Maine Democrats' Privacy Bill Copies Maryland Data Minimization Rules
The Maine Judiciary Committee’s top Democrats unveiled a comprehensive privacy bill Tuesday that contains data minimization language similar to the Maryland Online Data Privacy Act. Judiciary House Chair Amy Kuhn (D) and Senate Chair Anne Carney (D) introduced LD-1822 with five Democratic colleagues.
Kuhn and Carney’s bill picks up from last year’s Democratic proposal by Rep. Maggie O’Neil. Rep. Rachel Henderson (R) last month introduced LD-1088, a version of an alternative Republican bill sponsored last year by Sen. Lisa Keim. O’Neil and Keim are no longer legislators because they reached term limits at the end of 2024. In addition, Rep. Tiffany Roberts-Lovell -- with five other Democrats and three Republicans, including Henderson -- introduced a third comprehensive privacy bill (LD-1224) last month.
Last month in an interview with Privacy Daily (see 2503250074), Kuhn said that, while states are increasingly trying to harmonize their privacy laws, the Maine Democrat is unwilling to "prioritize interoperability to the point where we’re agreeing on the lowest common denominator."
Similar to the data minimization requirement that's currently unique to Maryland's privacy law, Maine's LD-1822 would say a controller may not “[c]ollect, process or share sensitive data concerning a consumer, unless the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer.” Also, a controller must limit "the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains." Also as in the Maryland law, a controller may not sell sensitive data under Kuhn and Carney's bill.
"This appears to be a copy of Maryland's data minimization language," Jordan Francis, Future of Privacy Forum policy counsel, emailed Tuesday.
The bill would be enforced exclusively by the attorney general. Companies would get a 60-day right of cure until April 1, 2027. The proposed law itself would take effect July 1, 2026.
Like Maryland’s privacy law, the measure would cover businesses that process personal data of at least 35,000 consumers, or that control or process data of at least 10,000 consumers and derive more than 20% revenue or price discounts from selling personal data. The 35,000-consumer threshold wouldn’t count data used solely for completing payments.
The bill includes entity-level exemptions for government, nonprofits, higher education, national securities associations, supervised financial organizations, health care facilities and practitioners, Maine-licensed insurance companies and broadband ISPs. It has data-level exemptions, including for data covered by the federal Driver's Privacy Protection Act, Fair Credit Reporting Act, Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.
Under the bill, sensitive data would include racial or ethnic origin; religious beliefs; consumer health data; sexual activity or orientation; gender identity; national origin; citizenship or immigration status; genetic or biometric data; children's data; precise geolocation data; social security number, driver’s license or nondriver ID card number; billing, financial or payment method information, except the last four digits of a debit or credit card number; account or device log-in credentials; and a consumer's status as a crime victim.
Like most state privacy laws, the legislation would include consumer rights to: (1) confirm the controller is processing personal data; (2) access personal data; (3) correct inaccuracies; (4) delete personal data; (5) obtain copies of personal data in a portable format; (6) obtain a list of the third parties to whom personal data has been sold; and (7) opt out of personal data sale, targeted advertising and profiling.