Maine Should Abandon Notice-and-Consent for Data Minimization, Says Lawmaker
Maine should follow “where the puck’s going” on comprehensive privacy laws in the states, said the legislature's joint Judiciary Committee House Chair Amy Kuhn (D) during the panel's hearing Monday. That means adopting a bill, like Kuhn’s LD-1822, based on data minimization rather than notice and consent, she said. However, two alternative Maine privacy bills would follow the approach included in state privacy laws prior to Maryland’s comprehensive law.
Also at the hearing, Maine legislators debated whether to repeal the state’s ISP privacy law while crafting a privacy law that would apply to all entities, including broadband companies. Maine enacted the ISP privacy law in 2019, countering Congress’ 2017 repeal of 2016 FCC broadband privacy rules (see 1906060050).
On Monday, Sen. Harold Stewart (R) urged support for a standalone bill (LD-1284) to repeal the 2019 law, while Rep. Rachel Henderson (R) said she was including the repeal as one part of her comprehensive privacy bill (LD-1088). Another comprehensive privacy bill (LD-1224) by Rep. Tiffany Roberts (D) doesn’t include the repeal but is otherwise similar to LD-1088.
Henderson said Maine should align with privacy laws in other New England states to make it less confusing for businesses to comply. The approach in her LD-1088 ensures a "baseline level of privacy protection" and "supports cross-border data flows." Similarly, Roberts said her mostly similar LD-1224 “gives us an interoperable path.” The digital economy "doesn't stop at the Maine border,” she said. “That's why this bill follows a widely adopted model."
Kuhn agreed that interoperability is important, but said Maine should choose "interoperability that actually is protecting consumers.” The committee chair sees her legislation as part of a second phase of privacy bills including strict data minimization that started with the 2024 Maryland Online Data Privacy Act, which takes effect this October. Kuhn’s bill copies data minimization and other elements of the Maryland law (see 2504290048). Also, the legislator noted that Vermont and Massachusetts are considering similar bills, while Connecticut is weighing legislation to update its law to include such requirements.
State laws from the first wave “essentially enshrine the status quo because they permit a company to collect, process and sell any data at all, so long as those practices are disclosed in the terms and conditions page and the consumer consents,” said Kuhn. In contrast, LD-1822 sets "actual limits on what data can be collected and what companies can do with it.”
Rep. Adam Lee (D) remarked on a shifting landscape. “I'm confused what interoperability looks like in a world where we don't have a federal law" and "when Connecticut is the model, and [yet] they're amending their legislation to look more like a data minimization law."
Maine Assistant AG Brendan O’Neil said LD-1822 would give Maine one of the strongest privacy laws in the U.S. because of its data minimization requirements. “It minimizes the consumer burden in contrast to the notice-and-consent model, which obligates consumers to continually take action to guard their own data on a site-by-site and app-by-app daily basis," O'Neil said. American Civil Liberties Union witnesses also supported LD-1822 and its data minimization approach.
None of the Maine bills included a private right of action, unlike an early 2024 version of Kuhn’s measure that let individuals sue. Instead, all the bills would vest enforcement solely with the AG office. The PRA was removed from the bill during last year’s session; Kuhn said she wanted to honor where 2024 negotiations ended.
However, the Maine AG office still supports including a PRA, said O’Neil. "We don't think that you either open the door to a flood of litigation or you have nothing. We think there's room in the middle."
ACLU still wants a PRA but will support LD-1822 regardless, said Policy Director Michael Kebede. The AG is "woefully under-resourced and so it's a real open question whether the AG will be able to enforce this privacy law,” he said. However, "AG enforcement is better than no enforcement."
ISP Privacy
Maine should treat ISPs the same as all other businesses that interact with customer data, said Stewart, the author of LD-1284. "At the end of the day, it's clear that ISPs aren't uniquely positioned to invade our privacy. In some cases, they have less access to personal data than the platforms that we actually use every day.”
"I'm not saying the ISP should not be included in privacy protections," added Stewart. "Instead, everyone, including them, should be regulated the same and have obligations to consumers.” Henderson similarly supported having the same rules for all kinds of companies.
However, when pressed by two committee members if he would support passing a repeal of the 2019 ISP privacy measure without replacing it with a comprehensive privacy law, Stewart said he considers LD-1284 “step one.” He added that consumers are already vulnerable because many incorrectly believe the ISP privacy law protects them from data mishandling by other kinds of companies.
Maine’s AG office opposes repealing the ISP privacy law, which regulates companies that interact with consumers in a “fundamentally different way” than websites and apps, said O’Neil. ISPs are like the "pipe that supplies water to your house,” he said. Consumers “can’t avoid them,” unlike other types of companies.
ISPs are utilities that are "fundamentally different from other tech-connected parts of the world,” agreed ACLU’s Kebede. In addition, the ISP law has stronger privacy protections than were proposed in the comprehensive bills, he said.
However, the cable industry supports LD-1284, said Alex Minard, NCTA lead legislative counsel. NCTA and other ISP associations unsuccessfully challenged the 2019 ISP privacy law in court. Minard said no other state followed Maine in making an ISP privacy law. “Numerous entities touch an individual's personal data when a person goes online,” he said. Having ISP-only privacy rules, or different standards for ISPs versus other companies, is confusing for consumers, he said.