Might the Pine Tree State in 2024 become the fourteenth state to pass a comprehensive data privacy law – and thereby further compound the problem of multiple, conflicting state statutes? It's possible. The Maine legislature's bicameral Judiciary Committee considered "An Act to Create the Data Privacy and Protection Act" (LD 1977) at a hearing two weeks ago.
LD 1977 is modeled on the American Data Privacy and Protection Act (ADPPA), a piece of federal legislation that easily cleared the House Commerce Committee back in August 2022 before losing forward momentum. That LD 1977 takes its lead from the ADPPA is somewhat ironic, as one of the primary motivating factors driving the ADPPA was the problem of a "patchwork" of state-specific laws, a problem that LD 1977 threatens to exacerbate.
To make matters worse, LD 1977 problematically diverges from the ADPPA by including an extremely broad private right of action. Specifically, Section 9620(2) states that:
A violation of this chapter or a rule adopted under this chapter with respect to the covered data of an individual constitutes an injury to that individual. The injured individual may bring a civil action against the party that commits the violation, except that an individual may not bring a civil action against a small business.
Possible remedies include actual damages or statutory damages starting at $5,000 per violation, whichever are greater; punitive damages; attorney's fees and costs; and injunctive and declaratory relief. A "small business" is a "covered entity" or "service provider" (but not a "data broker") that (1) generates less than $41 million in annual revenues, and (2) does not collect or process the personal data or more than 200,000 individuals.
Something else to consider: as I described in "Maine's ISP-Only Privacy Law Will Not Protect Consumers," an April 2020 Perspectives from FSF Scholars, Maine adopted a privacy law in June 2019 that singles out broadband Internet service providers (ISPs), requiring them – but not other participants in the broader online ecosystem, such as "edge providers" like Alphabet, Meta, and Amazon – to obtain "opt-in" consent from customers before using their personal information.
At an absolute minimum, any additional privacy legislation must acknowledge – and address – this disparate treatment of broadband ISPs.