Legislature rejects paths to a comprehensive data privacy law in Maine

Fourteen states have passed comprehensive laws to regulate privacy online in recent years. (Getty Images)

Maine will not be enacting a comprehensive data privacy law for the foreseeable future after the Legislature killed two competing proposals on the last day of session that lawmakers had spent 12 public meetings and countless hours behind-the-scenes throughout the past year trying to get over the finish line. 

One of the proposals, from Rep. Maggie O’Neil (D-Saco), would have made Maine’s regulations on companies that collect consumer information online among the strictest in the country. This version was favored by privacy advocates, Maine’s attorney general and the majority of the Legislature’s Judiciary Committee. 

The other plan, from Sen. Lisa Keim (R-Oxford), was backed by businesses and technology companies and followed a template that has been increasingly adopted by other states in recent years.

The House and Senate both voted against Keim’s proposal on their first pass, meanwhile the House approved O’Neil’s version but the Senate disagreed, bouncing it back and forth again before ultimately dying after neither chamber would alter its stance. 

“Mainers will be left without protections,” O’Neil told Maine Morning Star on Wednesday night. “That’s disappointing because Mainers deserve these and we should have had them a long time ago.”

Keim’s reaction was similarly dismayed. “We’ve totally let the people of Maine down,” Keim told Maine Morning Star.

O’Neil and Keim both said their intention had been to reach agreement on one proposal to bring before the full Legislature, however the fundamental differences between the frameworks of the two bills could not be reconciled. 

Keim’s bill took an approach the average consumer is likely more familiar with, privacy policies. These are the long pop-up texts that consumers have to agree to, though don’t often fully read, when accessing a website that details how a company is going to use consumer data. 

O’Neil’s bill instead took a data minimization approach, meaning it would’ve only allowed for companies to collect data that is specifically tied to the product or service the consumer requested. While this would have made Maine’s law distinct from most, a privacy bill with a similar framework passed the Maryland General Assembly and is awaiting governor approval. 

There is a patchwork of state laws and parts of federal legislation governing the current landscape, as there remains no one federal law regulating internet privacy, despite several proposals. 

However, on the same day the Maine Legislature rejected its two options for a comprehensive data privacy law, U.S. Congress was eyeing a national privacy standard for data harvested by big tech companies. U.S. House members met Wednesday to discuss a series of data privacy bills that are drawing rare bipartisan and bicameral support, including the bipartisan discussion draft of the American Privacy Rights Act, which uses the data minimization approach.

Democrats and Republicans in Maine, however, are not yet at a point where agreement can be reached on a path forward for a state data privacy law, despite some votes across party lines on both O’Neil’s and Keim’s bills and the two versions falling more in line than when first introduced. 

Objections during floor speeches centered around how each proposal would’ve provided exemptions to the law. O’Neils bill has more data minimization and, as a result, offers more exemptions. Meanwhile, Keim’s does not have as much minimization, leading to fewer exemptions. 

Exemptions are offered in both versions but O’Neil’s provides more entity-level exemptions, meaning an exemption of an entire company from the law if its data collection is already regulated by federal laws. When it comes to exemptions, O’Neil’s more closely aligns with Connecticut law — though since enactment, Connecticut’s Attorney General suggested scaling back its entity-level exemptions.

Keim criticized the nonprofit exemptions in O’Neil’s version, noting that the research nonprofit Electronic Privacy Information Center (EPIC) worked with O’Neil to fine tune her version. On the Senate floor Wednesday, Keim said of O’Neil’s bill, “It builds a wall, right, and in some ways it’s a good wall. But then, by exempting nonprofits, they’ve blown a hole right through the wall.”

At the same time, O’Neil pointed to big tech influences in the drafting of Keim’s bill, including a representative of Meta who’d emailed O’Neil in January 2023 to inform her he was working with Keim on a data privacy bill. 

While O’Neil said she had been opposed to many of the exemptions that ultimately ended up in her bill, “there’s no point in having a weak bill that covers everyone.” 

In both chambers, lawmakers also disagreed on which version provided more protections for children, the privacy of which is also a key focus in discussions of potential federal legislation.

Those supportive of Keim’s version argued the entity exemptions posed risks for children. Those supportive of O’Neil’s pointed to the differences in the bill’s explicit provisions about children.  When a child reaches 13 but is under 18 years old, O’Neil’s bill would have allowed consumers to consent to the sale of their data but never to targeted ads for as long as they’re a minor. In Keim’s bill, the cutoff for prohibiting targeted ads is 15 years old, which mirrors Connecticut law.  

“Maine has led before,” O’Neil said on the House floor during consideration of her bill on Tuesday night.

While Maine does not have a comprehensive data privacy law, it was the first state to restrict how internet service providers can use, disclose and sell customer data in 2019 and enacted the country’s strongest statewide facial recognition law in 2021. 

“The sky didn’t fall then and it won’t fall now,” O’Neil added. 

Rep. Rachel Henderson (R-Rumford), who worked with Keim on her proposal, said she agreed that the sky isn’t going to fall, “but our economic growth will, our business value in the state of Maine will,” she said in response. 

Critics of O’Neil’s stricter framework argued it would limit targeted advertising, meanwhile proponents said it would ensure that companies are not collecting more information than they need. Business interests also argued in favor of consistency with other states, which was a reason they supported Keim’s bill, whereas consumer advocates maintained that greater protections should not be sacrificed for consistency’s sake.

While agreement could not be reached this session, both bill sponsors hope this is not the end for data privacy in Maine. Both O’Neil and Keim are termed out after this session but they expect others who have engaged in the extensive consideration of their bills to continue the work.

“The Judiciary Committee and the team of people that did this work really dug into it and put a lot of work into it this session,” O’Neil said, “and I think we can expect that folks will continue to work on it going forward.”

The post Legislature rejects paths to a comprehensive data privacy law in Maine appeared first on Maine Morning Star.