Maine's Privacy Trifecta: An Overview of Maine's Three Proposed Data Privacy Laws
- johnehaskell
- May 13

Maine appears poised to join the nineteen (19) states that have enacted comprehensive data privacy legislation as its legislature considers three (3) proposed data privacy laws. The laws vary and overlap in key ways, but in general HP710/LD1088 and HP799/LD1224 are more "business friendly," while HP1220/LD1822 adopts elements generally favored by privacy advocates.
Below is a broad overview of these three (3) laws, focusing on the more impactful elements of data privacy laws.
Basic Definitions
The three (3) laws generally agree on the more basic definitions, with only slight, and relatively immaterial, differences.
Consumer
All three (3) laws define "Consumer" as a "resident of Maine" not acting in a commercial or employment context.
Consent
All three (3) laws define "Consent" to mean "a clear affirmative act signifying a Consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer."
HP1220/LD1822 differs slightly, adding the phrase "for a particular purpose" at the end.
Controller
All three (3) laws define "Controller" to mean a "person that, alone or jointly with other persons, determines the purposes and means of processing personal data."
Personal Data
HP710/LD1088 and HP799/LD1224 define "Personal Data" as "information that is linked or reasonably linkable to an identified or identifiable individual."
HP1220/LD1822 broadens the scope of "Personal Data," defining it as "information that is linked or can be reasonably linked to an identified or identifiable Consumer or that is linked or reasonably can be linked to a device that is linked or reasonably can be linked to an identified or identifiable consumer."
All three (3) laws exclude de-identified and publicly available information.
Applicability
All three (3) laws would start to take effect on July 1, 2026, but the scope of application varies. In addition, two (2) of the laws have a tiered approach to applicability resulting in more entities falling under the laws' respective purview after the initial effective date.
HP710/LD1088 and HP799/LD1224
Beginning July 1, 2026 and extending through December 31, 2027, the two (2) laws would apply to:
Entities that control or process the Personal Data of not fewer than 100,000 Consumers (excluding information solely for the purpose of completing a payment transaction); and
Entities that control or process the Personal Data of not fewer than 25,000 Consumers and derive more than 25% of their gross revenue from the sale of Personal Data.
Beginning on January 1, 2028, the 100,000 threshold would lower to 50,000.
HP1220/LD1822
Beginning July 1, 2026, the law would apply to:
Entities that control or process the Personal Data of not fewer than 35,000 Consumers (excluding information solely for the purpose of completing a payment transaction); and
Entities that control or process the Personal Data of not fewer than 10,000 Consumers and derive more than 25% of their gross revenue from the sale of Personal Data.
Unlike the other two (2) proposed laws, this law does not have a tiered approach that would lower either threshold at a later date.
Key Exemptions
The three (3) laws contain very similar exemptions. Notably, each law exempts HIPAA-regulated information (but none provides an entity-level exemption) and employment data.
HP1220/LD1822 differs from both HP710/LD1088 and HP799/LD1224 in a couple of key ways. First, it contains a GLBA-related exemption, but that exemption covers only information (whereas the other two (2) laws provide for entity-level exemptions). In addition, HP1220/LD1822 contains several exemptions pertaining to entities as defined by state law. For example, the law exempts:
A health care facility, a health care practitioner or an affiliate of a health care facility or health care practitioner that qualifies both as a business associate of that health care facility or health care practitioner and provides services only to covered entities. For purposes of this paragraph, "health care facility" and "health care practitioner" have the same meaning as in Title 22, section 1711-C, subsection 1, paragraphs D and F, respectively.
Should HP1220/LD1822 pass, businesses will have to carefully parse the law's exemptions to understand their obligations under the law.
Consumer Health Data
Consumer health data has become more of a focal point for state legislatures, largely driven by concerns about health data that is not regulated by HIPAA. This is an area where the three (3) laws differ.
