Data Privacy Detective Podcast Episode 43 - What You Need to Know about Maine’s New Privacy Law

August 28, 2019
Data Privacy Detective Podcast

Sometimes it seems the United States is more a loose federation than a national government. States have a major role in law-making. Data privacy is no exception. A recent law adopted by the State of Maine differs greatly from the California act that will come into force on January 1, 2020. Maine’s law will be effective on July 1, 2020. This podcast hits the highlights of it.

Melissa Kern, Co-Chair of Frost Brown Todd LLC’s Privacy and Data Security Team, explains that the Maine law applies to broadband internet access services – the folks who bring us access to the internet – not website hosts, not everyone holding personal data – but providers like AT&T and Spectrum as well as regional internet access providers. If a provider has even one customer in Maine that is billed for service there, the Maine law applies. There’s no safe harbor threshold.

With certain exceptions, the Maine law requires express “opt-in” consent before customer personal information can be used or shared. This is unlike the California Consumer Privacy Act (CCPA), which goes into effect January 1 and requires most users to “opt out” if they do not want to have their personal information sold.

 “Customer personal information” means:

 In addition to obtaining express consent, providers must:

Providers cannot refuse to serve customers who do not provide consent, charge a customer a penalty for not providing consent, or offer a discount for providing consent.

Exceptions? Yes, providers can collect, retain, use, disclose, sell and permit access to customer personal information without express approval:

Oddly – and sure to be clarified through future court cases – Maine’s statute is silent about who can enforce it and how. There are no prescribed penalties or fines for non-compliance. It’s silent about whether there’s a private right of action by individuals.

It’s quite different from the new California law that is gathering substantial attention. Maine’s law is more restrictive than the California Consumer Privacy Act (CCPA) by requiring “opt-in.” But, unlike CCPA, Maine’s law only applies to internet service providers and does not explicitly provide a private right of action. Unlike CCPA, Maine’s statute expressly imposes security requirements on impacted providers, though what does “reasonable” mean? It’s probably a recognition that decent protection today will be unreasonably lax in the future as quantum computing and other tools give hackers better and better ways to steal personal information. But vague standards like “reasonable” will also lead to litigation when standards are foggy.

Podcast 43 explores Maine’s different state approach to privacy protection. And it makes one wonder: how can a business keep up to date on the checkerboard of differing state laws that affect the digital age? With enough complexity from differing state approaches, when will the U.S. Congress act to create nationally binding, preemptive rules that enable interstate and global commerce while providing adequate personal data protection for all U.S. persons? Can we unite around a common code for personal data protection that gives clear guidance and protection on a national basis?

If you have ideas for more interviews or stories, please email