. The privacy notice must describe how a consumer may exercise these rights.
The controller must obtain the affirmative, informed consent of a consumer before processing the consumer's sensitive data, including data revealing the consumer's race or ethnic origins, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation or citizenship or immigration status; genetic or biometric data; precise geolocation data; complete social security, driver's license or nondriver identification card number; specific financial or account access information; data of a known child who has not attained 13 years of age; or data concerning the consumer's status as the victim of a crime. If the controller knows that the consumer has not attained 13 years of age, the controller may not process the consumer's data for any purpose without parental consent. If the controller knows or willfully disregards that the consumer is at least 13 years of age but has not attained 16 years of age, the controller may not process the consumer's data for targeted advertising and must obtain the consumer's consent before processing the consumer's data for sale. The Act prohibits a controller from processing data in a manner that discriminates against a person in violation of state or federal law. A controller is also prohibited from retaliating against a consumer for exercising the consumer's rights under the Act, except that a controller may offer different prices or selection of goods in connection with a consumer's voluntary participation in a bona fide loyalty or discount program. A controller must establish, implement and maintain reasonable data security practices and a retention schedule that requires the deletion or de-identification of personal data when retention of the data is no longer reasonably necessary and relevant to the purposes for which the data is processed or when deletion of the data is required by law. Beginning July 1, 2026, if a controller engages in a data processing activity that presents a heightened risk of harm to a consumer, including processing any data for targeted advertising, sale or profiling or any processing of sensitive data, the controller must conduct and document a data protection assessment to identify and weigh the benefits and potential risks of the processing activity. The controller may be required to disclose the data protection assessment to the Attorney General, who must keep it confidential, when the assessment is relevant to an investigation conducted by the Attorney General. The Act further prohibits any person, other than the operator of the facility, from establishing a geofence within 1,750 feet of any in-person health care facility in the State for the purpose of identifying, tracking, collecting data from or sending a notification regarding consumer health data to consumers who enter that area.

The provisions of the Act do not apply to specifically enumerated persons, including the State, political subdivisions of the State and federally recognized Indian tribes in the State; financial institutions or their affiliates subject to the federal Gramm-Leach-Bliley Act that are directly and solely engaged in financial activities; state-licensed and authorized insurers that are in compliance with applicable Maine laws governing insurer data security and data privacy; and persons that both processed the personal data of fewer than 25,000 consumers in the preceding calendar year and derived no more than 25% of gross revenue from the sale of personal data. The Act also does not apply to persons that controlled or processed the personal data for purposes other than completing payment transactions of fewer than 100,000 consumers in the preceding calendar year, except that, beginning January 1, 2028, this exception applies only to persons that controlled or processed the personal data for purposes other than completing payment transactions of fewer than
50,000 consumers in the preceding calendar year.

In addition, the provisions of the Act do not apply to specifically enumerated types of data, including: nonpublic personal information regulated under the federal Gramm-Leach-Bliley Act; protected health information under the federal Health Insurance Portability and Accountability Act of 1996; personal data regulated by the Family Educational Rights and Privacy Act of 1974; data processed and maintained by the controller regarding an applicant for employment or employee to the extent the data is collected and used within the context of that role; and data necessary for the controller to administer benefits.

The Maine Consumer Data Privacy Act also does not prohibit controllers from engaging in specifically enumerated activities, including complying with Maine or federal law; complying with investigations or subpoenas from governmental authorities including the Federal Government and the government of the State or a federally recognized Indian tribe in the State; cooperating with federal, Maine or tribal law enforcement agencies; providing a product or service specifically requested by the consumer; protecting life and physical safety of consumers and preventing or responding to security incidents; and conducting internal product research, effectuating a product recall or performing other internal operations aligned with the expectations of a consumer.

Violations of the Act may be enforced exclusively by the Attorney General under the Maine Unfair Trade Practices Act. Absent a showing of immediate irreparable harm, the Attorney General is required to provide a potential defendant with at least 30 days' notice prior to initiating an enforcement action, during which time the potential defendant may confer with the Attorney General to avoid the action. Any civil penalties, attorney's fees or costs awarded to the State for a violation of the Act must be deposited in the Maine Privacy Fund, which is established to provide funding for the enforcement staff and activities of the Department of the Attorney General. The Act further requires the Attorney General to submit a report by January 1, 2028 to the joint standing committee of the Legislature having jurisdiction over judiciary matters regarding the operation and implementation of the Act. The committee may report out legislation related to the report to the Second Regular Session of the 133rd Legislature.

The bill also repeals the current law governing the privacy of broadband Internet access service customer personal information because broadband Internet access service providers are subject to the provisions of the Act.