HP710/LD1088
The law defines Consumer Health Data as “personal data that a controller uses to identify a Consumer’s physical or mental health condition or diagnosis.”
HP1220/LD1822
This law takes a more nuanced approach, defining Consumer Health Data as "personal data that a controller uses to identify a Consumer's physical or mental health status, and includes, but is not limited to, data related to gender-affirming health care service and reproductive health care services." The nuance here is that "reproductive health care services" is defined by state law as follows (emphasis added):
[A]ll supplies, care and services of a medical, behavioral health, mental health, surgical, psychiatric, therapeutic, diagnostic, preventive, rehabilitative or supportive nature, including medication, relating to pregnancy, contraception, assisted reproduction, pregnancy loss management or the termination of a pregnancy in accordance with the applicable standard of care as defined by major medical professional organizations and agencies with expertise in the field of reproductive health care.
The highlighted language is a qualifier that will require guidance and clarification either in the drafting process or through the State Attorney General.
HP799/LD1224
This law does not define Consumer Health Data.
Sensitive Personal Data
As is standard in state data privacy laws, all three (3) laws have a sub-category of Personal Data called "Sensitive Personal Data." The definitions of Sensitive Personal Data under all three (3) laws include the standard elements, such as information revealing racial or ethnic origins, religious beliefs, sexual orientation, or citizenship and immigration status. However, because of the focus on Consumer Health Data, the discussion below delves into some of the nuances in how each law incorporates certain health information into its definition of Sensitive Personal Data.
HP710/LD1088
There is some confusion in the definition. Specifically, Sensitive Personal Data includes both Consumer Health Data as well as information "revealing . . . mental or physical health conditions or diagnoses." It's unclear whether this is a drafting error or, if not, how entities are to delineate between the two (2) sets of data.
Sensitive Personal Data processing has an opt-in requirement, and entities that have not had contact with the Consumer for twenty-four (24) months must cease processing the Consumer's Sensitive Personal Data unless they obtain a new Consent. The law does not define or indicate what "contact" with the Consumer entails.
HP1220/LD1822
The definition includes Consumer Health Data and makes no mention of other health-related information, as HP710/LD1088 does. In addition, Consent is not required, but Controllers are limited to processing Sensitive Personal Data only to "provide or maintain a specific product or service requested by the consumer."
HP799/LD1224
As the law does not define it, Consumer Health Data is not considered Sensitive Personal Data. However, Sensitive Personal Data does include "medical history" and "mental or physical health conditions or diagnoses made by a medical professional." "Medical professional" is not defined and could have a narrowing effect on the scope of the definition if the term includes only traditional (i.e., licensed by the State) providers.
Like HP710/LD1088, Controllers must obtain Consent prior to processing, but there is no requirement to obtain subsequent Consent should the Controller not be in "contact" with the Consumer for a specified period of time.
De-identified Data
All three (3) laws exempt "De-identified Data" from the definition of Personal Data, but data is only considered De-identified if Controllers take certain actions.
Specifically, all three (3) laws consider data to be de-identified if the data:
[C]annot reasonably be used to infer information about or otherwise be linked to an identified or identifiable consumer, or a device that may be linked to an identified or identifiable consumer, if the controller that possesses the data:
A. Takes reasonable measures to ensure that the de-identified data cannot be linked with a consumer;
B. Commits in a publicly available terms and conditions document or in a publicly available privacy policy to maintain and use the data in its de-identified format; and
C. Contractually obligates recipients of the data to satisfy the criteria and commitments in paragraphs A and B.
If a Controller does not meet these obligations, then the data is not considered De-identified and the obligations of the respective law will apply.
Interestingly, all three (3) laws make a specific exemption for certain information that is de-identified. Specifically, they exempt "[i]nformation derived from health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to [HIPAA]." It appears this set of data differs from what is defined as De-identified Data, and a Controller will not have any of the obligations listed under the definition of De-identified Data.
Geofencing
Each law puts restrictions on geofencing, but the scope differs.
