Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Maine: Bill for the Data Privacy and Protection Act introduced to House of Representatives

On May 22, 2023, Legislative Document 1977 for An Act to Create the Data Privacy and Protection Act was introduced to the Maine House of Representatives.

Scope

The bill would apply to persons that meet the following criteria for the period of the three preceding calendar years, or for the period during which the person has been in existence if the person is an entity that has been in existence for less than three years:

  • the person's average annual gross revenues during the period did not exceed $20,000,000;
  • the person, on average, did not annually collect or process the covered data of more than 75,000 individuals during the period beyond the purpose of initiating, billing for, finalizing, or otherwise collecting payment for a requested service or product, as long as all covered data for that purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity's return policy; and
  • no component of the person's revenue comes from transferring covered data during a year or part of a year, if the person is an entity that has been in existence for less than one year.

Consumer rights

The bill would entitle consumers to:

  • the right to access;
  • the right to rectification;
  • the right to erasure; and
  • the right to data portability.

Controller obligations

Lastly, the bill imposes several obligations on controllers, including the obligation to establish, implement, and maintain reasonable policies, practices, and procedures that reflect the role of the covered entity or service provider in the collection, processing, and transferring of covered data and that:

  • mitigate privacy risks;
  • implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable to covered data; and
  • make publicly available, in a clear, conspicuous, and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the data collection, processing, and transfer activities of the covered entity.

You can read the bill here and track its progress here.

Update: August 1, 2023

Bill carried over to subsequent session by House of Representatives

On July 26, 2023, the bill was carried over by the Maine House of Representatives, in the same posture, to any special or regular session of the 131st Legislature, after being referred to the Committee on Judiciary of the Maine Senate on May 25, 2023.

You can read the bill here and track its progress here.

Feedback