Maine Data Privacy Laws: ISP Privacy & Consumer Rights (2026)

Maine has established one of the most distinctive data privacy frameworks in the United States. The state made national headlines in 2019 when it became the first and only state to require internet service providers to obtain opt-in consent before using or selling customer data. That law remains a landmark in American privacy regulation.
Beyond the ISP privacy law, Maine maintains data breach notification requirements, student data protections, health information confidentiality rules, and is actively pursuing comprehensive consumer data privacy legislation. This guide covers every major Maine data privacy statute, your rights as a consumer, business obligations, and the penalties for noncompliance.
Maine's ISP Privacy Law (35-A MRSA 9301)
The Act to Protect the Privacy of Online Customer Information, signed by Governor Janet Mills on June 6, 2019, created 35-A MRSA Chapter 94. The law took effect on July 1, 2020, and it remains unique among all fifty states.

Why This Law Is Unique
Maine is the only state in the country that requires broadband internet service providers to get affirmative, opt-in consent from customers before using, disclosing, selling, or permitting access to their personal information. Every other state with consumer privacy protections, including California, uses an opt-out model where companies can collect and use data unless the consumer takes action to stop it.
Under Maine's approach, all ISP customers are protected by default without taking any action. The burden falls entirely on the provider to obtain express consent.
Who the Law Applies To
The law applies to any provider of broadband Internet access service operating in Maine and serving customers physically located in the state. Broadband internet access service is defined as a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints. Dial-up internet access service is excluded.
What Information Is Protected
The law defines customer personal information broadly in two categories.
Personally identifying information includes a customer's name, billing address, Social Security number, and other direct identifiers.
Usage-based information includes web browsing history, application usage history, precise geolocation information, financial information, health information, information about children, device identifiers, and the content of communications.
This scope is far wider than many state privacy laws because it covers not just who you are but everything you do online through your ISP connection.
Core Prohibitions
A broadband provider may not use, disclose, sell, or permit access to customer personal information unless the customer expressly consents to that use, disclosure, sale, or access.
Critically, the law also prohibits providers from penalizing customers who refuse consent. A provider cannot refuse to serve a customer, charge a penalty, or offer a discount based on whether a customer consents to the use of their data. This prevents the kind of "pay for privacy" arrangements that undermine opt-in protections.
Permitted Uses Without Consent
Providers may access customer personal information without consent for a limited set of purposes:
- Providing the broadband service itself
- Marketing communications services directly to the customer
- Complying with court orders or other legal process
- Billing and collecting payment
- Preventing fraud
- Providing emergency services
Security and Transparency Requirements
Providers must take reasonable measures to protect customer personal information from unauthorized use, disclosure, or access, considering the nature and scope of the provider's activities, the sensitivity of the data, and the current state of technology.
Every provider must also give customers a clear, conspicuous, and nondeceptive notice at the point of sale and on the provider's publicly accessible website explaining the provider's obligations and the customer's rights under the law.
Enforcement
The Maine Public Utilities Commission oversees compliance with this statute. While the statute itself does not specify penalty amounts for violations, the Commission has rulemaking authority and can investigate complaints.
Data Breach Notification Law (10 MRSA Chapter 210-B)
Maine's Notice of Risk to Personal Data Act, codified at 10 MRSA 1346-1350, establishes the state's data breach notification requirements. The law has been amended several times, most recently in 2019 when municipalities and school administrative units were added to the list of covered entities.
What Triggers a Notification
A security breach is defined as the unauthorized acquisition, release, or use of an individual's computerized data that includes personal information and that compromises the security, confidentiality, or integrity of that information.
Good faith acquisition, release, or use of personal information by an employee or agent acting on behalf of the entity does not qualify as a breach, provided the information is not used for or subject to further unauthorized disclosure.
What Counts as Personal Information
Under 10 MRSA 1347, personal information means an individual's first name or first initial and last name combined with one or more of the following data elements when the data is not encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number (in combination with any required security code, access code, or password)
The definition excludes publicly available government records and third-party insurance claims databases.
