State Law Practice Note

Maine Consumer Privacy Law

Maine has no comprehensive consumer-privacy statute — LD 1822 was placed in the Legislative Files (DEAD) on April 13, 2026 after the chambers insisted on opposing enactment positions — but it has the nation's strictest ISP privacy law (35-A M.R.S. § 9301, opt-in consent) plus a 30-day breach-notice clock under the Notice of Risk to Personal Data Act.

Editor: OpenAgreements editor
License: CC BY 4.0

Which privacy laws apply to your business in Maine?

Maine regulates privacy by sector, not across the board — there is no comprehensive consumer-privacy law. The state's headline statute is the broadband privacy law, 35-A M.R.S. § 9301, the strictest ISP privacy rule in the country: a broadband provider may not use, disclose, sell, or permit access to customer personal information without the customer's opt-in consent, but it applies only to providers serving customers that are physically located and billed for service in Maine. For every other business, the operative state statute is the Notice of Risk to Personal Data Act, Maine's breach-notification law, which reaches essentially any person or entity — including government agencies and universities — that maintains computerized personal information.

Maine came within a few votes of joining the comprehensive-statute states. LD 1822, the Maine Online Data Privacy Act, would have enacted a new 10 M.R.S. chapter 1057 — a strict data-minimization regime modeled on Maryland's law, enforced exclusively by the Attorney General — but it died between the chambers: on April 9, 2026 the House defeated the motion to recede and concur in enactment by a vote of 70 to 79 (Roll Call 800), the Senate insisted on its position on April 13, 2026, and the bill was placed in the Legislative Files, ending it for the session. It is dead, not pending. Given how close the margin was, a re-pass attempt in the next Legislature is plausible, so the comprehensive-bill question is a watch item — but as of this writing nothing is pending, and none of the duties the bill would have created are law.

The practical consequence: Maine residents have no general state-law rights to access, delete, or correct their personal data, no right to opt out of its sale by ordinary businesses, and no Maine law recognizes universal opt-out preference signals. What exists instead is a scoped framework. The broadband law governs ISPs. The breach act governs incident response for everyone. Two sectoral statutes add duties for specific industries: the Maine Insurance Data Security Act requires insurance licensees to maintain a comprehensive written information security program, and the Student Information Privacy Act bars K-12 ed-tech operators from using student data for targeted advertising, profiling, or sale without parental or eligible-student consent. The Maine Unfair Trade Practices Act supplies the general deception backstop, and the federal overlay — FTC Act § 5, GLBA for financial institutions, HIPAA for covered health entities, COPPA for child-directed services — carries the rest of a Maine-facing privacy program.

Sources for this answer

Primary law

A.1 35-A M.R.S. § 9301

Maine's broadband privacy law prohibits a provider from using, disclosing, selling, or permitting access to customer personal information except under the statute's consent and operational exceptions.

A provider may not use, disclose, sell or permit access to customer personal information

See 35-A M.R.S. § 9301(2).

Primary law

A.2 35-A M.R.S. § 9301

The broadband privacy law applies only to providers operating in Maine when serving customers physically located and billed for service in Maine — it does not reach general businesses.

The requirements of this section apply to providers operating within the State when providing broadband Internet access service to customers that are physically located and billed for service received in the State.

See 35-A M.R.S. § 9301(7).

Primary law

A.3 10 M.R.S. § 1347

The Notice of Risk to Personal Data Act defines a covered person broadly — individuals, business entities, state agencies, municipalities, school units, and universities — with no size or revenue threshold.

“Person” means an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of State Government, municipalities, school administrative units, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities.

See 10 M.R.S. § 1347(5).

Primary law

A.4 24-A M.R.S. § 2264

The Maine Insurance Data Security Act requires every insurance licensee to develop and maintain a comprehensive written information security program based on its risk assessment.

a licensee shall develop, implement and maintain a comprehensive, written information security program based on the licensee's risk assessment and containing administrative, technical and physical safeguards for the protection of nonpublic information and the licensee's information systems

See 24-A M.R.S. § 2264(1).

Primary law

A.5 20-A M.R.S. § 953

The Student Information Privacy Act prohibits K-12 ed-tech operators from using student data for targeted advertising, amassing student profiles outside K-12 school purposes, or selling student data without explicit written or electronic consent from a parent or eligible student.

