For an assignment at The Fletcher School in Spring 2024, I provided the following brief on Maine’s LD 1977 “An Act to Create the Data Privacy and Protection Act.” The legislation “died” in the 131st Maine Legislature.
Background
The 131st Maine Legislature, Second Regular Session, is taking testimony and comment on four distinct proposed privacy laws: LD 1705, LD 1902, LD 1973, and LD 1977. Among these four competing proposals, LD 1977 has attracted attention as the “strongest data privacy law in [the] nation” if passed (Quinlan 2024). State and national organizations, from L.L. Bean to Financial Industry Regulatory Authority (FINRA), have voiced concerns ranging from Constitutional issues to specific implementation details.
Analysis
LD 1977, submitted by State Representative Maggie O’Neil of Saco, was modeled after the failed federal 2022 American Data Privacy and Protection Act and continues the Legislature’s engagement on consumer privacy and data security over the past seven years (Quinlan 2024). O’Neil, in a 2024 ACLU of Maine press release, stated several of the objectives of the legislation: creating “guardrails for what companies can do with […] personal information” and giving Mainers “choices about how [their] personal information is collected and used.” Beyond the public messaging on LD 1977, the bill text itself reveals concerns about organizations collecting, processing, and transferring individuals’ sensitive data (§9605) and the imbalance of power between individuals and large organizations (such as high-impact social media companies).
The current legislative draft proposes to regulate companies and ensure individuals’ control over their data through three broad approaches: data minimization, affirmative consent on collection and transfer, and enforcement. The legislation defines a relatively broad category of “covered data” (covered, in this context, means within the scope of the legislation) that includes information that that uniquely identifies an individual (or could be used to identify an individual when combined with other data). Organizations above a certain size (excluding small business and government) are required to minimize collection, processing, and transfer of the covered data to what is “reasonably necessary and proportionate” (§9604) to the service being offered to the individuals. Certain covered data that is considered “sensitive” is further constrained to “strictly necessary to provide” (§9605) a service. These two sections describe the data minimization requirements, with the first sharing similar language with the California Consumer Privacy Act and the second more stringent.
The primary lever proposed to balance power between individuals and large organizations is the requirement for unambiguous affirmative consent (§9609). Individuals would retain extensive control over the processing and transfer of covered data, including protection for corrections/deletion, and be granted protection from retaliation for exercising rights under the law. Organizations must obtain affirmative consent from the individual, which can be withdrawn at any time, to process data for a different purpose, transfer data to a third party, or display targeted advertising to an individual. Control over one’s data, whether it’s sensitive or generally privacy impacting, has not been possible in this context within the United States. Section 9609 fundamentally advances the interests of the individual and codifies a stronger definition of consent.
The third leg of the legislation’s regulatory framework is enforcement. Civil actions can be brought by government officials (state Attorney General, district attorneys, or municipal counsel) or individuals. Overall, the Attorney General plays the most important role representing the interests of the citizens of Maine, including managing large data holder certifications of internal controls, registrations of data brokers, algorithm assessments, and more. The individual’s role in enforcement is not overly circumscribed, but for a small business exclusion, and individuals right to act together is protected.
While it is rare for legislation to work precisely as intended, especially once subjected to the wide variety of real-world situations and judicial scrutiny, LD 1977’s application of concepts from proposed federal legislation and informed by other state’s laws should re-balance the power dynamic between individuals and large organizations regarding the individual’s data and privacy. As the primary enforcement mechanism is the intervention of the Maine Attorney General, an organ of the state will act on behalf of individuals to restrain inadvertent or overt overreach by large organizations.
The legislation will be challenging to implement and will draw legal challenges because privacy law in the United States is caught between national level delay and state level dynamism. Privacy and speech rights are likely to clash and federal preemption may be a threat to the long term viability of the legislation in Maine.
Recommendations
There are several areas in which LD 1977 could be improved:
- Administrative rulemaking is referenced obliquely in the draft (the language “rule[s] adopted under this chapter” appears in three sections) and therefore the entity responsible for rulemaking should be named within the legislation. For example, Title 10 Maine Revised Statutes Chapter 308 §1682 definitively names the Attorney General (“The Attorney General may adopt rules necessary to implement this chapter.”).
- The Attorney General’s Office should be required to publish implementation guidance for algorithm assessments and privacy impact assessments ahead of the Section 2 deadlines.
- The Legislation should analyze whether entity level exclusion for organizations operating under federal Gramm-Leach-Bliley Act (GLBA) and HIPAA/HITECH is appropriate due to preemption concerns and avoidance of unneeded legal challenges.
- Additional attention should be given to harmonization with applicable case law and existing Maine law, specifically regarding employer access and 35-A MRSA Chapter 94 (Broadband Internet Access Service Customer Privacy). The latter, while regulating a more specific person, could overlap with the “large data holder” definition within LD 1977.
As LD 1977 progresses through the session, the prohibition on arbitration (§9620(3)) should be maintained. According to many consumer advocates, arbitration and the contracts that demand arbitration benefit companies over consumers (National Association of Consumer Advocates 2024).
References
ACLU of Maine. (2024, February 4). Many States Get Failing Grade on Data Privacy, Maine Lawmakers Could Earn an A [Press release]. https://www.aclumaine.org/en/press-releases/failing-grade-data-privacy
Me. 131st Legislature, Second Reg. Sess., L.D. 1977, “An Act to Create the Data Privacy and Protection Act” (2023). http://www.mainelegislature.org/legis/bills/display_ps.asp?ld=1977&PID=1456&snum=131
National Association of Consumer Advocates. (2024). “Arbitration.” https://www.consumeradvocates.org/for-consumers/arbitration/
Quinlan, K. (2024). “Maine could have strongest data privacy law in nation if bill passes”. StateScoop. https://statescoop.com/maine-strongest-data-privacy-law-2024/