AUGUSTA, Maine — A long-debated data privacy overhaul in Maine finally took a step forward Tuesday after months of meetings, amendments and pushback from Big Tech and businesses from L.L. Bean to a small-time candlemaker.
The Judiciary Committee voted 7-1 along party lines to advance a bill from Rep. Maggie O’Neil, D-Saco, that was favored by privacy advocates and Attorney General Aaron Frey. O’Neil’s bill initially sought to give Maine stronger data privacy protections than the nation- leading regulations in California before it was narrowed to some degree by amendments.
The meetings over dueling proposals began last year and came as states have contended with an absence of a federal data privacy law. O’Neil’s plan is similar to a bill that has stalled in Congress, while states including Connecticut have passed watered-down legislation that is more friendly to the tech industry.
Democrats on the committee narrowed down O’Neil’s bill as it competed with a proposal from Assistant Senate Minority Leader Lisa Keim, R-Dixfield, that is closer to Connecticut’s law. Rep. Rachel Henderson, R-Rumford, also worked closely on Keim’s measure and was the lone vote against O’Neil’s bill on Tuesday evening, with six members absent.
While both proposals have pulled pieces from one another and mirror Connecticut in some sections following dozens of recommendations from various state and national organizations, the Democratic-backed proposal has stricter “data minimization” standards that limit what companies can collect.
A company could only process and transfer data that is “strictly necessary” to provide or maintain a service for a customer under the O’Neil-Democratic caucus version, while the Keim-Henderson version left out a sensitive data restriction but limited personal data processing to what is “adequate, relevant and reasonably necessary.”
Tech industry giants and businesses, including L.L. Bean, have not liked either proposal’s data collection limits, arguing it could hamper their services to customers and put Maine on an island for data privacy rules while altering what Mainers see online.
O’Neil’s proposal initially gave citizens the right to sue companies for violating their data privacy rights. That provision was left out of the committee’s final product, although it lets the Maine attorney general take action against violators.
The Democratic plan also does not apply to companies that process the personal data of fewer than 50,000 customers, excluding data used solely for completing payment transactions, or to companies processing data for fewer than 10,000 customers but deriving more than 20 percent of gross revenue from selling personal data.
David LeDuc, vice president of public policy at the Network Advertising Initiative, an online advertising industry trade group, said companies may “kind of geofence around the state and offer a different set of services” under the Democratic plan.
“I think Mainers want and deserve similar services and obviously similar protections, but we don’t think the two are mutually exclusive,” LeDuc said in an interview.
Tuesday’s work session was another example of the length and complexity of the discussions over the data privacy proposals, with members huddling in private caucus discussions for more than an hour before returning late in the afternoon, breaking again and then finally voting.
California passed a comprehensive consumer data privacy law in 2018, with 13 states since adopting various laws that privacy advocates said follow models initially drafted by industry giants such as Amazon.
The Judiciary Committee’s vote means O’Neil’s bill can finally go to the House and Senate for floor votes, as lawmakers seek to adjourn by mid-April.
