Maine Lawmakers Weighing Privacy Bill Provisions
The Maine legislature’s joint Judiciary Committee is weighing whether a state consumer privacy law should allow a private right of action, exempt small businesses or limit allowed data collection to what is “strictly necessary,” according to a livestreamed work session Monday. Comments on possible provisions for privacy legislation are due Dec. 18, when the committee is expected to have updated draft language on dueling consumer privacy bills: LD-1977, which is similar to the proposed federal American Data Privacy and Protection Act, and LD-1973, which is based on Connecticut’s privacy statute.
LD-1977 sponsor Rep. Maggie O’Neil (D) said her bill primarily differs from LD-1973, sponsored by Sen. Lisa Keim (R), in that it includes the private right of action that would allow consumer lawsuits and requires that companies minimize the data they collect. She believes the bills' common elements can be “harmonized.” Keim’s proposal also wouldn’t exempt businesses, while O’Neil’s includes a small-business exemption. “We have to pass something in this session,” said Keim, pointing to other states working on similar legislation. “We can’t leave Mainers behind.”
A privacy law that lacks a private right of action won’t deter companies from violating data privacy rules, said O’Neil, echoing comments from consumer privacy advocacy group the Electronic Privacy Information Center (EPIC). Courts historically have had difficulty determining damages for privacy violations, and allowing a private right of action with fixed damages per privacy violation would solve that issue, O’Neil said. The Office of the Maine Attorney General has endorsed the private right of action, and Chief Deputy AG Chris Taub said Monday the office lacks the staff to cope with the likely influx of complaints a privacy law would generate. Keim said companies should have a time period to correct data violations, which would likely reduce the volume of complaints, and a private right of action would hurt businesses by “making them the piggy bank” for litigious consumers. Keim also said she could support a “very, very limited” private right of action.
A Maine privacy law should apply to all businesses, regardless of size, to make sure consumer data is protected, Keim said. Consumer data privacy is “something we should all take responsibility for,” she said. Keim’s bill would also repeal the state’s existing law governing ISP data privacy and apply the new data privacy rules to those companies. “Everyone in Maine should have the same law if it is good policy,” Keim said. Representatives from Maine’s AG office said ISPs are situated differently from other companies and have a history of compliance with the existing law. O’Neil’s bill, LD-1977, would exempt smaller companies and focus on the largest users of consumer data, she said. The Retail Association of Maine told the committee it can’t support a bill without a small-business exemption. Under Keim’s bill, “your local hairstylist or your local candy shop” would have to comply with the same data rules as vast tech companies, said CEO Curtis Picard.
Representatives of the Maine Hospital Association and the Maine Association of Insurance Companies (MAIC) told the committee any bill should exempt entities that primarily deal with health data covered by the Health Insurance Portability and Accountability Act. Although Sen. Eric Brakey (R) and other lawmakers asked about simply exempting HIPAA data from the bill, the trade groups said hospitals and other entities shouldn’t get “swept up” in additional privacy laws for data that is ancillary to their business. Health industry companies have created complicated systems to comply with HIPAA requirements, said MAIC attorney Charles Soltan, of Soltan Bass. Laws requiring them to protect and sift through additional kinds of consumer information would make it “extraordinarily complex” for them to comply, Soltan said.
LD-1977’s provisions requiring companies to collect only data that is “strictly necessary” for their business needs are a way to protect consumer data without burdening consumers to opt in or out, said EPIC Deputy Director Caitriona Fitzgerald. The law would set a higher bar for more sensitive information such as social security numbers, said O’Neil. Such a provision could be a problem for retail businesses, said Picard. Sometimes stores need consumer data such as phone numbers or addresses to provide the best customer service, he said. A data minimization requirement would put Maine in step with the European Union and California, O’Neil said. “California is the fifth-largest economy in the world,” she said. "If they’re complying there, they can in Maine too.”