Maine: Testimony in Support of LD 1822, the Maine Online Data Privacy Act | EPIC - Electronic Privacy Information Center
May 5, 2025

The Honorable Anne Carney, Senate Chair
The Honorable Amy Kuhn, House Chair
Maine State Legislature, Judiciary Committee

Dear Chair Carney, Chair Kuhn, and Members of the Committee:

EPIC writes in support of LD 1822, An Act to Enact the Maine Online Data Privacy Act, because it would provide critical protections Mainers need to stay safe online. We also write in opposition to LD 1224, LD 1088, and LD 1284 because they fail to accomplish that goal. The Electronic Privacy Information Center (EPIC) is a nonprofit research organization established in 1994 to secure the fundamental right to privacy in the digital age for all people. EPIC has long advocated for strong privacy laws at the state and federal levels and was heavily involved in last session's deliberations on a data privacy bill in Maine.[1]

LD 1822 builds on existing state privacy laws already enacted in nineteen states and incorporates essential provisions to provide Mainers with the protections they need to stay safe online. Key provisions of LD 1822 include:

In my testimony I will discuss why it is so critical that Maine enact a strong privacy law, the current state of state privacy laws, and a few key protections that are crucial to keep Mainers safe online. I also include an attachment with a few suggested amendments to the bill.

Advertisers and data brokers track our every move online, and our data is constantly used against us, harming our wallets, opportunities, and rights. Examples of these harms include:

Small businesses are harmed by these systems as well. As Check My Ads, an advocacy group formed by former advertising industry employees, recently wrote to Congress:

Privacy legislation that emphasizes data minimization and transparency leads to higher-quality, more relevant data. Right now, the advertising supply chain is bloated with third-party data, often inaccurate, outdated, or collected without meaningful consent. Acxiom, one of the world's largest data brokers, even admitted their consumer data is made up of informed guesses with the hope it doesn't lead to credit denial or other harm. This kind of data is not only unreliable; it wastes ad spend. Privacy-focused frameworks should encourage a shift to first-party data, information voluntarily shared by users, delivering more accurate, context-rich insights. Advertising that uses high-quality data performs better. With privacy legislation in place to curb harmful data practices and enforce consent, advertisers gain access to permissioned, engaged audiences, the kind that convert and stay loyal.[4]

These economic harms are on top of the harms to our rights. Last year, Senator Ron Wyden found that Near, a location data broker, sold location data to an anti-abortion organization, which used it to target misinformation and ads to people who visited reproductive health clinics, including in Maine.[5]

Because there is no federal comprehensive privacy law, states have been enacting laws to fill this void. Since 2018, 19 states have passed comprehensive privacy laws. EPIC and U.S. PIRG recently released a report grading these laws.[6] Nearly half failed, and none received an A. These laws do little to limit mass data collection and abuse.

Many of these state laws closely follow a model initially drafted by tech giants.[7] This draft legislation was based on a privacy bill from Washington state that was modified at the behest of Amazon, Comcast, and Microsoft.[8] An Amazon lobbyist encouraged a Virginia lawmaker to introduce a similar bill, which became law in 2021. Unfortunately, this Virginia law became the model that industry lobbyists pushed other states to adopt. In 2022, Connecticut passed a version of the Virginia law with some additional protections, which has now become the version often pushed by lobbying groups doing the bidding of Big Tech companies in select states. Privacy laws should not be written by the very companies they are meant to regulate.

Laws based on industry's model bill, which include LD 1224 and LD 1088, do not meaningfully limit what data companies can collect or what they can do with that data; they merely require that companies disclose these details in their privacy policies, which consumers rarely read. Companies should not be allowed to determine for themselves what are the permissible purposes of collecting and using consumers' personal information. Unfortunately, the limitations on data collection in LD 1224 and LD 1088 allow companies to do just that. They read:

A controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer.

This reinforces the failed status quo of "notice and choice": businesses can list any purpose they choose in their privacy policies, knowing that very few consumers will read them. In fact, it incentivizes companies to list as many purposes as possible, and as broadly as possible, to cover every conceivable reason they would ever want to collect your data. And the only choice the consumer has is to not use the service at all. The clearer limits on data collection in LD 1822 are critical because they require companies to better align their data practices with what consumers expect, allowing Mainers to use online services without being forced to sacrifice their privacy.

Data Minimization

LD 1822 relies on a concept that has long been a pillar of privacy protection: data minimization. When consumers interact with a business online, they reasonably expect that their data will be collected and used for the limited purpose necessary to provide the goods or services that they requested. For example, a consumer looking up symptoms on WebMD does not expect that what they're reading is sent in the background to Meta, Google, and over a dozen advertisers, but that's exactly what's happening right now.

To incentivize better data practices, LD 1822 sets a baseline requirement that entities only collect data that is "reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer." This standard is referred to as data minimization, and it better aligns business practices with what consumers expect.

The rule in LD 1822 is modeled on the rule in the Maryland Online Data Privacy Act, which was enacted last year. It is not as strict as the rule advanced by this Committee last session. It doesn't go as far as privacy advocates would like; we prefer that data minimization rules cover both how much data a company can collect and how they can use that data. LD 1822 takes a compromise position and applies to collection only, which mirrors the rule in Maryland's law. Data minimization offers a practical solution to a broken internet ecosystem by providing clear limits on how companies can collect and use data.

A Ban on the Sale of Sensitive Data Prevents Some of the Worst Data Harms

LD 1822 sets heightened protections for sensitive data such that its collection and use must be strictly necessary to provide the product or service the consumer is asking for. This is a critical provision that protects the data we all consider to be the most sensitive, such as our location, health, and financial data. It also bans the sale of sensitive data entirely. Both of these rules are included in the recently enacted Maryland Online Data Privacy Act.

