Maine Data Privacy Laws: ISP Privacy & Consumer Rights (2026)

Maine protects resident data through a set of sector-specific statutes rather than a single comprehensive privacy law. The most distinctive is 35-A MRSA 9301, which requires broadband internet service providers to obtain opt-in consent before using or selling customer data. Maine is the only state with this requirement.
Maine has built one of the most distinctive data privacy frameworks in the United States. In 2019, it became the first and only state to require internet service providers to obtain opt-in consent before using or selling customer data. In 2021, Maine enacted the nation's strongest government facial recognition ban. These landmark laws sit alongside data breach notification requirements, student data protections, health information rules, and a new employer surveillance law taking effect in summer 2026.
Maine does not have a comprehensive consumer data privacy law. Three bills failed in the 2025-2026 legislative session: LD 1822 died on April 13, 2026, after the House refused to concur on Senate amendments; LD 1088 and LD 1224 each received Ought Not To Pass recommendations in June 2025. This guide covers every Maine privacy statute in force, your rights as a resident, business obligations, and what federal law adds on top.
Maine's ISP Privacy Law (35-A MRSA 9301)
The Act to Protect the Privacy of Online Customer Information, signed by Governor Janet Mills on June 6, 2019, created 35-A MRSA Chapter 94. The law took effect on July 1, 2020, and it remains unique among all fifty states.

Why This Law Is Unique
Maine is the only state in the country that requires broadband internet service providers to get affirmative, opt-in consent from customers before using, disclosing, selling, or permitting access to their personal information. Every other state with consumer privacy protections, including California, uses an opt-out model where companies can collect and use data unless the consumer takes action to stop it.
Under Maine's approach, all ISP customers are protected by default without taking any action. The burden falls entirely on the provider to obtain express consent.
Who the Law Applies To
The law applies to any provider of broadband Internet access service operating in Maine and serving customers physically located in the state. Broadband internet access service is defined as a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all internet endpoints. Dial-up internet access service is excluded.
What Information Is Protected
The law defines customer personal information broadly in two categories.
Personally identifying information includes a customer's name, billing address, Social Security number, and other direct identifiers.
Usage-based information includes web browsing history, application usage history, precise geolocation information, financial information, health information, information about children, device identifiers, and the content of communications.
This scope is far wider than many state privacy laws because it covers not just who you are but everything you do online through your ISP connection.
Core Prohibitions
A broadband provider may not use, disclose, sell, or permit access to customer personal information unless the customer expressly consents to that use, disclosure, sale, or access.
Critically, the law also prohibits providers from penalizing customers who refuse consent. A provider cannot refuse to serve a customer, charge a penalty, or offer a discount based on whether a customer consents to the use of their data. This prevents "pay for privacy" arrangements that undermine opt-in protections.
Permitted Uses Without Consent
Providers may access customer personal information without consent for a limited set of purposes: providing the broadband service itself, marketing communications services directly to the customer, complying with court orders or other legal process, billing and collecting payment, preventing fraud, and providing emergency services.
Security and Transparency Requirements
Providers must take reasonable measures to protect customer personal information from unauthorized use, disclosure, or access, considering the nature and scope of the provider's activities, the sensitivity of the data, and the current state of technology.
Every provider must also give customers a clear, conspicuous, and nondeceptive notice at the point of sale and on the provider's publicly accessible website explaining the provider's obligations and the customer's rights under the law.
Enforcement
The Maine Public Utilities Commission oversees compliance with this statute. The statute does not specify a penalty schedule, and legal commentators have noted that the absence of an express enforcement provision gives the Commission rulemaking discretion. Customers with complaints about ISP data practices can contact the PUC directly.
Data Breach Notification Law (10 MRSA Chapter 210-B)
Maine's Notice of Risk to Personal Data Act, codified at 10 MRSA 1346-1350, establishes the state's data breach notification requirements. The law was amended in 2019 when municipalities and school administrative units were added to the list of covered entities.

What Triggers a Notification
A security breach is defined as the unauthorized acquisition, release, or use of an individual's computerized data that includes personal information and that compromises the security, confidentiality, or integrity of that information.
Good faith acquisition, release, or use of personal information by an employee or agent acting on behalf of the entity does not qualify as a breach, provided the information is not used for or subject to further unauthorized disclosure.
What Counts as Personal Information
Under 10 MRSA 1347, personal information means an individual's first name or first initial and last name combined with one or more of the following data elements when the data is not encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number (in combination with any required security code, access code, or password)
The definition excludes publicly available government records and third-party insurance claims databases.
Notification Timeline
Entities must provide notification as expediently as possible and without unreasonable delay, but no more than 30 days after becoming aware of the breach and identifying its scope.
