open-agreements 0.7.7 → 0.8.0

package/skills/legal-explainers/data-privacy-law-explainer/content/louisiana.md

@@ -0,0 +1,209 @@
+---
+jurisdiction: "Louisiana"
+slug: louisiana
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/louisiana
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/louisiana · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Louisiana Consumer Privacy Law (LDPA)[^about]
+
+The Louisiana Data Privacy Act (Act No. 502 of 2026) takes effect January 1, 2027, adding consumer data rights, privacy-notice contents, sensitive-data consent, and processor contracts to a regime that today consists of the breach-notification law, LUTPA, and the federal overlay.
+
+
+## At a glance
+
+| Question | Louisiana |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | Louisiana enacted the Louisiana Data Privacy Act (Act No. 502 of 2026) effective January 1, 2027, requiring covered businesses to publish a six-item privacy notice, obtain consent for sensitive data, sign processor contracts, and honor consumer rights — enforced solely by the Attorney General with a cure period that sunsets July 31, 2027; until the act starts, the breach-notification law (with its own private right of action) and LUTPA govern. |
+| **Main law** | Louisiana Data Privacy Act, La. R.S. 51:1780.1–1780.5 (Act No. 502 of 2026), effective January 1, 2027; until then the Database Security Breach Notification Law (La. R.S. 51:3071–3077) and LUTPA (La. R.S. 51:1401 et seq.) are the operative state framework |
+| **Privacy policy required?** | From January 1, 2027, yes — a reasonably accessible and clear privacy notice with six fixed contents, plus scripted word-for-word notices if the business sells sensitive or biometric data; today no state checklist exists and the governing rule is that whatever the policy says must be true |
+| **Who does it cover?** | From January 1, 2027 — a person or entity doing business in Louisiana that has over $25 million in annual gross revenue, or annually handles the personal information of 75,000+ consumers, households, or devices, or derives 50%+ of annual revenue from selling personal information; state agencies, GLBA financial institutions, HIPAA entities, nonprofits, and higher education are exempt |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | No under the LDPA — it routes violations into LUTPA while expressly excluding the private actions in La. R.S. 51:1409 and 1409.1; but the breach law keeps its own private action for actual damages from untimely breach notice (La. R.S. 51:3075), and LUTPA § 1409 remains a general private-action hook for actual damages, with trebling only after Attorney General notice and knowing continuation |
+| **Who enforces it?** | Louisiana Attorney General (exclusive for the LDPA) |
+
+## Which privacy laws apply to your business in Louisiana? {#which-privacy-laws-apply}
+
+**Short answer.** Two regimes matter — one in force now, one arriving. Today Louisiana has no comprehensive consumer-privacy law in effect: the operative state statutes are the Database Security Breach Notification Law (La. R.S. 51:3071–3077) and the Unfair Trade Practices and Consumer Protection Law (LUTPA), both covered below. That changes on January 1, 2027, when the Louisiana Data Privacy Act (Act No. 502 of 2026, enacting La. R.S. 51:1780.1–1780.5) takes effect. The new act applies to a person or entity that does business in the state and meets any one of three thresholds: annual gross revenues over twenty-five million dollars, annually buying, receiving, selling, or sharing the personal information of seventy-five thousand or more consumers, households, or devices, or deriving fifty percent or more of annual revenue from selling consumers' personal information [^ldpa-thresholds].
+
+The thresholds are disjunctive, and the revenue prong stands alone — a company with more than twenty-five million dollars in gross revenue is covered even if it processes very little Louisiana data. Coverage is also bounded by who counts as a consumer: the act protects an individual Louisiana resident *acting only in an individual or household context* and expressly excludes people acting in a commercial or employment context [^ldpa-consumer-def], so employee and business-to-business data are outside the rights framework. *Personal data* means any information linked or reasonably linkable to an identified or identifiable individual, excluding deidentified and publicly available information [^ldpa-personal-data-def].
+
+The exemption list does a lot of work. The act does not apply to state agencies or political subdivisions, GLBA financial institutions and GLBA-regulated data, HIPAA covered entities and business associates, nonprofit organizations, institutions of higher education, electric public utilities, or registered public-opinion poll conductors [^ldpa-exemptions]. Data-level carve-outs separately cover HIPAA protected health information [^ldpa-data-carveout-hipaa], FCRA-regulated consumer-report activity, DPPA data, FERPA data, Farm Credit Act data, and employment, applicant, agent, and independent-contractor data used in that role [^ldpa-data-carveouts-sector-employment]. If your organization or data falls inside one of those exemptions, the new act changes little; the breach law and LUTPA still apply.
+
+> [!NOTE]
+> **Practice note.**
+>
+> **Unresolved statutory wording:** the act's volume and revenue thresholds turn on *personal information* — a term the chapter never defines — while every operative duty is written in terms of the defined term *personal data* [^ldpa-thresholds][^ldpa-personal-data-def]. Until the Attorney General or a court clarifies the mismatch, a conservative scoping analysis should treat the undefined threshold term as at least as broad as *personal data* rather than assume it narrows coverage.