Many an app has likely prompted you to request access to your location. Sometimes the app has a legitimate reason to access the information, like displaying your local weather. Sometimes it doesn't. In either case, the app may be selling your location data to a third party. A top Catholic Church official was forced to resign a few years ago after a Catholic media site used cellphone data to show that the priest was a regular user of the queer dating app Grindr and visited gay bars.[9]

The recent bankruptcy of genetic testing company 23andMe further highlights the need for heightened protections for sensitive data. 23andMe has genetic data on 15 million customers, so a massive amount of highly sensitive information, now 23andMe's most valuable asset, will be sold off to the highest bidder. After a federal judge gave permission for the company to sell its sensitive customer data, millions of customers have no control over who their information is sold to. While research shows that most Americans believe, incorrectly, that the personal health information they give to health apps and websites is protected by the Health Information Portability and Accountability Act (HIPAA), the law does not apply to 23andMe's handling of consumer genetic information. I suggest an amendment in the enclosure to ensure sensitive data is protected in the case of a merger or bankruptcy.

Enforcement is Critical

Robust enforcement is critical to effective privacy protection. Strong enforcement by state government via Attorney General authority is an essential component of a strong privacy law. Funds should be appropriated to ensure the Attorney General can meaningfully enforce the law, particularly in the absence of a private right of action to supplement state enforcement.

EPIC also asks you to oppose LD 1284, which would repeal Maine's ISP privacy law. We feel that the law's protections are still critical even if a comprehensive privacy law is enacted in Maine, because of the unique relationship between a consumer and their broadband service provider.

LD 1822 is not a privacy advocate's ideal bill. EPIC would prefer that the data minimization rule cover data use in addition to collection. We'd like to see a private right of action included so that individuals can enforce their rights under the law. We'd prefer that the bill cover nonprofits. But LD 1822 reflects a compromise that would provide Mainers with important privacy protections that they lack today, and it is the most consumer-friendly privacy bill before this Committee. EPIC asks that you support LD 1822 and oppose LDs 1224, 1088, and 1284. I am happy to be a resource to the Committee as it navigates this issue.

Sincerely,

/s/ Caitriona Fitzgerald
Caitriona Fitzgerald
Deputy Director, EPIC

Encl.

§9808(1)(G) refers to obtaining consent for purposes that are not disclosed in the privacy policy, which conflicts with the data minimization provision in §9808(1)(A) limiting data collection to what is "reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer." It is unclear how these two provisions would work together, but at worst it provides a loophole for companies to simply ask for consent for any data use they desire. Consent has been proven to be an ineffective way to protect privacy.

§9808(6)(C) appears to give controllers the option of providing an opt-out link or allowing consumers to opt out via a universal opt-out preference signal. This conflicts with §9607(2), which gives consumers the right to exercise their opt-out rights via a global device setting. And nearly every other state that has a universal opt-out mechanism, including CT and NH, requires both an opt-out link and the option of a universal opt-out preference signal.

EPIC asks that you change the "or" to an "and" in line 28 on page 14, which would mirror CT, NH, and most other state laws.

The recent bankruptcy of genetic testing company 23andMe revealed loopholes in many state privacy laws that fail to protect consumers from the sale of their sensitive data in the event of a merger, acquisition, or bankruptcy.[10] An exemption in the definition of "sale" that excludes the transfer of data during a bankruptcy proceeding renders consumers' right to opt out of data sales useless in terms of 23andMe's sale resulting from bankruptcy. California amended its privacy law last year to remove this exemption and clarify that consumers can opt out of the sale of their data even in the context of a bankruptcy proceeding.[11]

To provide protections for Mainers in these situations, we recommend (1) striking subsection B(6) from the definition of "sale" and (2) adding the following to the exemptions in §9613(1):

L.
Transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or similar transaction when the third party assumes control, in whole or in part, of the controller's assets, only if the controller, in a reasonable time prior to the transfer, provides an affected consumer with:

A. A notice describing the transfer, including the name of the entity receiving the consumer's personal data and the applicable privacy policies of such entity; and

B. A reasonable opportunity to:

i. withdraw previously provided consent related to the consumer's personal data; and

ii. request the deletion of the consumer's personal data.

Publicly available information is exempted from coverage of the bill, so it is critical that it is defined as narrowly as possible. LD 1822 proposes adding a provision that includes in the definition "any information about a consumer that a person obtains from a person to whom the consumer disclosed the information, unless the consumer has restricted the information to a specific audience."

This addition is a dangerous extension of the definition and a big loophole in our view: it would make a wide swath of information "publicly available" in a way that many consumers wouldn't expect it to be. And in many instances consumers might not even have the ability to restrict the audience. For example, this would mean that any time a consumer provides data to a company (e.g., signing up for an account or filling out an application) and doesn't limit the audience, it is public information and exempt from coverage under the law.

It seems more like this should instead be an exemption to the definition, i.e., "Publicly available information does not include information that the consumer has restricted to a specific audience." That would be our preference, but at minimum EPIC would ask that it be amended to match the language in last session's Committee bill, which reads:

A website or online service made available to all members of the public, either for free or for a fee, including a website or online service in which all members of the public can log on to the website or online service, either for free or for a fee, unless the individual who made the information available via the website or online service has restricted the information to a specific audience.

There is no definition of "minor" in the bill. The summary indicates that it is meant to be under 18 years of age, but there's no definition of it in the bill.