Maine Privacy Bill With Unique Standard for Data Minimization Advances
A Maine privacy bill with strict data minimization standards is moving to the final stages. The joint Judiciary Committee voted 7-1 Tuesday evening to say that the Democratic caucus’ LD-1977 “ought to pass,” while rejecting a Republican alternative (LD-1973). A nuanced exemption for broadband providers, currently in LD-1977, could mean that the proposed law would still apply to mobile services provided by a company that’s covered by the state’s 2019 ISP privacy law, two consumer privacy advocates said Wednesday.
Maine’s proposed minimization standard would be a “new paradigm for protecting individual privacy both in the United States or globally,” stricter than Connecticut or California state laws and the EU’s general data protection regulation, Keir Lamont, Future of Privacy Forum director-U.S. legislation, said during Tuesday's hearing. The bill would limit “processing and transferring of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains,” said a non-final draft Tuesday. For sensitive data, the standard would be “strictly” rather than “reasonably” necessary. Also, it would ban collection of biometric data without first obtaining a consumer’s consent.
The bill's language “reflects a clear break from the status quo, where businesses can collect and use any data they see fit, for any purpose, so long as they disclose it in their privacy policy somewhere,” Consumer Reports Policy Analyst Matt Schwartz said Wednesday. Essentially, it would ban “unexpected collection and use of data by default,” he said. Schwartz additionally praised the Maine bill for containing civil rights language he said is stronger than other privacy laws. Also, the bill contains expansive authorized agent rights and bans advertising targeting minors, he said. However, Schwartz is disappointed that the bill dropped a private right of action included in a prior draft (see 2312110061). The Maine AG would now exclusively enforce the bill.
Maine’s data minimization approach “would establish novel, default protections for personal information that would relieve individuals of the need to exercise their privacy rights on a case by case basis,” Lamont emailed us Wednesday. “However, there are open questions about how these new standards would interact with separate consent requirements in the bill as well as how they would be interpreted, implemented, and ultimately enforced.” Also, some industry groups have raised concerns “that a plain read of the text may foreclose uses of personal information that are consistent with their customers' reasonable expectations, like the use of data for product improvement,” he said.
It's OK for Maine to differ from other jurisdictions, said Rep. Amy Kuhn (D) at the hearing. "I'm fine leading when we're trying to protect Maine consumers." State Democrats focused “on data minimization because it's a really strong and effective way to protect Maine consumers,” she added. “The less data that is collected and maintained and stored, the less risk for the consumer." Rep. Adam Lee (D) said the data minimization language is why he prefers the bill to the Republican alternative (LD-1973). “The most safe data ... is the data that's not collected at all.” Rep. Erin Sheehan (D) said she understands that “it's very uncomfortable for industry groups to accept something that is new, but I think it's really important to protect the next generation of Mainers' data.”
The lone nay vote came from Rep. Rachel Ann Henderson, a Republican sponsor of LD-1973. Other committee Republicans were absent. The Democrats’ bill has too many exemptions, she said. Exempting all nonprofits is too broad, since “even the NFL is a nonprofit,” she noted. Sheehan said the proposed exemptions are “surgical.” But Henderson said, "Whether they're carefully crafted or not, an exemption is still an exemption."
LD-1977 would cover entities that control or process personal data of at least 50,000 consumers yearly, not counting data controlled or processed only to complete payments, or entities that control or process data of at least 10,000 customers if they derive at least 20% of gross revenue from selling the data. One exemption is for broadband providers covered by Maine’s 2019 ISP privacy law, which restored for Maine the FCC rules that Congress repealed. But rather than simply exempting all ISPs, the Tuesday draft of LD-1977 would exempt a “person or entity that is a provider of broadband Internet access service as defined in Title 35-A, Section 9301, but only to the extent that the person or entity is providing broadband Internet access service.”
The exemption seemingly would cover broadband companies only “when they are providing ISP services” covered by the 2019 law, “but not if they are providing mobile phone coverage or other services,” said Electronic Privacy Information Center Deputy Director Caitriona Fitzgerald. Likewise, Schwartz thinks the Maine lawmakers intend “to prevent giant internet providers (e.g. Comcast) that may provide services unrelated to internet (e.g. Xfinity Mobile) from getting a wholesale exemption.” USTelecom and Comcast declined to comment, while CTIA didn’t comment.