Updated: May 1, 2023

How Maine small businesses can navigate state privacy laws  

Online life has blurred many boundaries, making it just as easy for a San Franciscan to buy Maine blueberry jam as it is for a Portlander. Legal boundaries are also blurring, particularly when it comes to privacy.

Six states have recently enacted comprehensive privacy and security laws designed to protect the personal information of their residents from the activities of businesses throughout the country.

Stacy Stitham, Brann & Isaacson

California, Virginia, Colorado, Connecticut, Utah and Iowa all have laws that are either in effect or will take effect in the next two years. In the view of regulators in these states, any Maine-based business that collects and uses the personal information of a sufficient number of their residents is bound to comply with their laws. And in the event of a data breach affecting California residents, a Maine business of sufficient size might even be subject to a private class action suit. Here’s what you need to know about these new privacy laws, and how they might affect your business. 

Are you covered? If your business has personal information about more than 100,000 residents of any of these six states, you will likely be deemed subject to that state’s law. These residents needn’t be customers. Because “personal information” can include IP addresses, a company using Google Analytics could meet this threshold even if the business doesn’t know the names and mailing addresses of each visitor.  

What “personal information” is protected? The statutes generally protect information that relates to, describes, or could reasonably be associated with an individual or household. Several states have a more elevated level of protection for “sensitive personal information,” which includes information such as identifiers (e.g., driver’s license or social security number), racial or ethnic origin, religious affiliation, and genetic or biometric data.

David Swetnam-Burland, Brann & Isaacson

What rights do consumers have? Consumers generally have a right to know what personal information a business has; a right to delete it (subject to exemptions for information needed to serve them); and a right to opt out of sale, sharing, or use of that data in certain circumstances (often related to targeted advertising). Some states add a right to correct errors. 

What must regulated businesses do? Covered businesses must provide adequate notice of what personal information they collect about consumers in an online privacy policy. They must honor verified consumer requests in a timely fashion. And they must make sure that any third-party agents comply with the same requirements, both as a matter of contract and statutory obligation. Businesses need to provide mechanisms for opting out of (or into) targeted online marketing activities. 

The proliferation of cookie pop-ups — text boxes that appear on the screen when you visit a website advising you that the website uses cookies and asking you to accept or manage your preferences — is a direct response to these requirements. Finally, some states — notably California and Colorado — require periodic cybersecurity audits and documented data protection assessments. 

Who enforces these statutes? With the exception of California, enforcement is by state (and sometimes local) officials. California provides a limited private right of action for consumers to sue businesses directly for violations relating to data breaches. 

What are the penalties? Many states require or allow businesses to have a reasonable period of time to cure any identified violation, at least in the initial period after the law takes effect. Where that is not possible — or when those provisions sunset — businesses can face significant per-violation financial penalties. As noted, California consumers can directly seek statutory or actual damages for violations related to a data security incident.  

These are the key elements of the privacy laws of states outside Maine that may directly concern your Maine business. If you haven’t yet, it’s a good time for you to review your privacy practices with your technical team and experienced counsel. 
 
