Maine’s House of Representatives Adopts Comprehensive Privacy Act
Maine’s House of Representatives, on February 10, 2026, passed LD 1822, the Maine Online Data Privacy Act (the “Act”). If enacted, the Act would go further in some ways than any state privacy law now in effect.
This article summarizes key features of the Act as passed by Maine’s House. If Maine’s Senate and Governor approve the bill, it may still undergo changes before becoming law.
The Act would take effect on July 1, 2026. A violation of the statute would amount to a violation of Maine’s Unfair Trade Practices Act. The Act would be enforced only by the state’s Attorney General; it provides no private right of action.
Scope
The Act would apply to people and companies that do business in Maine or target Maine residents and, in the past year, either (a) controlled or processed personal data of 35,000 or more consumers (excluding payment transaction data) or (b) controlled or processed personal data of 10,000 or more consumers and made more than 20% of their revenue from selling personal data. “Consumers” means individual residents of Maine, excluding people acting in employment, commercial, or other internal-business roles.
The bill uses several definitions now well-established in most other state privacy laws:
- A “controller” is a person or organization that determines the purpose and means of processing personal data.
- A “processor” is a person or organization that processes personal data on a controller’s behalf.
- To “process” means to conduct nearly any operation on personal data, whether manually or by automation, including storing, sharing, analyzing, deleting, or modifying the data.
- “Personal data” is any information linked or linkable to an identified or identifiable human being. It does not include publicly available or de-identified data.
- “Sensitive data” is personal data that could be especially harmful to consumers if exposed, including information about their race, religion, sexual orientation, immigration status, precise location, genetic or biometric data, financial information, and more.
The Act has numerous entity-level exemptions for Indian tribes, governmental entities, nonprofits, and regulated companies, among others. It also has data-level exemptions that apply to certain types of data already regulated by other privacy laws.
Any Maine resident may invoke the rights conferred by the Act (described below), except where those residents act solely in employment, commercial, or certain internal company governance capacities.
New Statutory Privacy Rights for Consumers
The Act would give Maine residents rights similar to those that many other states now provide their residents. These include the rights to:
- Confirm whether a controller is processing their personal data (and if so, access it).
- Correct errors in the data that the controller maintains about the consumer.
- Make a controller delete personal data it keeps about the consumer, except where the law requires retention.
- Obtain copies of certain types of personal data kept by the controller about that consumer in a way that helps the consumer transmit it to another controller.
- Obtain a list of the third parties to which the controller has sold the consumer’s personal data.
- Opt out of the controller’s processing of that consumer’s personal data for certain purposes. Those purposes include targeted advertising, selling, or profiling in furtherance of automated decisions that produce legal or other significant effects for the consumer.
Obligations of Controllers
The Act would impose new obligations on controllers, including:
- Data minimization. Controllers would need to “limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains…”. This language is identical to that in other states, including Maryland, Minnesota, New Hampshire, and Virginia.
- Heightened protection for sensitive data. A controller may not process sensitive data unless the processing is “strictly necessary to provide or maintain a specific product or service requested by” the consumer to whom the data relates.
- Data protection assessments. A controller that uses personal data in ways that “present a heightened risk of harm” to consumers must conduct data protection assessments. That “heightened risk” behavior includes processing personal data for targeted ads, selling personal data, and processing sensitive data. It also includes processing used in profiling (automated processing involving people’s health, behavior, location, interests, and other traits), where harm to consumers could result. Controllers, in some cases, may need to share these assessments with Maine’s Attorney General.
- Compliance with consumer requests. Controllers must promptly comply with consumers’ requests to exercise their statutory rights described above.
- Privacy notices. Controllers must publish privacy notices that contain more detail than the simple website privacy policies that most American firms have used for years.
- Additional consumer notices. Further notice rules apply to any controller that sells personal data to third parties, uses it for targeted advertising, or processes it to make decisions that produce legal or other significant effects on a consumer. That controller must disclose those actions in specific ways that the Act dictates.
- Data security. Controllers must use reasonable data security practices to protect the confidentiality, accessibility, and integrity of personal data.
- Data processing agreements. A controller would be barred from using a processor to process personal data except under a written contract. These contracts, typically called “data processing agreements,” must include specific clauses similar to those required by similar laws in other states.
Obligations of Processors
The Act would impose duties on processors that, while less burdensome than those for controllers, would entail real compliance burdens. Processors must:
- comply with their data processing agreements with controllers;
- use internal data security safeguards; and
- help controllers meet the controllers’ own obligations under the Act, including by following data breach notification rules and complying with controllers’ requests for security information.
The Maine Act Compared to Other State Privacy Acts
The Maine Act will feel broadly familiar to companies that have already become compliant with similar privacy statutes in other U.S. states. It contains several provisions, however, that would be either unique or uncommon among the states.
A unique new consumer right. The Maine Act would give consumers a right that no other state appears to grant today: the right to know the actual names of every third party to which a controller sells their personal data. Other states entitle residents to know simply the categories of third parties to whom their data is sold.
Extraordinary protection for sensitive data. Typically, to the extent most U.S. states provide special rules for the use of sensitive data, they simply bar controllers from processing that data without the consumer’s affirmative consent. Colorado, Indiana, Minnesota, New Hampshire, and Virginia take that approach. The Maine Act would further limit the processing of sensitive data; it would bar all processing that is not “strictly necessary to provide or maintain a specific product or service requested by” the consumer. Maryland appears to be the only other state using the same “strictly necessary” test.
Low bar for application. The application thresholds are easier to meet than in most other states. As of February 2026, most states with similar privacy statutes have “number of residents” tests set at 50,000, 100,000, or higher. Maine would join only Delaware, Rhode Island, and New Hampshire at the 35,000 level.
No mandatory warnings before enforcement. Some states require their regulators to give controllers advance notice of violations and a chance to fix them before enforcement begins. Not so in the Pine Tree State, where the Maine Act would give the Attorney General the discretion to skip that notice.
Businesses that collect or use data about Maine residents should begin reviewing their data inventories, contracts, and privacy notices now to assess how the Act could affect their operations if it becomes law. Organizations already subject to other state privacy regimes may be able to leverage existing compliance programs, but should not assume those frameworks will fully satisfy Maine’s stricter requirements around sensitive data, data minimization, and individual rights. Verrill’s Privacy and Data Security team is closely tracking LD 1822 as it advances through the Legislature and is available to help evaluate your current practices, prepare compliance roadmaps, and develop updates to internal policies and external disclosures tailored to Maine’s evolving privacy landscape.
Adam Nyhan is a Partner in Verrill’s Intellectual Property practice and Co-Chair of the firm’s Data Privacy and Security group. He advises companies and nonprofits on privacy, software licensing, Artificial Intelligence, compliance, and corporate matters in sectors that include health care, education, AdTech, MarTech, FinTech, and cybersecurity.