+
+## What must your Louisiana privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** Today, no Louisiana statute fixes the contents of a general consumer privacy policy — the governing rule is that whatever you publish must be true, because a policy that misstates your practices can create deceptive-practices risk under LUTPA [^lutpa-1405-unlawful] and Section 5 of the FTC Act [^fed-ftc5-deceptive]. From January 1, 2027, that changes: the LDPA requires a reasonably accessible and clear privacy notice listing six items — the categories of personal data processed (including any sensitive data), the purposes of processing, how consumers exercise and appeal their rights, the categories of personal data sold to third parties, the categories of third parties involved in those sales, and a description of the methods for submitting rights requests [^ldpa-notice-contents].
+
+Treat the six-item list as a checklist: each element should appear on the face of the policy rather than be scattered through product screens. Two further disclosure duties sit on top of it. First, a controller that sells personal data to third parties or processes it for targeted advertising must clearly and conspicuously disclose that processing and how a consumer can opt out of it [^ldpa-targeted-ads-disclosure]. Second — the act's most distinctive drafting feature — selling certain data triggers scripted, word-for-word notices. A controller that sells sensitive personal data must post the exact sentence "NOTICE: We may sell your sensitive personal data."[^ldpa-sensitive-sale-notice] in the same manner as the privacy notice [^ldpa-sensitive-sale-notice], and one that sells biometric data must post "NOTICE: We may sell your biometric personal data."[^ldpa-biometric-sale-notice] [^ldpa-biometric-sale-notice]. There is no room to paraphrase either sentence — the statute supplies the language.
+
+For a business updating its policy before the effective date, the practical sequencing is to keep the policy accurate under the deception standard now and add the six enumerated items plus any required scripted notices so the policy is compliant on January 1, 2027.
+
+## Do you need consent to process sensitive data in Louisiana? {#sensitive-data-consent}
+
+**Short answer.** From January 1, 2027, yes. The LDPA forbids a controller from processing a consumer's sensitive data without the consumer's consent, and for a known child it requires handling the data in accordance with the federal Children's Online Privacy Protection Act [^ldpa-sensitive-consent]. Sensitive data covers personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; data collected from a known child; and precise geolocation [^ldpa-sensitive-def].
+
+Consent is a defined term with teeth: it means a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement, and it expressly excludes acceptance buried in general terms of use, hovering over or closing content, and agreement obtained through dark patterns [^ldpa-consent-def]. Pre-checked boxes and silence do not qualify. A separate sensitive-data sale rule deserves attention from data-heavy businesses: an entity covered by the fifty-percent-of-revenue threshold may not sell sensitive personal data without the consumer's prior consent [^ldpa-broker-sensitive-sale], subject to otherwise applicable LDPA exemptions [^q3-ldpa-exemptions].
+
+Sensitive-data processing also triggers paperwork. A controller must conduct and document a data protection assessment for the processing of sensitive data — alongside targeted advertising, the sale of personal data, higher-risk profiling, and any processing presenting a heightened risk of harm [^ldpa-dpa-assessments]. The assessment duty applies to processing activities as of January 1, 2027 and is not retroactive [^ldpa-dpa-not-retroactive], so the build-out can focus on go-forward processing rather than historical inventories.
+
+## What must your contracts with processors say? {#vendor-contracts}
+
+**Short answer.** Today, no Louisiana statute prescribes controller-to-processor contract terms — vendor data terms are driven by the sectoral regimes that apply to your business and by contract best practice. From January 1, 2027, the LDPA makes a written data processing agreement a statutory requirement: a contract between the controller and the processor must govern the processing and must include processing instructions, the nature and purpose of processing, the data types and duration, the parties' rights and obligations, and processor commitments to confidentiality, deletion or return of data, compliance demonstrations, assessments, and written subcontractor flow-downs [^ldpa-processor-contract].
+
+A compliant template tracks each statutory element. The act also assigns processors an assistance role that reaches beyond the contract: a processor must help the controller meet its obligations, including security and the notification of a breach of the processor's own system under the existing breach-notification chapter [^ldpa-processor-assist] — a useful reminder that the 2005 breach law remains live infrastructure underneath the new act rather than being replaced by it.
+
+Until the act takes effect, the contracting obligations that do exist come from the federal overlay. The GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to maintain appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection and breach-reporting terms before protected health information changes hands [^fed-hipaa-baa]. Outside those verticals, carrying the LDPA's contract elements into vendor agreements now is the low-cost way to be ready on the effective date.
+
+## What rights will Louisiana consumers have over their data? {#consumer-rights}
+
+**Short answer.** No LDPA-style access, correction, deletion, portability, or opt-out rights exist under current Louisiana law — and a full standard set starts January 1, 2027. From that date a controller must comply with an authenticated consumer request to confirm processing and access the data, correct inaccuracies, delete personal data provided by or obtained about the consumer, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects [^ldpa-rights-list].
+
+The mechanics follow the pattern in-house teams will recognize. A controller must respond within forty-five days, extendable once by forty-five more with notice and a reason; a refusal must come within the same window with appeal instructions; and responses are free up to twice a year per consumer [^ldpa-request-deadlines]. A denied consumer can appeal, and the controller must answer the appeal in writing within sixty days with a written explanation [^ldpa-appeal-60-day]. Contract terms cannot drain these rights: any provision that waives or limits a consumer right is contrary to public policy and void [^ldpa-anti-waiver].