HP710/LD1088 and HP1220/LD1822
Under both laws, geofencing is not permitted within 1,750 feet of any facility that provides in-person health care services for the purpose of identifying, tracking, collecting data from or denying any notification regarding the Consumer’s Consumer Health Data to that Consumer that enters within that virtual perimeter. However, the laws do not further restrict the use of geofencing.
HP799/LD1224
The law does not use the term "geofence" and instead uses "Precise Geolocation Data," which is defined as "information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet."
Furthermore, though the law does not prohibit geofencing or the use of Precise Geolocation Data, Precise Geolocation Data is considered Sensitive Personal Data, which requires Consent from the Consumer prior to processing.
Targeted Advertising
All three (3) laws define Targeted Advertising the same way, with minor, immaterial differences. HP1220/LD1822 defines it as:
[D]isplaying advertisements to a consumer or on a device identified by a unique identifier when the advertisement is selected based on personal data obtained or inferred from the Consumer's activities over time and across nonaffiliated websites or online applications that are unaffiliated with each other in order to predict the Consumer's preferences or interests; and
Does not include:
1. Advertisements based on the context of a consumer's current search query or visit to a website or online application;
2. Advertisements based on a consumer's activities within a controller's own websites or online applications;
3. Advertisements directed to a consumer in response to the consumer's request for information or feedback; or
4. Processing personal data solely to measure or report advertising frequency, performance or reach.
As noted elsewhere, there are certain restrictions and obligations for processing Personal Data for Targeted Advertising purposes.
Consumer Rights
The three (3) laws grant largely the same basket of Consumer rights to individuals, but there are key differences with respect to both the Controller's obligations in responding to the requests and what rights an authorized agent may exercise.
HP710/LD1088
Consumers have the rights to:
Confirm whether or not a Controller is processing the Consumer's Personal Data.
Correct inaccuracies in the consumer's personal data.
Delete personal data provided by, or obtained about, the Consumer.
Obtain a copy of the Consumer's personal data processed by the Controller.
Opt-out of:
Targeted Advertising.
The sale of personal data.
Profiling in furtherance of solely automated decisions that produce a legal or similarly significant effect on the Consumer.
An authorized agent is permitted to submit opt-out requests on behalf of the Consumer, and the Controller has an obligation to authenticate the identity of the Consumer and the agent's authority to act on the Consumer's behalf.
In addition, Controllers must respond to a Consumer rights request within forty-five (45) days of receipt of the request, and must allow Consumers to submit opt-out requests for any processing of the consumer's personal data for the purposes of Targeted Advertising or the sale of Personal Data through a universal opt-out mechanism by December 1, 2027.
HP1220/LD1822
Consumers have the right to:
Confirm whether or not a Controller is processing the Consumer's Personal Data.
Correct inaccuracies in the Consumer's Personal Data.
Delete personal data provided by, or obtained about, the Consumer.
Obtain a copy of the Consumer's Personal Data processed by the Controller.
When processing of Personal Data is done by automatic means, obtain a copy of the Consumer's Personal Data processed by the Controller in a portable and, to the extent technically feasible, readily usable format that allows the Consumer to transmit the data to another Controller easily and without hindrance.
Obtain a list of third parties to which the Controller has sold the Consumer’s data.
Opt-out of:
Targeted Advertising.
The sale of Personal Data.
Profiling in furtherance of solely automated decisions that produce a legal or similarly significant effect on the Consumer.
An authorized agent is permitted to submit opt-out requests on behalf of the Consumer, and the Controller has an obligation to authenticate the identity of the Consumer and the agent's authority to act on the consumer's behalf.
Controllers must respond to Consumer rights requests within forty-five (45) days, although Controllers have the ability to extend this period by an additional forty-five (45) days provided they inform the Consumer prior to the end of the initial forty-five (45) day period. In addition, Controllers must allow Consumers to submit opt-out requests for any processing of the Consumer's Personal Data for the purposes of Targeted Advertising or the sale of Personal Data through a universal opt-out mechanism by July 1, 2026.