Entities must also immediately notify the appropriate state regulators within the Department of Professional and Financial Regulation, or, if not regulated by that department, the Attorney General.
If law enforcement determines that notification would compromise a criminal investigation, the entity may delay notification. Once law enforcement clears the notification, it must be sent within 7 business days.
Who Must Be Notified
Affected Maine residents whose personal information was compromised in the breach must receive notice.
The Maine Attorney General or the appropriate state regulator must be notified immediately upon discovery of the breach.
Consumer reporting agencies must be notified if the breach affects 1,000 or more individuals.
Third-party data holders that maintain personal information on behalf of another person must immediately notify the data owner when a breach is discovered, so the data owner can begin its own notification obligations.
Methods of Notification
Entities can notify affected individuals through written notice, electronic notice (compliant with the federal E-SIGN Act at 15 U.S.C. 7001), or substitute notice.
Substitute notice is permitted when the cost of direct notification exceeds $5,000, when more than 1,000 individuals must be notified, or when the entity lacks sufficient contact information. Substitute notice requires a combination of email notification, conspicuous posting on the entity's website, and notification through statewide media.
Penalties for Violations
Under 10 MRSA 1349, violations carry civil penalties of up to $500 per violation, up to a maximum of $2,500 per day a person remains in violation. Government entities and public educational institutions are exempt from monetary penalties.
The Attorney General enforces the law for most entities, while the Department of Professional and Financial Regulation enforces it for licensees and regulated entities.
There is an important safe harbor provision. Entities that comply with federal or state data security breach notification requirements that meet or exceed the standards in section 1348 are deemed in compliance with the Maine law.
Businesses can report breaches to the state through the Maine AG Data Security Breaches page or the Maine Bureau of Insurance breach notification form.
Government Facial Recognition Ban (25 M.R.S. 6001)
Maine enacted 25 M.R.S. 6001 in 2021 as the nation's strongest government facial recognition restriction. The law was approved unanimously by the Maine House and Senate on June 16 and 17, 2021, enacted unsigned on July 1, 2021, and took effect October 1, 2021.
Scope: Who Is Covered
The prohibition applies to all state, county, and municipal government departments, agencies, and their employees and officials. This includes law enforcement agencies. The ban extends to all government subdivisions and public instrumentalities. Private sector use of facial recognition is not restricted by this statute.
What Is Prohibited
No government department or official may use or possess facial surveillance technology, or enter into any agreement with a third party to obtain, access, or use such technology. Facial surveillance is defined as any automated or semi-automated process that assists in identifying or verifying an individual, or in capturing information about an individual, based on the physical characteristics of the individual's face.
Any data obtained through facial surveillance in violation of this section must be deleted upon discovery and is inadmissible in any proceeding before any public official, department, regulatory body, or authority.
Limited Law Enforcement Exception
Law enforcement agencies may request a facial recognition search of the FBI's databases or the Bureau of Motor Vehicles database when they have probable cause to believe an unidentified person depicted in an image has committed a crime. The results of that search may not be used as the sole basis for establishing probable cause to arrest or for obtaining a search warrant.
Remedies
A person injured or aggrieved by a violation may bring an action for injunctive or declaratory relief or a writ of mandamus. A public employee or official who violates the law may be subject to disciplinary action, including retraining, suspension, or termination.
Maine's Comprehensive Privacy Bill Failures (2025-2026)
Maine does not have a comprehensive consumer data privacy law in force. Three bills attempted to establish one in the 132nd Legislature's 2025-2026 session; all three failed.
LD 1822 (Maine Online Data Privacy Act): Introduced by Rep. Amy Kuhn (D-Falmouth), LD 1822 passed the House on February 10, 2026, and the Senate on March 5, 2026 (18-16). Because the Senate amended the bill, it returned to the House for concurrence. On April 9, 2026, the House voted not to recede and concur on the Senate's amendments. The bill was placed in Legislative Files as DEAD on April 13, 2026.
LD 1088 (Maine Consumer Data Privacy Act): Referred to the Judiciary Committee, LD 1088 received a divided committee report in June 2025. The Ought Not To Pass recommendation was accepted on a roll-call vote of 18 Yeas to 14 Nays. The bill was carried over to the next session.
LD 1224 (An Act to Comprehensively Protect Consumer Privacy): The Judiciary Committee reported LD 1224 with an Ought Not To Pass recommendation on June 16, 2025, and the bill received a final disposition of Ought Not To Pass Pursuant To Joint Rule 310 on June 17, 2025.
The failure of all three bills leaves Maine without comprehensive consumer-facing data rights covering most private-sector businesses, beyond the sectoral statutes described in this article. Legislation may be re-introduced in future sessions.