+
+On universal opt-out signals, the act takes a conditional path rather than a mandate. There is no requirement to honor a regulator-approved opt-out signal by a fixed deadline, so the survey classifies Louisiana as not requiring universal opt-out signals. Instead, a consumer may designate an authorized agent — including through a technology such as a browser setting, extension, or a global device setting — to opt out of targeted advertising and data sales, and the controller must comply when it can verify the consumer's identity and the agent's authority with commercially reasonable effort, unless a statutory exception applies [^ldpa-authorized-agent]. Those exceptions cover unclear agent requests, inability to verify Louisiana residency, lack of ability to process the request, and controllers that do not process similar requests under similar other-state laws [^ldpa-authorized-agent]. The statute then disciplines the signal itself: the opt-out technology may not rely on a default setting and must reflect the consumer's affirmative, freely given, unambiguous choice [^ldpa-optout-tech-no-default]. The practical read for compliance teams: build a pathway where the request can be verified and no statutory exception applies.
+
+## When must you notify people of a data breach in Louisiana? {#breach-notification}
+
+**Short answer.** Any person or agency that owns or licenses computerized data containing personal information must, after discovering a breach of the security of the system, notify every Louisiana resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person [^breach-notice-duty]. The notice must go out in the most expedient time possible and without unreasonable delay — and no later than sixty days from discovery of the breach [^breach-60-day].
+
+This is the Database Security Breach Notification Law, in force since 2006, and it remains fully operative alongside the new privacy act. For breach-law purposes, *personal information* means a resident's first name or initial and last name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, financial-account or card number with its access code, passport number, or biometric data [^breach-pi-def]. The same chapter imposes Louisiana's standing data-security duty — reasonable security procedures and practices appropriate to the nature of the information [^breach-reasonable-security] — plus a secure-destruction obligation for records no longer retained [^breach-secure-destruction].
+
+Two further features shape incident response. First, a risk-of-harm off-ramp: notice is not required if a reasonable investigation concludes there is no reasonable likelihood of harm to Louisiana residents, but the written determination must be kept for five years and produced to the Attorney General within thirty days of a written request [^breach-risk-of-harm]. Second, the chapter took effect only after the Attorney General promulgated implementing rules [^breach-rulemaking-3077], so an incident-response plan should not treat the statute as the only Louisiana authority to check.
+
+Unlike the new privacy act, the breach law carries its own private right of action: a civil action may be brought to recover actual damages resulting from a failure to disclose a breach in a timely manner [^breach-pra-3075]. Untimely notice is therefore not just a regulatory problem in Louisiana — it is a litigation exposure.
+
+## Who enforces Louisiana's new privacy law, and what are the penalties? {#enforcement-and-penalties}
+
+**Short answer.** The Attorney General alone enforces the LDPA [^ldpa-ag-enforce]. The act supplies no freestanding remedies of its own — instead, every violation constitutes an unfair and deceptive trade practice under LUTPA, expressly excluding the private rights of action in La. R.S. 51:1409 and 1409.1 [^ldpa-lutpa-routing]. The enforcement toolkit is therefore LUTPA's: injunctions issued without bond and a civil penalty the court may impose, with the statute authorizing up to five thousand dollars per violation where the court finds the practice was entered into with the intent to defraud [^lutpa-1407-remedies].
+
+The cure period is unusually short-lived. From January 1, 2027 through July 31, 2027, the Attorney General must give thirty days' written notice identifying the alleged violations before opening an investigation, and may not proceed if the business cures within thirty days, certifies the cure in writing, documents it, and adjusts internal policy [^ldpa-cure-window]. After July 31, 2027, no statutory cure right remains — so the grace window covers only the first seven months of the act's life, and compliance programs should be built for the post-sunset posture rather than the opening one. Money recovered through the Attorney General's enforcement is earmarked for consumer protection efforts and education [^ldpa-lutpa-routing].
+
+Today's enforcement hook works the same way at the structural level: a violation of the breach-notification chapter constitutes an unfair act or practice under LUTPA [^breach-utpa-tiein], putting breach-law failures in the same Attorney General toolkit now that LDPA violations will join in 2027.
+
+> [!NOTE]
+> **Practice note.**
+>
+> **Open statutory question — monetary exposure under the LDPA.** The act names no dollar penalty of its own; it routes violations into LUTPA, whose civil-penalty text authorizes the five-thousand-dollar-per-violation figure where the court finds the practice was entered into with the intent to defraud [^lutpa-1407-remedies][^ldpa-lutpa-routing]. One reading is that the Attorney General can obtain civil penalties for LDPA violations generally, with the stated cap tied to fraud findings; another is that a non-fraudulent violation exposes a business only to injunctive relief, not a dollar penalty. No court has resolved which reading controls, and the answer is the single biggest unknown for modeling LDPA risk.
+
+## Can a consumer sue your business in Louisiana over privacy? {#consumer-lawsuit}
+
+**Short answer.** Not under the new privacy act — the LDPA routes its violations into LUTPA while expressly excluding the private rights of action in La. R.S. 51:1409 and 1409.1, leaving enforcement to the Attorney General alone [^q8-ldpa-pra-exclusion]. But Louisiana consumers are not without a courtroom path. The breach-notification law retains its own private right of action for actual damages caused by an untimely failure to disclose a breach [^q8-breach-pra-3075], and LUTPA itself gives any person who suffers an ascertainable loss from an unfair or deceptive practice an individual action for actual damages — trebled where the practice continued knowingly after Attorney General notice, with attorney fees [^q8-lutpa-1409-pra].
