Privacy Daily is a service of Warren Communications News.
Allows Routine Website Activity

Maine Lawmaker Clarifies When Data Collection May Be 'Reasonably Necessary'

A substantive amendment to a Maine privacy bill would color in what data is allowed to be collected under its Maryland-like data minimization requirement. House Chair Amy Kuhn (D) on Thursday released the proposed amendment to her LD-1822, which also moves back the bill’s effective date, addresses mergers and bankruptcies, and makes many wording changes. The joint Judiciary Committee plans to consider the draft amendment at a work session Friday.

Under the original bill’s data-minimization requirement, which effectively copied text from the Maryland Online Data Privacy Act, a controller must limit “the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”

The amendment would add to that sentence: “including any routine administrative, operational, website, or account-servicing activity that is consistent with the reasonable expectations of the consumer. This subparagraph does not prevent a controller from processing personal data collected in accordance with this paragraph to provide advertising to a consumer based on the consumer's activities within a controller's own websites or online applications.”

That proposed change appears to address concerns raised by Maine retailer L.L. Bean about website data, said Caitriona Fitzgerald, Electronic Privacy Information Center deputy director, in an email. “It is not as strong as EPIC would like to see [in] an ideal world (we’d prefer it covered collection and processing), but it is a step in the right direction and would protect Mainers from the overcollection of their personal data, cutting down on the risk of data breaches and data abuse.” L.L. Bean didn’t comment on the change.

While LD-1822 is one of three comprehensive privacy bills under consideration, the other two come from a Republican in the legislature’s minority (LD-1088) and a Democratic chair of a different committee on fisheries and wildlife (LD-1224).

The committee waded into differences among the three bills at a May 14 meeting (see 2505140060), with LD-1822’s stricter approach to data minimization flagged as one of its biggest distinctions. Kuhn said at a May 5 hearing that she sees her legislation as part of a second phase of privacy bills including strict data minimization that started with Maryland’s 2024 law (see 2505050025).

Under another possible change to Kuhn’s bill, the proposed Maine comprehensive privacy law would now take effect Sept. 1, 2026, two months later than originally proposed.

Also, the Maine attorney general would now have to issue reports to the legislature about enforcing the law annually on Feb. 1. Before, the bill only required one report, due Feb. 1, 2027.

Also, in many parts of the bill referencing processing of personal data, the amendment adds collection to clarify the requirement in question applies to both activities. It would tighten definitions of de-identified data and precise geolocation, with the latter now clarifying that it covers “past or present” location data.

The definition of sale would no longer include disclosure of the data as an asset as part of a merger, acquisition, bankruptcy or other transaction. Also, the amended bill wouldn’t restrict a company’s ability to transfer assets to a third party as part of a transaction, but only if the company notifies affected consumers about the deal “in a reasonable time prior to the transfer” and gives them a “reasonable opportunity” to withdraw previous consent related to their personal data and to ask that their data be deleted.

Previously, the bill’s definition of sensitive data included billing, financial or payment method information. However, the amendment would revise that category to say: “Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords.”

Also, under the amendment, publicly available information -- not considered personal data to be regulated -- would no longer include information that a business received “from a person to whom the consumer disclosed the information unless the consumer has restricted the information to a specific audience.” In addition, it doesn’t include “any information that is made available for sale” or “information that is collated and combined to create a consumer profile that is made available to a user of a publicly available Internet website or mobile application either for remuneration or free of charge,” the amendment says.

Moreover, the amendment adds an exemption from the proposed law for “data collected and used for purposes of the federal policy under the Controlled Substances Act Section on the Regulation of Listed Chemicals under 21 United States Code, Section 830.”

Kuhn’s amendment would maintain the original bill’s approach of allowing enforcement only by the AG, despite some committee members asking about adding a private right of action at last week’s meeting.