HP799/LD1224
Consumers have the rights to:
Confirm whether or not a Controller is processing the Consumer's Personal Data.
Correct inaccuracies in the Consumer's Personal Data.
Delete Personal Data provided by, or obtained about, the Consumer.
Obtain a copy of the Consumer's Personal Data processed by the Controller.
Opt-out of:
Targeted Advertising.
The sale of Personal Data.
Profiling in furtherance of solely automated decisions that produce a legal or similarly significant effect on the Consumer.
An authorized agent is permitted to submit opt-out requests for targeted advertising and the sale of Personal Data on behalf of the Consumer, and the Controller has an obligation to authenticate the identity of the Consumer and the agent's authority to act on the Consumer's behalf.
In addition, Controllers must respond to a Consumer rights request within forty-five (45) days of receipt of the request, and must allow Consumers to submit opt-out requests for any processing of the Consumer's Personal Data for the purposes of targeted advertising or the sale of Personal Data through a universal opt-out mechanism by December 1, 2027.
Data Minimization
One of the more impactful differences between the laws is on the issue of data minimization.
HP710/LD1088 and HP799/LD1224
Both laws adopt a notice-and-Consent approach rather than actual data minimization. Specifically, they require Controllers to limit the collection of Personal Data to the purposes disclosed in the privacy notice.
HP1220/LD1822
Conversely, this law explicitly requires data minimization, limiting Controllers' collection of Personal Data to "what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the Consumer to whom the data pertains."
Controller Duties
All three (3) laws have similar obligations for Controllers, including:
Establish, implement, and maintain reasonable administrative, technical, and physical safeguards.
Post a privacy notice, with specific requirements for certain processing (e.g., sale of Personal Data).
Provide Consumers with an effective mechanism (although the timeframe within which a Controller must respond to the request varies: HP710/LD1088 and HP799/LD1224 require fifteen (15) days, while HP1220/LD1822 requires thirty (30) days).
A significant difference is that HP710/LD1088 requires Controllers to establish and implement a data retention schedule that includes a schedule for the deletion or de-identification of Personal Data.
Data Protection Assessments
All three (3) laws require Data Protection Assessments for certain processing activities, although there is a split around profiling.
HP710/LD1088
Data Protection Assessments are required for processing that presents a heightened risk of harm to a Consumer, which includes:
Processing Sensitive Personal Data.
Using data to conduct Targeted Advertising.
Using data to conduct profiling (defined as "any form of automated process performed on Personal Data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements").
Selling Personal Data.
There is reciprocity, meaning that a Controller can meet its obligations by performing a Data Protection Assessment to meet the requirements of another state's law provided the Data Protection Assessment performed to meet that other state's law is reasonably similar in scope and effect to the Data Protection Assessment required by HP710/LD1088.
HP1220/LD1822 and HP799/LD1224
As with the previous law, Data Protection Assessments are required for processing that presents a heightened risk of harm to a Consumer, which includes:
Processing Sensitive Personal Data.
Using data to conduct targeted advertising.
Selling Personal Data.
Using data to conduct profiling (same definition as found in HP710/LD1088) when the profiling presents a reasonably foreseeable risk of:
Unfair, abusive, or deceptive treatment of a Consumer.
Having an unlawful disparate impact on a Consumer.
Financial, physical, or reputational injury to a Consumer.
A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of a Consumer, when the intrusion would be offensive to a reasonable person.
Other substantial injury to a Consumer.
As with HP710/LD1088, there is reciprocity with the same conditions applying.
Enforcement
All three (3) laws permit enforcement by the State Attorney General, with none providing for a private right of action. A violation of any of the laws is deemed to be a violation of the State's Unfair Trade Practices law.
HP1220/LD1822 permits a cure period for violations occurring prior to April 1, 2028.