+
+The architecture is worth stating plainly because the pieces cut in different directions. For the duties the LDPA creates in 2027 — notices, consent, contracts, rights handling — exposure is regulatory only. For breach response, exposure is both regulatory and private: a late notification can draw an Attorney General action and a damages suit by affected residents at the same time. And for conduct that qualifies as an unfair or deceptive trade practice independent of the LDPA — a privacy policy that misrepresents actual practices, for example — LUTPA's general private action remains available today, subject to its one-year prescriptive period and its bar on representative actions. A marketing-channel wrinkle adds modest tail risk: where deceptive information is knowingly sent to an elder person or a person with a disability by telephone, email, or text, a court may add damages of up to ten thousand dollars per violation on top of the LUTPA recovery [^q8-lutpa-1409-1-elder].
+
+The durable takeaway for risk modeling: Louisiana has no omnibus-privacy class-action exposure on the horizon, but breach-notification timeliness and privacy-statement accuracy both carry genuine private-suit risk under statutes already in force.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Louisiana. This article synthesizes Louisiana primary law and is not legal advice from a Louisiana-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^ldpa-thresholds]: **La. R.S. 51:1780.2(A)** — "The provisions of this Chapter shall apply only to a person or entity that does business in the state and that satisfies one or more of the following thresholds: (1) Has annual gross revenues in excess of twenty-five million dollars. (2) Annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of seventy-five thousand or more consumers, households, or devices. (3) Derives fifty percent or more of its annual revenues from selling consumers' personal information." *La. R.S. 51:1780.2(A) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-consumer-def]: **La. R.S. 51:1780.1(7)** — "‘Consumer’ means an individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context." *La. R.S. 51:1780.1(7) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-personal-data-def]: **La. R.S. 51:1780.1(19)** — "‘Personal data’ means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term does not include deidentified data or publicly available information." *La. R.S. 51:1780.1(19) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-exemptions]: **La. R.S. 51:1780.2(B)** — "The provisions of this Chapter do not apply to any of the following items: (1) A state agency or a political subdivision of this state. (2) A financial institution and its affiliates or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and the rules and implementing regulations promulgated thereunder. (3) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 CFR Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq. (4) A nonprofit organization. (5) An institution of higher education. (6) An electric public utility as defined in R.S. 45:121. (7) A person, association, partnership, or corporation registered with the secretary of state as a conductor of public opinion polls pursuant to R.S. 14:325." *La. R.S. 51:1780.2(B) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-data-carveout-hipaa]: **La. R.S. 51:1780.2(C)(1)** — "Protected health information under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq." *La. R.S. 51:1780.2(C)(1) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-data-carveouts-sector-employment]: **La. R.S. 51:1780.2(C)(11)–(15)** — "The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (12) Personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq. (13) Personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g. (14) Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971, 12 U.S.C. 2001 et seq. (15) Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role." *La. R.S. 51:1780.2(C)(11)–(15) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^lutpa-1405-unlawful]: **La. R.S. 51:1405** — "Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful." *La. R.S. 51:1405(A).* <https://legis.la.gov/Legis/Law.aspx?d=104029>
+
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^ldpa-notice-contents]: **La. R.S. 51:1780.4(B)(1)** — "A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes all of the following: (a) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller. (b) The purpose for processing personal data. (c) A process on how consumers may exercise their consumer rights pursuant to R.S. 51:1780.3, including the process by which a consumer may appeal a controller's decision with regard to the consumer's request. (d) If applicable, the categories of personal data that the controller sells to third parties. (e) If applicable, the categories of third parties with whom the controller sells personal data. (f) A description of the methods required pursuant to R.S. 51:1780.3(E) through which consumers can submit requests to exercise their consumer rights under this Chapter." *La. R.S. 51:1780.4(B)(1) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-targeted-ads-disclosure]: **La. R.S. 51:1780.4(C)** — "If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process." *La. R.S. 51:1780.4(C) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-sensitive-sale-notice]: **La. R.S. 51:1780.4(B)(2)** — "If a controller engages in the sale of personal data that is sensitive, the controller shall post the following notice in the same manner as the privacy notice described in Subsection B of this Section: ‘NOTICE: We may sell your sensitive personal data.’" *La. R.S. 51:1780.4(B)(2) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-biometric-sale-notice]: **La. R.S. 51:1780.4(B)(3)** — "If a controller engages in the sale of personal data that is biometric data, the controller shall post the following notice in the same manner as the privacy notice described in Subsection B of this Section: ‘NOTICE: We may sell your biometric personal data.’" *La. R.S. 51:1780.4(B)(3) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-sensitive-consent]: **La. R.S. 51:1780.4(A)(2)(d)** — "Process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the rules, regulations, and the exceptions of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq." *La. R.S. 51:1780.4(A)(2)(d) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-sensitive-def]: **La. R.S. 51:1780.1(29)** — "‘Sensitive data’ means a category of personal data. The term includes any of the following: (a) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status. (b) Genetic