Notification Timeline
Entities must provide notification as expediently as possible and without unreasonable delay, but no more than 30 days after becoming aware of the breach and identifying its scope.
If law enforcement determines that notification would compromise a criminal investigation, the entity may delay notification. Once law enforcement clears the notification, it must be sent within 7 business days.
Who Must Be Notified
The law requires notification to several parties:
- Affected Maine residents. Individuals whose personal information was compromised in the breach.
- The Maine Attorney General or the appropriate state regulator. The entity must notify the regulator of the breach.
- Consumer reporting agencies. These must be notified if the breach affects 1,000 or more individuals.
- Data owners. Third-party data holders that maintain personal information on behalf of another person must immediately notify the data owner when a breach is discovered, so the data owner can begin its own notification obligations.
Methods of Notification
Entities can notify affected individuals through written notice, electronic notice (compliant with the federal E-SIGN Act at 15 U.S.C. 7001), or substitute notice.
Substitute notice is permitted when the cost of direct notification exceeds $5,000, when more than 1,000 individuals must be notified, or when the entity lacks sufficient contact information. Substitute notice requires a combination of email notification, conspicuous posting on the entity's website, and notification through statewide media.
Penalties for Violations
Under 10 MRSA 1349, violations carry civil penalties of up to $500 per violation, up to a maximum of $2,500 per day a person remains in violation. Government entities and public educational institutions are exempt from monetary penalties.
The Attorney General enforces the law for most entities, while the Department of Professional and Financial Regulation enforces it for licensees and regulated entities.
There is an important safe harbor provision. Entities that comply with federal or state data security breach notification requirements that meet or exceed the standards in section 1348 are deemed in compliance with the Maine law.
Businesses can report breaches to the state through the Maine Bureau of Insurance breach notification form.
The Maine Online Data Privacy Act (LD 1822)
Maine is actively pursuing comprehensive consumer data privacy legislation through LD 1822, the Maine Online Data Privacy Act. The bill was introduced by Rep. Amy Kuhn (D-Falmouth) and passed the Maine House of Representatives on February 10, 2026, by a vote of 73-65. The Maine Senate advanced the bill on March 5, 2026, by a vote of 18-16.
As of March 2026, the bill has been tabled in the House pending further consideration due to a late amendment. It has not yet been signed into law by the governor. If enacted, it would take effect July 1, 2026.
Who the Act Would Apply To
The Act would apply to persons and companies that do business in Maine or target Maine residents and that, in the prior year, either controlled or processed personal data of at least 35,000 consumers (excluding payment transaction data) or controlled or processed personal data of at least 10,000 consumers while deriving more than 20% of revenue from selling personal data.
Consumer Rights
The Act would grant Maine consumers several rights:
- Right to confirm and access. Consumers can confirm whether a controller is processing their personal data and access it.
- Right to correct. Consumers can request correction of inaccurate personal data.
- Right to delete. Consumers can request deletion of personal data a controller holds about them.
- Right to data portability. Consumers can obtain copies of their personal data in a portable, readily usable format.
- Right to know third parties. In a provision unique among all state privacy laws, consumers would have the right to learn the actual names of every third party to which a controller has sold their personal data.
- Right to opt out. Consumers can opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.
Data Minimization and Sensitive Data
The Act would set a baseline requirement that entities only collect personal data that is reasonably necessary to provide or maintain a specific product or service requested by the consumer. This is a stronger standard than most state privacy laws.
Sensitive data, which includes information about race, ethnicity, gender, religious beliefs, health conditions, sexual orientation, genetic data, biometric data, and precise geolocation, would face even stricter limitations. Collection and use of sensitive data must be strictly necessary to provide the requested product or service, and the sale of sensitive data would be banned entirely.
Children's Protections
The Act would prohibit selling minors' data or using it for targeted advertising. Processing data of children under 13 would require parental consent, and targeted advertising for children between 13 and 16 would be restricted.
Enforcement
Only the Maine Attorney General would have enforcement authority. The Act does not include a private right of action. The Attorney General must submit a report on implementation to the Legislature by January 1, 2028.