An operator may not knowingly engage in any of the following activities with respect to the operator's website, service or application without explicit written or electronic consent from a student's parent or an eligible student: A. Use student data to engage in targeted advertising on the operator's website, service or application or targeted advertising on any other website, service or application when the targeting of the advertising is based upon any student data and state-assigned student identifiers or other persistent unique identifiers that the operator has acquired because of the use of the operator's website, service or application; ... B. Use student data, including state-assigned student identifiers or other persistent unique identifiers, created or gathered by the operator to amass a profile of a student except for kindergarten to grade 12 school purposes. For purposes of this paragraph, "amass a profile" does not include collection and retention of account information that remains under the control of a student, parent or school administrative unit; ... C. Sell student data.

See 20-A M.R.S. § 953(1)(A)-(C).

Does Maine's broadband privacy law require opt-in consent?

Yes — if you are a broadband provider serving Maine customers. Since July 1, 2020, a provider may use, disclose, sell, or permit access to a customer's personal information only if the customer gives express, affirmative consent, which the customer may revoke at any time. The statute also bans pay-for-privacy: a provider may not refuse to serve a customer who withholds consent, and may not charge a penalty or offer a discount based on the consent decision. This opt-in default is unusually strict for broadband privacy, and the FCC rules Congress repealed in 2017 were the model this statute revived at the state level.

The scope is precise and narrow. The law covers broadband Internet access service — mass-market retail Internet service — and the duty runs only to providers operating in Maine when serving customers physically located and billed in the state. It does not apply to websites, apps, advertisers, or any ordinary business. Customer personal information is defined expansively: identifying information such as name, billing information, and Social Security number, plus usage data including web browsing history, application usage history, precise geolocation, financial and health information, device identifiers, and the content of communications.

Three softer edges sit alongside the opt-in core. First, information that is not customer personal information runs on opt-out — a provider may use it unless the customer gives written notice withholding permission. Second, the statute carves out operational uses: a provider may collect, retain, use, disclose, sell and permit access to customer personal information without customer approval for purposes such as providing the service itself, marketing the provider's own communications-related services, billing and collection, complying with court orders, fraud protection, and emergency-services geolocation. Third, providers owe a freestanding security duty — reasonable measures to protect customer personal information from unauthorized use, disclosure, or access, scaled to the provider's size, activities, and data sensitivity.

How the law is enforced is a genuine open question. Section 9301 prescribes duties but states no penalty, no express enforcement mechanism, and no private right of action, and no Maine enforcement action or merits decision applying it to a provider appears in the public record. Plausible routes — an Unfair Trade Practices Act theory, Public Utilities Commission authority, or an implied action — remain untested. A federal First Amendment challenge by national ISP trade associations (ACA Connects v. Frey, D. Me.) would have tested the statute's validity; after the district court denied plaintiffs' motion for judgment on the pleadings, plaintiffs voluntarily dismissed the case on September 2, 2022 before final merits judgment. The statute remains intact and unenjoined, but its constitutionality was never finally adjudicated, and its enforcement machinery has never been exercised.

Sources for this answer

Primary law

B.2 35-A M.R.S. § 9301

A provider may not penalize or discount based on the customer's consent decision — Maine's ban on pay-for-privacy ISP pricing.

Charge a customer a penalty or offer a customer a discount based on the customer's decision to provide or not provide consent under paragraph A

See 35-A M.R.S. § 9301(3)(B)(2).

Primary law

B.3 35-A M.R.S. § 9301

Information that is not customer personal information runs on an opt-out basis: the provider may use it unless the customer gives written notice withholding permission.

A provider may use, disclose, sell or permit access to information the provider collects pertaining to a customer that is not customer personal information, except upon written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell or permit access to that information.

See 35-A M.R.S. § 9301(3)(C).

Primary law

B.4 35-A M.R.S. § 9301

The statute permits use of customer personal information without consent for listed operational purposes — providing the service, the provider's own communications marketing, billing, court orders, fraud protection, and emergency geolocation.

a provider may collect, retain, use, disclose, sell and permit access to customer personal information without customer approval

See 35-A M.R.S. § 9301(4).

Primary law

B.5 35-A M.R.S. § 9301

Providers owe a freestanding duty to take reasonable measures to protect customer personal information, scaled to the provider's activities, data sensitivity, size, and technical feasibility.

A provider shall take reasonable measures to protect customer personal information from unauthorized use, disclosure or access.

See 35-A M.R.S. § 9301(5).

Does Maine require your business to post a privacy policy?

