United States of America: Introduced Data Privacy and Protection Act (LD 1977) including data protection regulation

On 25 May 2023, the Data Privacy and Protection Act (LD 1977) was introduced to the Maine Legislature. The Act prohibits a covered entity from collecting, processing or transferring data unless the collection, processing or transfer is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual to whom the data pertains. Entities would also be required to make publicly available a privacy policy that provides a detailed and accurate representation of the data collection, processing and transfer activities of the entity. The Act also outlines mandatory security practices for covered entities and outlines the requirements and standards of covered data and sensitive data. Both types of data require clearly communicated consent from the user for any collection or processing. Businesses are required to provide an opt-out mechanism for consent that is as easy to communicate as providing consent. If a business engages in targeted advertising, consent is required. Targeted advertising is prohibited for minors. Individuals have the right to have access to their data, purpose descriptions, and lists of third parties that have received the data. The Act also outlines reporting requirements and management obligations of data brokers and larger data holders.