Political Organization Exemption
The bill has drawn criticism for explicitly exempting political parties and committees from its restrictions, a provision that opponents have highlighted as inconsistent with the bill's consumer protection goals.
Student Information Privacy Act (20-A MRSA Chapter 13)
Maine enacted the Student Information Privacy Act in 2015, with amendments added in 2017 to expand protections. The law regulates how online service operators, educators, and third parties collect and use the personal information of K-12 students enrolled in Maine educational institutions.
Prohibited Activities
Under 20-A MRSA 953, an operator may not knowingly do any of the following without explicit written or electronic consent from a student's parent or an eligible student (a student who has turned 18 or is in postsecondary education):
- Sell student data. Operators cannot sell student data, though acquisitions by successor entities are permitted if the restrictions continue to apply.
- Engage in targeted advertising. Operators cannot use student data to deliver targeted advertising on their own platform or any other website.
- Build non-educational profiles. Operators cannot create profiles of students unless the profiles are used strictly for K-12 educational purposes.
- Disclose personally identifiable information except for advancing educational purposes, complying with legal requirements, responding to judicial process, protecting security, ensuring user safety, or sharing with service providers under contractual restrictions.
Security and Data Deletion
Operators must implement and maintain reasonable security procedures and practices to protect student data from unauthorized access, destruction, use, modification, and disclosure.
When a school requests deletion of student data, the operator must delete it within 45 days.
Permitted Uses
Operators may use student data for maintaining and improving services, adaptive learning and personalized instruction, educational recommendations, legal compliance, and developing aggregated or de-identified data without restriction.
The Maine Department of Education provides additional guidance on student data privacy compliance, and the state participates in the Maine Student Privacy Alliance (MSPA).
Health Care Information Confidentiality (22 MRSA 1711-C)
Maine's health care information confidentiality law, codified at 22 MRSA 1711-C, provides protections that supplement federal HIPAA requirements. The law applies to health care practitioners, facilities, pharmacies, home health providers, and hospice programs operating in Maine.
What Is Protected
The law protects health care information, defined as data that identifies an individual and relates to their physical, mental, or behavioral condition, medical history, or treatment received. This includes genetic information and individual cell components.
Consent Requirements
Written authorization requires a signed document specifying the recipient, the type of information, the purpose of disclosure, and the duration of the authorization (maximum 30 months for general authorizations).
Oral authorization is permitted when written consent is impractical. The practitioner must document the authorizing person's name, date, the information disclosed, and recipient details.
Key Protections
The statute includes a critical restriction on reproductive and gender-affirming health care communications. These records cannot be disclosed in civil proceedings without written consent or a court order showing good cause.
Penalties
Intentional violations carry civil penalties of up to $5,000 plus costs. Repeated violations increase penalties to $10,000 for individual practitioners and $50,000 for facilities. Individuals may also sue for injunctive relief and recover damages under common law.
The Maine DHHS Privacy Office provides guidance on compliance with both state and federal health information privacy requirements.
Employee Electronic Monitoring Law (LD 61)
Maine enacted LD 61, the Act to Regulate Employer Surveillance to Protect Workers, which takes effect approximately July 14, 2026. The law establishes new limitations on workplace electronic monitoring and creates mandatory disclosure obligations for all Maine employers.
Definition of Employer Surveillance
The law broadly defines employer surveillance as monitoring an employee through an electronic device or system, including computers, telephones, wire or radio systems, electromagnetic or photoelectronic systems, and similar technologies.
Prohibited Practices
Employers may not use audiovisual monitoring in an employee's residence, personal vehicle, or on the employee's private property unless the monitoring is required for duties of the job. Employers also cannot require employees to install surveillance software on personal devices, though they may request it. Employees have the right to decline.
Notice Requirements
Employers using surveillance must provide written notice:
- To prospective employees during the interview process
- To all current employees at least once per calendar year
- Before implementing any new surveillance systems
The Maine Department of Labor has published a required workplace poster with employee surveillance rights.