or biometric data that is processed for the purpose of uniquely identifying an individual. (c) Personal data collected from a known child. (d) Precise geolocation data." *La. R.S. 51:1780.1(29) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-consent-def]: **La. R.S. 51:1780.1(6)** — "‘Consent’ when referring to a consumer means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action. The term does not include any of the following: (a) Acceptance in a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information. (b) Hovering over, muting, pausing, or closing a given piece of content. (c) Agreement obtained through the use of dark patterns." *La. R.S. 51:1780.1(6) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-broker-sensitive-sale]: **La. R.S. 51:1780.4(P)** — "A person or entity described by R.S. 51:1780.2(A)(3) may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer." *La. R.S. 51:1780.4(P)(1) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^q3-ldpa-exemptions]: **La. R.S. 51:1780.2(B)** — "The provisions of this Chapter do not apply to any of the following items: (1) A state agency or a political subdivision of this state. (2) A financial institution and its affiliates or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and the rules and implementing regulations promulgated thereunder. (3) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 CFR Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq. (4) A nonprofit organization. (5) An institution of higher education. (6) An electric public utility as defined in R.S. 45:121. (7) A person, association, partnership, or corporation registered with the secretary of state as a conductor of public opinion polls pursuant to R.S. 14:325." *La. R.S. 51:1780.2(B) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-dpa-assessments]: **La. R.S. 51:1780.4(E)(1)** — "A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data: (a) The processing of personal data for purposes of targeted advertising. (b) The sale of personal data. (c) The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of any of the following: (i) Unfair or deceptive treatment of or unlawful disparate impact on consumers. (ii) Financial, physical, or reputational injury to consumers. (iii) A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person. (iv) Other substantial injury to consumers. (d) The processing of sensitive data. (e) Any processing activities involving personal data that present a heightened risk of harm to consumers." *La. R.S. 51:1780.4(E)(1) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-dpa-not-retroactive]: **La. R.S. 51:1780.4(E)(7)** — "Data protection assessments are required for processing activities as of January 1, 2027, and are not retroactive." *La. R.S. 51:1780.4(E)(7) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-processor-contract]: **La. R.S. 51:1780.4(D)(2)** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall include all of the following: (a) Clear instructions for processing data. (b) The nature and purpose of processing. (c) The type of data subject to processing. (d) The duration of processing. (e) The rights and obligations of both parties. (f) A requirement that the processor shall do all of the following: (i) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data. (ii) At the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law. (iii) Make available to the controller, on reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of this Chapter. (iv) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. (v) Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data." *La. R.S. 51:1780.4(D)(2) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-processor-assist]: **La. R.S. 51:1780.4(D)(1)(b)** — "Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing personal data, and in relation to the notification of a breach of security of the processor's system pursuant to R.S. 51:3071 et seq." *La. R.S. 51:1780.4(D)(1)(b) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f)(1)–(3).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Oversee%20service%20providers%2C%20by%3A%20(1),continued%20adequacy%20of%20their%20safeguards.>
+
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,as%20required%20by%20%C2%A7%20164.410%3B>
+
+[^ldpa-rights-list]: **La. R.S. 51:1780.3(A)(2)** — "A controller shall comply with an authenticated consumer request to exercise the right to do any of the following: (a) Confirm whether a controller is processing the consumer's personal data and to access the personal data. (b) Correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data. (c) Delete personal data provided by or obtained about the consumer. (d) If the data is available in a digital format, obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance. (e) Opt out of the processing of the personal data for purposes of: (i) Targeted advertising. (ii) The sale of personal data. (iii) Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer." *La. R.S. 51:1780.3(A)(2) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-request-deadlines]: **La. R.S. 51:1780.3(B)** — "A controller shall respond to the consumer request without undue delay, which may not be later than the forty-fifth calendar day after the date of receipt of the request. The controller may extend the response period once by an additional forty-five days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five day response period, together with the reason for the extension. (3) If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, which may not be later than the forty-fifth calendar day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how to appeal the decision in accordance with Subsection C of this Section. (4) A controller shall provide information in response to a consumer request free of charge, up to twice annually per consumer." *La. R.S. 51:1780.3(B)(2)–(4) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-appeal-60-day]: **La. R.S. 51:1780.3(C)(3)** — "A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this Section not later than the sixtieth calendar day after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision." *La. R.S. 51:1780.3(C)(3) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-anti-waiver]: **La. R.S. 51:1780.3(D)** — "Any provision of a contract or agreement that waives or limits in any way a consumer right described in this Section is contrary to public policy and is void and unenforceable." *La. R.S. 51:1780.3(D) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-authorized-agent]: **La. R.S. 51:1780.3(E)(5)** — "A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data