Maine Right to Repair Data Law
In November 2023, Maine voters approved Question 4 (the Right to Repair Law) by an 84% margin. The law requires automakers selling vehicles in Maine to provide owners and independent repair shops with access to mechanical data from those vehicles through an owner-authorized, standardized, interoperable platform.
The implementation has been disputed. The Alliance for Automotive Innovation filed suit in January 2025 challenging Attorney General Aaron Frey's enforcement of the law, arguing that compliance is impossible because the Attorney General has not designated the "independent entity" the law requires to establish the standardized access platform. A Right to Repair Working Group convened by the Legislature has been considering proposed amendments and recommendations.
Student Information Privacy Act (20-A MRSA Chapter 13)
Maine enacted the Student Information Privacy Act in 2015, with amendments in 2017 to expand protections. The law regulates how online service operators, educators, and third parties collect and use the personal information of K-12 students enrolled in Maine educational institutions.

Prohibited Activities
Under 20-A MRSA 953, an operator may not knowingly do any of the following without explicit written or electronic consent from a student's parent or an eligible student:
- Sell student data. Operators cannot sell student data, though acquisitions by successor entities are permitted if the restrictions continue to apply.
- Engage in targeted advertising. Operators cannot use student data to deliver targeted advertising on their own platform or any other website.
- Build non-educational profiles. Operators cannot create profiles of students unless the profiles are used strictly for K-12 educational purposes.
- Disclose personally identifiable information except for advancing educational purposes, complying with legal requirements, responding to judicial process, protecting security, ensuring user safety, or sharing with service providers under contractual restrictions.
Security and Data Deletion
Operators must implement and maintain reasonable security procedures and practices to protect student data from unauthorized access, destruction, use, modification, and disclosure.
When a school requests deletion of student data, the operator must delete it within 45 days.
The Maine Department of Education provides guidance on student data privacy compliance, and the state participates in the Maine Student Privacy Alliance.
Health Care Information Confidentiality (22 MRSA 1711-C)
Maine's health care information confidentiality law, codified at 22 MRSA 1711-C, provides protections that supplement federal HIPAA requirements. The law applies to health care practitioners, facilities, pharmacies, home health providers, and hospice programs operating in Maine.
What Is Protected
The law protects health care information, defined as data that identifies an individual and relates to their physical, mental, or behavioral condition, medical history, or treatment received. This includes genetic information and individual cell components.
Consent Requirements
Written authorization requires a signed document specifying the recipient, the type of information, the purpose of disclosure, and the duration of the authorization (maximum 30 months for general authorizations).
Oral authorization is permitted when written consent is impractical. The practitioner must document the authorizing person's name, date, the information disclosed, and recipient details.
Key Protections
The statute includes a critical restriction on reproductive and gender-affirming health care communications. These records cannot be disclosed in civil proceedings without written consent or a court order showing good cause.
Penalties: Intentional violations carry civil penalties of up to $5,000 plus costs. Repeated violations increase penalties to $10,000 for individual practitioners and $50,000 for facilities. Individuals may sue for injunctive relief and recover damages under common law.
The Maine DHHS Privacy Office provides guidance on compliance with both state and federal health information privacy requirements.
Employee Electronic Monitoring Law (LD 61)
Maine enacted LD 61, the Act to Regulate Employer Surveillance to Protect Workers. The law takes effect approximately July 14, 2026, 90 days after the close of the current legislative session.
Definition of Employer Surveillance
The law broadly defines employer surveillance as monitoring an employee through an electronic device or system, including computers, telephones, wire or radio systems, electromagnetic or photoelectronic systems, and similar technologies.
Prohibited Practices
Employers may not use audiovisual monitoring in an employee's residence, personal vehicle, or on the employee's private property unless the monitoring is required for duties of the job. Employers also cannot require employees to install surveillance software on personal devices, though they may request it. Employees have the right to decline.
Notice Requirements
Employers using surveillance must provide written notice: to prospective employees during the interview process, to all current employees at least once per calendar year, and before implementing any new surveillance systems.
The Maine Department of Labor has published a required workplace poster with employee surveillance rights.
Exemptions and Penalties
The law exempts security and safety camera systems, GPS tracking and vehicle safety systems installed on employer-owned vehicles, and monitoring in licensed personal care service settings. Violations carry a civil fine of $100 to $500 per violation, enforced by the Maine Department of Labor. Maine joins Connecticut, Delaware, and New York as one of four states regulating workplace electronic monitoring.
Federal Privacy Framework in Maine
Several federal statutes apply directly to individuals and businesses in Maine.

TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025): This federal law makes it a crime to knowingly publish nonconsensual intimate images or AI-generated sexual deepfakes of real people online. The criminal prohibitions took effect immediately upon signing. Platforms that host user-generated content must remove flagged material within 48 hours of a valid takedown notice. Platform obligations are enforced by the FTC beginning May 19, 2026, with civil penalties up to $53,088 per violation. This law applies to Maine-based platforms and benefits Maine residents equally.
HIPAA governs health information held by covered entities and business associates, supplemented by Maine's 22 MRSA 1711-C.
FERPA protects student education records at institutions receiving federal education funding, supplemented by Maine's Student Information Privacy Act.
COPPA restricts online collection of personal information from children under 13. Maine's student privacy act extends additional protections in the K-12 context.
The Gramm-Leach-Bliley Act regulates financial institutions' collection and disclosure of consumer financial information, with enforcement by the FTC and federal financial regulators.
FTC Act Section 5 prohibits unfair or deceptive acts or practices. The FTC has brought enforcement actions against companies in all states for privacy and data-security failures based on this authority, independent of state law.
APRA (American Privacy Rights Act): A bicameral comprehensive federal privacy draft in 2024 did not pass. Revised versions were discussed in 2025. As of May 2026, no federal comprehensive consumer privacy law has been enacted.
Penalty Comparison Table
| Law | Statute | Penalty Per Violation | Maximum | Enforced By |
|---|---|---|---|---|
| ISP Privacy Law | 35-A MRSA 9301 | PUC authority | Varies | Public Utilities Commission |
| Data Breach Notification | 10 MRSA 1348-1349 | Up to $500 | $2,500/day | AG / Dept. of Prof. & Financial Reg. |
| Health Information | 22 MRSA 1711-C | Up to $5,000 | $50,000 (facilities) | Courts / AG |
| Student Privacy | 20-A MRSA Ch. 13 | Statutory | Varies | AG |
| Employee Monitoring | LD 61 | $100-$500 | Per violation | Dept. of Labor |
| TAKE IT DOWN Act | Pub. L. 119-12 | Up to $53,088 | Per violation | FTC |
How to File a Data Privacy Complaint in Maine
If you believe your data privacy rights have been violated in Maine, you can file a complaint through the Maine Attorney General's Consumer Protection Division. The AG's office handles complaints related to data breaches, identity theft, and privacy violations.
For ISP-specific privacy concerns, complaints can be directed to the Maine Public Utilities Commission.
For workplace surveillance violations after LD 61 takes effect in July 2026, complaints should be filed with the Maine Department of Labor.
For health information violations, you can file complaints with the Maine DHHS Privacy Office or, where HIPAA applies, with the U.S. Department of Health and Human Services Office for Civil Rights.
Sources and References
- 35-A MRSA 9301: Privacy of Broadband Internet Access Service Customer Personal Information (legislature.maine.gov)
- Public Law Chapter 216: An Act To Protect the Privacy of Online Customer Information (legislature.maine.gov)
- Governor Mills Signs Internet Privacy Legislation (June 2019) (maine.gov)
- 10 MRSA 1347: Data Breach Notification Definitions (legislature.maine.gov)
- 10 MRSA 1348: Security Breach Notice Requirements (legislature.maine.gov)
- 10 MRSA 1349: Enforcement and Penalties for Breach Notification Violations (legislature.maine.gov)
- 25 M.R.S. 6001: Maine Facial Surveillance Government Ban (legislature.maine.gov)
- Maine AG: Data Security Breaches (Consumer Protection) (maine.gov)
- Maine AG: Consumer Protection - Privacy, Identity Theft and Data Security Breaches (maine.gov)
- Maine Bureau of Insurance: Breach Notification Form (maine.gov)
- 20-A MRSA Chapter 13: The Student Information Privacy Act (legislature.maine.gov)
- 20-A MRSA 953: Restrictions on Operator Use of Student Data (legislature.maine.gov)
- Maine Department of Education: Data Privacy (maine.gov)
- 22 MRSA 1711-C: Confidentiality of Health Care Information (legislature.maine.gov)
- Maine DHHS: Privacy and Security of Health Information (maine.gov)
- Maine Department of Labor: Employer Surveillance Notice Poster (maine.gov)
- 15 MRSA 709-712: Maine Wiretapping and Electronic Surveillance Law (legislature.maine.gov)
- TAKE IT DOWN Act: FTC Legal Library (Pub. L. 119-12) (ftc.gov)
- Maine Question 4 (2023): Right to Repair Law Vehicle Data Access Requirement (Ballotpedia) (ballotpedia.org)
- Maine Passes Statewide Facial Recognition Ban (IAPP) (iapp.org)