Maine legislature to vote on new state data privacy bill
Maine’s State Legislature introduced a new comprehensive data privacy bill in May of last year. If passed, it is set to be the strongest data privacy law in the United States. The bill, entitled “An Act to Create the Data Privacy and Protection Act,” or DPPA, was introduced and sponsored by state representative Margaret O’Neil. Though it is unclear if the DPPA will be enacted, the possibility of its adoption represents a shift in the U.S. towards more stringent state data privacy regulations in the absence of federal regulation.
Rep. O’Neil stated that the DPPA is modeled after the federal American Data Privacy and Protection Act, which failed in Congress in 2022, and noted the legislation would provide Mainers enhanced data privacy protection and “strengthen Maine’s legal protections around personal data collected by tech companies.”
The DPPA: What Does this Mean for You?
Scope
The DPPA would apply to “covered entities,” which include persons or entities acting in a commercial context “that alone or jointly with others determines the purposes and means of collecting, processing or transferring covered data,” including a “person that controls, is controlled by or is under common control with the covered entity.” “Certain persons” qualifies as a “person that meets the following criteria:”
- Has an average annual gross revenue of $20,000,000 or less;
- Does not annually collect or process the covered data of more than 75,000 individuals during the period beyond the purpose of initiating, billing for, finalizing or otherwise collecting payment for a requested service or product; and
- Does not obtain revenue from transferring covered data during a year or part of a year if the person is an entity that has been in existence for less than one year.
This coverage provision limits the DPPA to large commercial organizations and specifically excludes governmental agencies, service providers, and noncommercial or nonprofit entities.
The DPPA also carves out specific applicability for social media companies. Specifically, a “covered high-impact social media company” is defined as a “covered entity that provides an Internet-based platform that constitutes an online product or service that is primarily used by users to access or share user-generated content and:”
- Generates $3,000,000,000 or more in annual revenue; and
- Has 300,000,000 or more monthly active users for not fewer than 3 of the preceding 12 months on the online product or service of the covered entity.
This provision would place larger social media platform providers, such as TikTok, squarely within the scope of the DPPA if they collect and process the data of Maine residents.
Consumer Impact
The DPPA would provide Mainers with several key rights found in other state-level privacy laws, including California’s CCPA and CPRA. Among these are protection from retaliation for exercising the rights guaranteed by the DPPA, and enhanced rights of access, rectification, deletion, and portability.
Corporate Impact
The DPPA would impose numerous restrictions and obligations on entities that fall within its scope. Those provisions include an all-out ban on the use of sensitive data for targeted advertising, restrictions on the transfer of sensitive data to third parties, data minimization and purpose limitation principles, record retention obligations, proscriptive privacy policy obligations, rigid consent requirements, and reporting and certification mandates. If enacted, the DPPA would also impose specific requirements on algorithm use and development.
Enforcement
The DPPA provides tough enforcement measures. Under the DPPA, the Attorney General, a district attorney, or counsel for a municipality could bring a civil enforcement action on behalf of a Maine resident to:
- Enjoin the violating act or practice;
- Enforce compliance;
- Obtain damages, civil penalties, restitution or other compensation on behalf of Maine residents; or
- Obtain reasonable attorney’s fees and other litigation costs reasonably incurred.
Unlike other state laws, the DPPA includes a private right of action for residents to bring a civil suit on their own behalf, which could result in the award of damages of not less than $5,000 per violation, punitive damages, injunctive relief, declaratory relief, and reasonable attorney’s fees and other litigation costs.
Competing Legislation
The DPPA was introduced to the state legislature in parallel with a competing privacy bill, known as the Maine Consumer Privacy Act or the MCPA. The MCPA was introduced on May 18, 2023, by state senator Lisa Keim. Unlike the DPPA, the MCPA is largely supported by the private sector, including titans like Meta and L.L. Bean, and lacks many of the deterrence and enforcement mechanisms incorporated into the DPPA.
In an interview with the ACLU Maine, Rep. O’Neil shared that “for years, Big Tech fought any laws to protect our personal information.” It’s her view that “companies have a free pass to do what they want with our data, including profiting off our most sensitive information. Mainers deserve choices about how our personal information is collected and used.”
Maine’s State Legislature is expected to vote this year on the two bills. Though it is unclear which of the two competing bills, if either, will be enacted, the push for greater protection of Mainers’ privacy, from the legislature of a historically progressive and privacy-focused state, could likely result in the adoption of the sweeping DPPA, with teeth only otherwise seen in California.
Conclusion
While the enactment of the DPPA remains uncertain, its potential adoption signals a move towards stricter state-level data privacy laws in the U.S., especially in the absence of overarching federal regulations. The DPPA was scheduled for a committee work session on February 5, 2024, and will be voted on in April 2024. Should it be adopted, the Act will take effect 180 days after the adjournment of the legislative session.
Hannah Babinski, a law clerk at McDonald Hopkins, assisted with the writing of this article.