pursuant to Items (A)(2)(e)(i) and (ii) of this Section. A consumer may designate an authorized agent using a technology, including a link to a website, an internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the processing for targeted advertising, for sale of personal data, or both. A controller shall comply with an opt-out request received from an authorized agent under this Subsection if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. A controller is not required to comply with an opt-out request received from an authorized agent under this Subsection if any one of the following applies: (a) The authorized agent does not communicate the request to the controller in a clear and unambiguous manner. (b) The controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state. (c) The controller does not possess the ability to process the request. (d) The controller does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state." *La. R.S. 51:1780.3(E)(5) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-optout-tech-no-default]: **La. R.S. 51:1780.3(E)(6)** — "The technology described by this Subsection: (a) Shall not unfairly disadvantage another controller. (b) May not make use of a default setting, but shall require the consumer to make an affirmative, freely given, and unambiguous choice to indicate the consumer's intent to opt out of any processing of a consumer's personal data." *La. R.S. 51:1780.3(E)(6) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^breach-notice-duty]: **La. R.S. 51:3074(C)** — "Any person that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall, following discovery of a breach in the security of the system containing such data, notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *La. R.S. 51:3074(C).* <https://legis.la.gov/Legis/Law.aspx?d=322030>
+
+[^breach-60-day]: **La. R.S. 51:3074(E)** — "The notification required pursuant to Subsections C and D of this Section shall be made in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach, consistent with the legitimate needs of law enforcement, as provided in Subsection F of this Section, or any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the reasonable integrity of the data system." *La. R.S. 51:3074(E).* <https://legis.la.gov/Legis/Law.aspx?d=322030>
+
+[^breach-pi-def]: **La. R.S. 51:3073(4)** — "‘Personal information’ means the first name or first initial and last name of an individual resident of this state in combination with any one or more of the following data elements, when the name or the data element is not encrypted or redacted: (i) Social security number. (ii) Driver's license number or state identification card number. (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (iv) Passport number. (v) Biometric data." *La. R.S. 51:3073(4)(a).* <https://legis.la.gov/Legis/Law.aspx?d=322029>
+
+[^breach-reasonable-security]: **La. R.S. 51:3074(A)** — "Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information, shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." *La. R.S. 51:3074(A).* <https://legis.la.gov/Legis/Law.aspx?d=322030>
+
+[^breach-secure-destruction]: **La. R.S. 51:3074(B)** — "Any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data that includes personal information shall take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means." *La. R.S. 51:3074(B).* <https://legis.la.gov/Legis/Law.aspx?d=322030>
+
+[^breach-risk-of-harm]: **La. R.S. 51:3074(I)** — "Notification as provided in this Section shall not be required if after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to the residents of this state. The person or business shall retain a copy of the written determination and supporting documentation for five years from the date of discovery of the breach of the security system. If requested in writing, the person or business shall send a copy of the written determination and supporting documentation to the attorney general no later than thirty days from the date of receipt of the request." *La. R.S. 51:3074(I).* <https://legis.la.gov/Legis/Law.aspx?d=322030>
+
+[^breach-rulemaking-3077]: **La. R.S. 51:3077** — "The provisions of this Chapter shall not take effect until rules are promulgated by the attorney general's office." *La. R.S. 51:3077.* <https://legis.la.gov/Legis/Law.aspx?d=322033>
+
+[^breach-pra-3075]: **La. R.S. 51:3075** — "A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information." *La. R.S. 51:3075.* <https://legis.la.gov/Legis/Law.aspx?d=322031>
+
+[^ldpa-ag-enforce]: **La. R.S. 51:1780.5(A)** — "The attorney general shall enforce the provisions of this Chapter." *La. R.S. 51:1780.5(A) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^ldpa-lutpa-routing]: **La. R.S. 51:1780.5(C)** — "Any violation of the provisions of this Chapter shall constitute an unfair and deceptive trade practice pursuant to the Unfair Trade Practices and Consumer Protection Law, R.S. 51:1401 et seq., excluding private rights of action as provided in R.S. 51:1409 and 1409.1. Notwithstanding any other provision of law to the contrary, any monies received related to the attorney general's enforcement of this Chapter shall be used by the attorney general for consumer protection efforts or to promote consumer protection and education." *La. R.S. 51:1780.5(C) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^lutpa-1407-remedies]: **La. R.S. 51:1407** — "These courts are authorized to issue temporary restraining orders or preliminary and permanent injunctions to restrain and enjoin violations of this Chapter, and such restraining orders or injunctions shall be issued without bond. B. In addition to the remedies provided herein, the attorney general may request and the court may impose a civil penalty against any person found by the court to have engaged in any method, act, or practice in Louisiana declared to be unlawful under this Chapter. In the event the court finds the method, act, or practice to have been entered into with the intent to defraud, the court has the authority to impose a penalty not to exceed five thousand dollars for each violation." *La. R.S. 51:1407(A)–(B).* <https://legis.la.gov/Legis/Law.aspx?d=104031>
+