Exemptions
The law exempts security and safety camera systems, GPS tracking and vehicle safety systems installed on employer-owned vehicles, and monitoring in licensed personal care service settings.
Penalties
Violations are subject to a civil fine of $100 to $500 per violation, enforced by the Maine Department of Labor. Maine joins Connecticut, Delaware, and New York as one of only four states regulating workplace electronic monitoring.
Federal Privacy Framework in Maine
In addition to state laws, several federal privacy statutes apply to individuals and businesses in Maine:
- HIPAA governs health information held by covered entities and business associates, though not all Maine DHHS offices are covered entities since they perform many different functions.
- FERPA protects student education records at institutions receiving federal education funding.
- COPPA restricts online collection of personal information from children under 13.
- GINA prohibits the use of genetic information in employment and health insurance decisions and clarifies that genetic information qualifies as health information under HIPAA.
- The Gramm-Leach-Bliley Act regulates financial institutions' collection and disclosure of consumer financial information.
These federal laws set a baseline. Maine's state laws, particularly the ISP privacy law and the pending comprehensive privacy act, go further in several areas.
Penalty Comparison Table
| Law | Statute | Penalty Per Violation | Maximum | Enforced By |
|---|---|---|---|---|
| ISP Privacy Law | 35-A MRSA 9301 | PUC authority | Varies | Public Utilities Commission |
| Data Breach Notification | 10 MRSA 1348-1349 | Up to $500 | $2,500/day | AG / Dept. of Prof. & Financial Reg. |
| Health Information | 22 MRSA 1711-C | Up to $5,000 | $50,000 (facilities) | Courts / AG |
| Student Privacy | 20-A MRSA Ch. 13 | Statutory | Varies | AG |
| Employee Monitoring | LD 61 | $100-$500 | Per violation | Dept. of Labor |
How to File a Data Privacy Complaint in Maine
If you believe your data privacy rights have been violated in Maine, you can file a complaint through the Maine Attorney General's Consumer Protection Division. The AG's office handles complaints related to data breaches, identity theft, and privacy violations.
For ISP-specific privacy concerns, complaints can be directed to the Maine Public Utilities Commission.
For workplace surveillance violations after LD 61 takes effect in summer 2026, complaints should be filed with the Maine Department of Labor.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Maine for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- 35-A MRSA 9301: Privacy of Broadband Internet Access Service Customer Personal Information (legislature.maine.gov)
- Public Law Chapter 216: An Act To Protect the Privacy of Online Customer Information (legislature.maine.gov)
- Governor Mills Signs Internet Privacy Legislation (June 2019) (maine.gov)
- 10 MRSA 1348: Security Breach Notice Requirements (legislature.maine.gov)
- 10 MRSA 1347: Data Breach Notification Definitions (legislature.maine.gov)
- 10 MRSA 1349: Enforcement and Penalties for Breach Notification Violations (legislature.maine.gov)
- Maine AG: Consumer Protection - Privacy, Identity Theft and Data Security Breaches (maine.gov)
- Maine AG: Consumer Protection - Identity Theft and Privacy (maine.gov)
- Notification of Breach of System Security Event (Maine Bureau of Insurance) (maine.gov)
- 20-A MRSA Chapter 13: The Student Information Privacy Act (legislature.maine.gov)
- 20-A MRSA 953: Restrictions on Operator Use of Student Data (legislature.maine.gov)
- Maine Department of Education: Data Privacy (maine.gov)
- 22 MRSA 1711-C: Confidentiality of Health Care Information (legislature.maine.gov)
- Maine DHHS: Privacy and Security of Health Information (maine.gov)
- LD 1822: An Act to Enact the Maine Online Data Privacy Act (Bill Text) (legislature.maine.gov)
- Maine House Democrats: House Approves Kuhn Bill to Strengthen Data Privacy Laws (maine.gov)
- Maine Department of Labor: Employer Surveillance Notice Poster (maine.gov)
- 15 MRSA 709-712: Maine Wiretapping and Electronic Surveillance Law (legislature.maine.gov)