For most businesses, no — no Maine statute of general application requires a consumer privacy policy or fixes its contents. The one Maine-specific posting duty falls on broadband providers, which must give every customer a clear, conspicuous, and nondeceptive notice — at the point of sale and on the provider's public website — of the provider's obligations and the customer's rights under the opt-in law. For everyone else, FTC Act § 5 supplies the general federal unfair-or-deceptive-practices hook, so whatever you publish has to match what you do.

The contents of a Maine-facing privacy policy are therefore overlay-driven. A financial institution may not share nonpublic personal information with nonaffiliated third parties without first delivering the GLBA privacy notice. A HIPAA covered entity must give individuals a notice of privacy practices describing the uses and disclosures of their protected health information, their rights, and the entity's duties. A service directed to children under 13 owes COPPA's online notice and verifiable parental consent. Outside those verticals, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct. Maine's Unfair Trade Practices Act tracks FTC Act § 5 by design, so a deceptive policy is exposed under state law on the same theory. Had LD 1822 passed, Maine would have imposed a statutory notice with fixed contents on covered businesses; with the bill dead, no such state checklist exists.

Sources for this answer

Primary law

C.1 35-A M.R.S. § 9301

A broadband provider must give each customer clear, conspicuous, nondeceptive notice of its obligations and the customer's rights under the opt-in law, at the point of sale and on its public website.

A provider shall provide to each of the provider's customers a clear, conspicuous and nondeceptive notice at the point of sale and on the provider's publicly accessible website of the provider's obligations and a customer's rights under this section.

See 35-A M.R.S. § 9301(6).

Primary law

C.2 FTC Act § 5

Section 5 of the FTC Act supplies the general federal unfair-or-deceptive-practices hook by declaring unfair or deceptive acts or practices in or affecting commerce unlawful.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

C.3 GLBA Privacy Notice

The GLBA bars a financial institution from disclosing nonpublic personal information to nonaffiliated third parties unless it has delivered the required privacy notice to the consumer.

a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title

See 15 U.S.C. § 6802(a).

Primary law

C.4 HIPAA Notice of Privacy Practices

A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520.

What must your contracts with vendors say under Maine law?

There is no Maine omnibus data-processing-agreement requirement — no statute of general application prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs. The vendor duties that do exist are sectoral. An insurance licensee must require each third-party service provider to implement appropriate administrative, technical, and physical safeguards for the nonpublic information the provider holds. No later than January 1, 2027, an insurance licensee must also require third-party service providers to notify it of certain materially harmful cybersecurity events affecting nonpublic information obtained from the licensee. A K-12 ed-tech operator disclosing student data to a service provider must contractually prohibit the provider from using the data for any purpose other than the contracted service.

The federal overlay supplies the rest. The GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement and maintain appropriate safeguards; HIPAA requires a written business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor flow-down terms before protected health information is shared. Outside those regimes, carrying the same protections forward — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion at the end of the engagement — is best practice rather than a Maine mandate.

One Maine statute does reach every vendor relationship at the moment of failure: under the breach act, a third party that maintains computerized personal information on another person's behalf must notify that person immediately after discovering a breach in which the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Writing that statutory duty into the contract — with a defined notice window and cooperation obligations — converts a bare legal floor into an enforceable workflow, and it matters because the notification clocks discussed in the next section start running against the data owner.

Sources for this answer

Primary law

D.1 24-A M.R.S. § 2264

The Insurance Data Security Act requires licensees to make each third-party service provider implement appropriate administrative, technical, and physical safeguards for the information systems and nonpublic information the provider holds.

Require each 3rd-party service provider to implement appropriate administrative, technical and physical safeguards to protect and secure the information systems and nonpublic information that are accessible to or held by the 3rd-party service provider

See 24-A M.R.S. § 2264(6)(B).

Primary law

D.2 24-A M.R.S. § 2264

No later than January 1, 2027, an insurance licensee must require third-party service providers to notify it of materially harmful cybersecurity events affecting nonpublic information obtained from the licensee.

No later than January 1, 2027, require each 3rd-party service provider to notify the licensee when the 3rd-party service provider becomes aware of any cybersecurity event affecting nonpublic information obtained from the licensee that has occurred in an information system maintained by the 3rd-party service provider or by an ancillary service provider if the cybersecurity event has a reasonable likelihood of materially harming any consumer or any material part of the normal operations of the licensee.

See 24-A M.R.S. § 2264(6)(C).