+[^ldpa-cure-window]: **La. R.S. 51:1780.5(D)** — "Beginning January 1, 2027, and ending July 31, 2027, before bringing an action pursuant to this Section, the attorney general shall notify a person in writing, not later than the thirtieth calendar day before initiating an investigation, identifying the specific provisions of this Chapter the attorney general alleges is being violated. The attorney general shall not initiate an investigation against the person if the person does all of the following: (1) Cures the alleged violation identified by the attorney general within the thirty-day period. (2) Provides the attorney general with a written statement that the person cured the alleged violation. (3) Submits supportive documentation to the attorney general to show how the privacy violation was cured. (4) Changes are made to the internal policy, if necessary, to ensure that no such further violations occur." *La. R.S. 51:1780.5(D) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^breach-utpa-tiein]: **La. R.S. 51:3074(J)** — "A violation of a provision of this Chapter shall constitute an unfair act or practice pursuant to R.S. 51:1405(A)." *La. R.S. 51:3074(J).* <https://legis.la.gov/Legis/Law.aspx?d=322030>
+
+[^q8-ldpa-pra-exclusion]: **La. R.S. 51:1780.5(C)** — "Any violation of the provisions of this Chapter shall constitute an unfair and deceptive trade practice pursuant to the Unfair Trade Practices and Consumer Protection Law, R.S. 51:1401 et seq., excluding private rights of action as provided in R.S. 51:1409 and 1409.1." *La. R.S. 51:1780.5(C) (Act No. 502 of 2026, eff. Jan. 1, 2027).* <https://legis.la.gov/legis/ViewDocument.aspx?d=1475339>
+
+[^q8-breach-pra-3075]: **La. R.S. 51:3075** — "A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person's personal information." *La. R.S. 51:3075.* <https://legis.la.gov/Legis/Law.aspx?d=322031>
+
+[^q8-lutpa-1409-pra]: **La. R.S. 51:1409** — "Any person who suffers any ascertainable loss of money or movable property, corporeal or incorporeal, as a result of the use or employment by another person of an unfair or deceptive method, act, or practice declared unlawful by R.S. 51:1405, may bring an action individually but not in a representative capacity to recover actual damages. If the court finds the unfair or deceptive method, act, or practice was knowingly used, after being put on notice by the attorney general, the court shall award three times the actual damages sustained. In the event that damages are awarded under this Section, the court shall award to the person bringing such action reasonable attorney fees and costs." *La. R.S. 51:1409(A).* <https://legis.la.gov/Legis/Law.aspx?d=104033>
+
+[^q8-lutpa-1409-1-elder]: **La. R.S. 51:1409.1** — "In addition to any damages to which a person is entitled pursuant to R.S. 51:1409, the court may award damages not to exceed ten thousand dollars per violation if a person knowingly sends deceptive information to any elder person or person with a disability, as those terms are defined in R.S. 51:1402, who suffers damage or injury as a result of an offense or violation described in this Chapter through marketing by telephone, electronic mail, or text messaging." *La. R.S. 51:1409.1(B).* <https://legis.la.gov/Legis/Law.aspx?d=1148223>

package/skills/legal-explainers/data-privacy-law-explainer/content/maine.md

@@ -0,0 +1,163 @@
+---
+jurisdiction: "Maine"
+slug: maine
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/maine
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/maine · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Maine Consumer Privacy Law[^about]
+
+Maine has no comprehensive consumer-privacy statute — LD 1822 was placed in the Legislative Files (DEAD) on April 13, 2026 after the chambers insisted on opposing enactment positions — but it has the nation's strictest ISP privacy law (35-A M.R.S. § 9301, opt-in consent) plus a 30-day breach-notice clock under the Notice of Risk to Personal Data Act.
+
+
+## At a glance
+
+| Question | Maine |
+| --- | --- |
+| **Law coverage** | Specific data types only |
+| **Summary** | Maine has no comprehensive consumer-privacy law — the Maine Online Data Privacy Act (LD 1822) was placed in the Legislative Files (DEAD) on April 13, 2026 after the chambers insisted on opposing enactment positions — but it does have the nation's strictest ISP privacy statute, which since July 1, 2020 has required broadband providers serving Maine customers to get opt-in consent before using, disclosing, or selling customer personal information. Every other business builds to the Notice of Risk to Personal Data Act's 30-day breach-notice clock, the Maine Unfair Trade Practices Act, and the federal overlay. |
+| **Main law** | 35-A M.R.S. § 9301 (broadband ISP opt-in privacy law, eff. July 1, 2020) plus the Notice of Risk to Personal Data Act, 10 M.R.S. §§ 1346–1350-B — Maine has no comprehensive consumer-privacy statute |
+| **Privacy policy required?** | No general mandate — broadband providers must post a clear notice of customers' opt-in rights at the point of sale and on their website; for everyone else, policy contents are driven by FTC Act § 5 and the GLBA, HIPAA, and COPPA overlay |
+| **Who does it cover?** | The ISP law reaches only broadband providers serving customers physically located and billed in Maine; the breach act reaches any person maintaining computerized personal information of Maine residents — including state agencies, municipalities, and universities — with no revenue or volume threshold |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | Policy required only for specific data |
+| **Consent for sensitive data?** | Only for certain data types |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | None under the breach act (regulator/AG-enforced) and none stated in the ISP law; Maine UTPA § 213 gives consumer purchasers a restitution-oriented action for loss of money or property from unfair or deceptive practices |
+| **Who enforces it?** | Maine Attorney General; Department of Professional and Financial Regulation regulators for licensed entities (Bureau of Insurance superintendent for insurance licensees) |
+
+## Which privacy laws apply to your business in Maine? {#which-privacy-laws-apply}
+
+**Short answer.** Maine regulates privacy by sector, not across the board — there is no comprehensive consumer-privacy law. The state's headline statute is the broadband privacy law, 35-A M.R.S. § 9301, the strictest ISP privacy rule in the country: a broadband provider may not use, disclose, sell, or permit access to customer personal information without the customer's opt-in consent [^isp-ban], but it applies only to providers serving customers that are physically located and billed for service in Maine [^isp-scope]. For every other business, the operative state statute is the Notice of Risk to Personal Data Act, Maine's breach-notification law, which reaches essentially any person or entity — including government agencies and universities — that maintains computerized personal information [^breach-person].