Primary law

D.3 20-A M.R.S. § 953

A K-12 ed-tech operator may disclose student data to a service provider only under a contract that bars the provider from using the data for any purpose other than the contracted service.

Prohibits the service provider from using any student data for any purpose other than providing the contracted service to, or on behalf of, the operator

See 20-A M.R.S. § 953(1)(D)(6)(a).

Primary law

D.4 GLBA Safeguards Rule

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

See 16 C.F.R. § 314.4(f).

Primary law

D.5 HIPAA Business Associate Contracts

HIPAA requires a written business-associate contract that establishes the permitted uses and disclosures of protected health information and binds the business associate to safeguard it.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information

See 45 C.F.R. § 164.504(e)(2).

Primary law

D.6 10 M.R.S. § 1348

A third party that maintains computerized personal information on another person's behalf must notify that person immediately after discovering a breach in which the data was, or is reasonably believed to have been, acquired by an unauthorized person.

A 3rd-party entity that maintains, on behalf of a person, computerized data that includes personal information that the 3rd-party entity does not own shall notify the person maintaining personal information of a breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

See 10 M.R.S. § 1348(2).

When must you notify people of a data breach in Maine?

Within 30 days of becoming aware of the breach and identifying its scope, if notice is required at all. The trigger is two-tiered. An ordinary business must investigate promptly and notify affected Maine residents if misuse of their personal information has occurred or is reasonably possible. An information broker — a business that compiles personal information about individuals to furnish to third parties — faces a stricter, acquisition-based trigger: it must notify residents whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person, with no misuse-likelihood screen. Whenever resident notice is required, you must also notify the appropriate state regulator — the Department of Professional and Financial Regulation for entities it licenses, otherwise the Attorney General.

The Notice of Risk to Personal Data Act defines a security breach as the unauthorized acquisition, release, or use of computerized data containing personal information that compromises its security, confidentiality, or integrity, with a good-faith-employee carve-out. Personal information is the familiar name-plus-data-element formula — name combined with an unencrypted or unredacted Social Security number, driver's license or state ID number, account or card number usable without additional credentials, or passwords and access codes — plus a catchall for data elements that alone would let someone assume the resident's identity. Encryption and redaction take data outside the definition, which makes them the practical safe harbor.

Two more clocks sit alongside the resident notice. If a single breach requires notifying more than 1,000 persons at once, you must also tell the nationwide consumer reporting agencies without unreasonable delay. And if you are an insurance licensee, the Maine Insurance Data Security Act — in force since January 1, 2022 — adds a much faster regulator clock: notice to the Bureau of Insurance superintendent as promptly as possible and no later than 3 business days after determining a cybersecurity event occurred, where Maine is the carrier's domicile or producer's home state, or where the event involves 250 or more Maine consumers and either is otherwise reportable to a government, self-regulatory, or supervisory body or is reasonably likely to materially harm a Maine consumer or a material part of operations. Notification may be delayed for law enforcement, but once an investigation no longer requires delay, the statute allows no more than 7 business days after law enforcement clears it. A person that complies with at-least-as-protective federal or state notification procedures is deemed compliant with the Maine resident-notice section, which may be relevant for entities subject to those federal or state procedures.

Sources for this answer

Primary law

E.1 10 M.R.S. § 1348

Absent a law-enforcement delay, breach notices must go out no more than 30 days after the covered person becomes aware of the breach and identifies its scope.

If there is no delay of notification due to law enforcement investigation pursuant to subsection 3, the notices must be made no more than 30 days after the person identified in paragraph A or B becomes aware of a breach of security and identifies its scope.

See 10 M.R.S. § 1348(1).

Primary law

E.2 10 M.R.S. § 1348

An ordinary business must investigate promptly and notify Maine residents if misuse of their personal information has occurred or is reasonably possible — a misuse-likelihood trigger.

If any other person who maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the person shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.

See 10 M.R.S. § 1348(1)(B).

Primary law

E.3 10 M.R.S. § 1348

An information broker faces a stricter acquisition-based trigger: it must notify residents whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.

If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.

See 10 M.R.S. § 1348(1)(A).

Primary law

E.4 10 M.R.S. § 1348

Whenever resident notice is required, the person must also notify the appropriate regulators within the Department of Professional and Financial Regulation or, if not regulated by the department, the Attorney General.

When notice of a breach of the security of the system is required under subsection 1, the person shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General.

See 10 M.R.S. § 1348(5).

Primary law

E.5 10 M.R.S. § 1347

A security breach is the unauthorized acquisition, release, or use of computerized personal information that compromises its security, confidentiality, or integrity — with a good-faith employee-access carve-out.

“Breach of the security of the system” or “security breach” means unauthorized acquisition, release or use of an individual's computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person.

See 10 M.R.S. § 1347(1).

Primary law

E.6 10 M.R.S. § 1347

Personal information under the breach act means a first name or initial and last name combined with listed data elements only when either the name or data elements are not encrypted or redacted, plus standalone identity-assumption data elements.

"Personal information" means an individual's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: A. Social security number; ... B. Driver's license number or state identification card number; ... C. Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords; ... D. Account passwords or personal identification numbers or other access codes; or ... E. Any of the data elements contained in paragraphs A to D when not in connection with the individual's first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.

See 10 M.R.S. § 1347(6).

Primary law

E.7 10 M.R.S. § 1348

A breach requiring notice to more than 1,000 persons at a single time also requires notice to the nationwide consumer reporting agencies without unreasonable delay.

If a person discovers a breach of the security of the system that requires notification to more than 1,000 persons at a single time, the person shall also notify, without unreasonable delay, consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 United States Code, Section 1681a(p).

See 10 M.R.S. § 1348(4).

Primary law

E.8 24-A M.R.S. § 2266

An insurance licensee must notify the superintendent of a cybersecurity event as promptly as possible and no later than 3 business days after determining the event occurred if Maine is the carrier's domicile or producer's home state, or if the event involves 250 or more Maine consumers and is otherwise reportable or reasonably likely to materially harm a Maine consumer or a material part of operations.

Notwithstanding Title 10, chapter 210‑B, a licensee shall notify the superintendent as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event has occurred if: A. This State is the licensee's state of domicile, in the case of an insurance carrier, or this State is the licensee's home state, as that term is defined in section 1420‑A, subsection 2, in the case of an insurance producer; or ... B. The licensee reasonably believes that the nonpublic information involved concerns 250 or more consumers residing in this State and that the cybersecurity event is either of the following ... (1) A cybersecurity event affecting the licensee of which notice is required to be provided to any government body, self-regulatory organization or other supervisory body pursuant to any state or federal law; or (2) A cybersecurity event that has a reasonable likelihood of materially harming: (a) Any consumer residing in this State; or (b) Any material part of the normal operation of the licensee.

See 24-A M.R.S. § 2266(1).

Primary law

E.9 10 M.R.S. § 1349

A person that complies with at-least-as-protective federal or state security-breach notification procedures is deemed compliant with Maine's resident-notice requirements.

A person that complies with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to federal law or the law of this State is deemed to be in compliance with the requirements of section 1348 as long as the law, rules, regulations or guidelines provide for notification procedures at least as protective as the notification requirements of section 1348.

See 10 M.R.S. § 1349(4).

Can a consumer sue your business in Maine over privacy?

Not under the breach act, and not expressly under the broadband privacy law. The Notice of Risk to Personal Data Act is enforced publicly: the Department of Professional and Financial Regulation enforces it against the entities it licenses, and the Attorney General enforces it against everyone else. A violation is a civil violation punishable by a fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation, plus equitable relief and injunctions. The route a Maine consumer does have is the Unfair Trade Practices Act: a person who buys goods or services for personal, family, or household purposes and suffers a loss of money or property from an unfair or deceptive practice may sue for actual damages, restitution, and equitable relief.

The UTPA's private remedy is real but restitution-oriented and narrower than the data-rights actions in comprehensive-statute states. Standing is limited to consumer purchasers; the plaintiff must show a loss of money or property — a contested hurdle in pure data-exposure cases where no fraud or out-of-pocket loss has occurred; and at least 30 days before filing a damages action, the claimant must mail or deliver a written demand for relief describing the practice and the injuries. The statute's draw for plaintiffs is mandatory fee-shifting: a petitioner who establishes a violation recovers reasonable attorney's fees and costs irrespective of the amount in controversy.

Public enforcement carries the heavier artillery. The substantive prohibition is broad — unfair methods of competition and unfair or deceptive acts or practices in trade or commerce are unlawful and construed in line with FTC interpretations — and the Attorney General can seek injunctions and restitution, plus a civil penalty of up to $10,000 for each intentional violation. How any of this maps onto the broadband privacy law remains the open question flagged above: § 9301 prescribes duties without its own penalty or enforcement provision, so whether a violation would be pursued as an unfair trade practice, through utility regulation, or otherwise is untested. A business subject to it should assume the AG would find a route rather than treat the silence as a free pass — but a consumer plaintiff invoking § 9301 directly would be in uncharted territory.

Sources for this answer

Primary law

F.1 10 M.R.S. § 1349

The breach act is publicly enforced: Department of Professional and Financial Regulation regulators enforce it against their licensees, and the Attorney General enforces it against all other persons.

The appropriate state regulators within the Department of Professional and Financial Regulation shall enforce this chapter for any person that is licensed or regulated by those regulators. The Attorney General shall enforce this chapter for all other persons.

See 10 M.R.S. § 1349(1).

Primary law

F.2 10 M.R.S. § 1349

A breach-act violation is a civil violation carrying fines of up to $500 per violation, capped at $2,500 per day, alongside equitable relief and injunctions.

A person that violates this chapter commits a civil violation and is subject to one or more of the following: A. A fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation of this chapter, except that this paragraph does not apply to State Government, municipalities, school administrative units, the University of Maine System, the Maine Community College System or Maine Maritime Academy; ... B. Equitable relief; or ... C. Enjoinment from further violations of this chapter.

See 10 M.R.S. § 1349(2).

Primary law

F.3 5 M.R.S. § 213

The UTPA gives a consumer purchaser who suffers a loss of money or property from an unlawful practice a private action for actual damages, restitution, and equitable relief.

Any person who purchases or leases goods, services or property, real or personal, primarily for personal, family or household purposes and thereby suffers any loss of money or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by section 207 or by any rule or regulation issued under section 207, subsection 2 may bring an action either in the Superior Court or District Court for actual damages, restitution and for such other equitable relief, including an injunction, as the court determines to be necessary and proper.

See 5 M.R.S. § 213(1).

Primary law

F.4 5 M.R.S. § 213

A UTPA damages action requires a written pre-suit demand for relief mailed or delivered to the respondent at least 30 days before filing.

At least 30 days prior to the filing of an action for damages, a written demand for relief, identifying the claimant and reasonably describing the unfair and deceptive act or practice relied upon and the injuries suffered, must be mailed or delivered to any prospective respondent at the respondent's last known address.

See 5 M.R.S. § 213(1-A).

Primary law

F.5 5 M.R.S. § 213

A petitioner who establishes a UTPA violation is awarded reasonable attorney's fees and costs irrespective of the amount in controversy.

If the court finds, in any action commenced under this section that there has been a violation of section 207, the petitioner shall, in addition to other relief provided for by this section and irrespective of the amount in controversy, be awarded reasonable attorney's fees and costs incurred in connection with said action.

See 5 M.R.S. § 213(2).

Primary law

F.6 5 M.R.S. § 207

The Maine UTPA declares unfair methods of competition and unfair or deceptive acts or practices in trade or commerce unlawful, construed in line with FTC Act interpretations.

Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful ... It is the intent of the Legislature that in construing this section the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to Section 45(a)(1) of the Federal Trade Commission Act (15 United States Code 45(a)(1)), as from time to time amended.

See 5 M.R.S. § 207, § 207(1).

Primary law

F.7 5 M.R.S. § 209

The Attorney General may bring a UTPA action to restrain unlawful practices by temporary or permanent injunction and seek restoration of money or property acquired through the unlawful practice.

Whenever the Attorney General has reason to believe that a person is using or is about to use any method, act or practice declared by section 207 to be unlawful, and that proceedings would be in the public interest, the Attorney General may bring an action in the name of the State against the person to restrain by temporary or permanent injunction the use of the method, act or practice and the court may make such other orders or judgments as may be necessary to restore to any person who has suffered any ascertainable loss by reason of the use or employment of the unlawful method, act or practice, any moneys or property, real or personal, that may have been acquired by means of the method, act or practice.

See 5 M.R.S. § 209.

Primary law

F.8 5 M.R.S. § 209

The Attorney General may recover a civil penalty of up to $10,000 for each intentional violation of the UTPA shown to be unfair or deceptive.

Each intentional violation of section 207 in which the Attorney General establishes that the conduct giving rise to the violation is either unfair or deceptive is a violation for which a civil penalty of not more than $10,000 shall be adjudged.

See 5 M.R.S. § 209.