+
+Maine came within a few votes of joining the comprehensive-statute states. LD 1822, the Maine Online Data Privacy Act, would have enacted a new 10 M.R.S. chapter 1057 — a strict data-minimization regime modeled on Maryland's law, enforced exclusively by the Attorney General — but it died between the chambers: on April 9, 2026 the House defeated the motion to recede and concur in enactment by a vote of 70 to 79 (Roll Call 800), the Senate insisted on its position on April 13, 2026, and the bill was placed in the Legislative Files, ending it for the session. It is dead, not pending. Given how close the margin was, a re-pass attempt in the next Legislature is plausible, so the comprehensive-bill question is a watch item — but as of this writing nothing is pending, and none of the duties the bill would have created are law.
+
+The practical consequence: Maine residents have no general state-law rights to access, delete, or correct their personal data, no right to opt out of its sale by ordinary businesses, and no Maine law recognizes universal opt-out preference signals. What exists instead is a scoped framework. The broadband law governs ISPs. The breach act governs incident response for everyone. Two sectoral statutes add duties for specific industries: the Maine Insurance Data Security Act requires insurance licensees to maintain a comprehensive written information security program [^insurance-infosec], and the Student Information Privacy Act bars K-12 ed-tech operators from using student data for targeted advertising, profiling, or sale without parental or eligible-student consent [^student-privacy]. The Maine Unfair Trade Practices Act supplies the general deception backstop, and the federal overlay — FTC Act § 5, GLBA for financial institutions, HIPAA for covered health entities, COPPA for child-directed services — carries the rest of a Maine-facing privacy program.
+
+## Does Maine's broadband privacy law require opt-in consent? {#broadband-opt-in-consent}
+
+**Short answer.** Yes — if you are a broadband provider serving Maine customers. Since July 1, 2020, a provider may use, disclose, sell, or permit access to a customer's personal information only if the customer gives express, affirmative consent, which the customer may revoke at any time [^optin-consent]. The statute also bans pay-for-privacy: a provider may not refuse to serve a customer who withholds consent [^no-penalty], and may not charge a penalty or offer a discount based on the consent decision [^no-penalty]. This opt-in default is unusually strict for broadband privacy, and the FCC rules Congress repealed in 2017 were the model this statute revived at the state level.
+
+The scope is precise and narrow. The law covers *broadband Internet access service* — mass-market retail Internet service — and the duty runs only to providers operating in Maine when serving customers physically located and billed in the state. It does not apply to websites, apps, advertisers, or any ordinary business. *Customer personal information* is defined expansively: identifying information such as name, billing information, and Social Security number, plus usage data including web browsing history, application usage history, precise geolocation, financial and health information, device identifiers, and the content of communications.
+
+Three softer edges sit alongside the opt-in core. First, information that is *not* customer personal information runs on opt-out — a provider may use it unless the customer gives written notice withholding permission [^noncpi-optout]. Second, the statute carves out operational uses: a provider may collect, retain, use, disclose, sell and permit access to customer personal information without customer approval [^exceptions] for purposes such as providing the service itself, marketing the provider's own communications-related services, billing and collection, complying with court orders, fraud protection, and emergency-services geolocation. Third, providers owe a freestanding security duty — reasonable measures to protect customer personal information from unauthorized use, disclosure, or access, scaled to the provider's size, activities, and data sensitivity [^security-duty].
+
+How the law is enforced is a genuine open question. Section 9301 prescribes duties but states no penalty, no express enforcement mechanism, and no private right of action, and no Maine enforcement action or merits decision applying it to a provider appears in the public record. Plausible routes — an Unfair Trade Practices Act theory, Public Utilities Commission authority, or an implied action — remain untested. A federal First Amendment challenge by national ISP trade associations (*ACA Connects v. Frey*, D. Me.) would have tested the statute's validity; after the district court denied plaintiffs' motion for judgment on the pleadings, plaintiffs voluntarily dismissed the case on September 2, 2022 before final merits judgment. The statute remains intact and unenjoined, but its constitutionality was never finally adjudicated, and its enforcement machinery has never been exercised.
+
+## Does Maine require your business to post a privacy policy? {#privacy-policy-required}
+
+**Short answer.** For most businesses, no — no Maine statute of general application requires a consumer privacy policy or fixes its contents. The one Maine-specific posting duty falls on broadband providers, which must give every customer a clear, conspicuous, and nondeceptive notice — at the point of sale and on the provider's public website — of the provider's obligations and the customer's rights under the opt-in law [^isp-notice]. For everyone else, FTC Act § 5 supplies the general federal unfair-or-deceptive-practices hook, so whatever you publish has to match what you do [^ftc5-deceptive].
+
+The contents of a Maine-facing privacy policy are therefore overlay-driven. A financial institution may not share nonpublic personal information with nonaffiliated third parties without first delivering the GLBA privacy notice [^glba-notice]. A HIPAA covered entity must give individuals a notice of privacy practices describing the uses and disclosures of their protected health information, their rights, and the entity's duties [^hipaa-notice]. A service directed to children under 13 owes COPPA's online notice and verifiable parental consent. Outside those verticals, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct. Maine's Unfair Trade Practices Act tracks FTC Act § 5 by design, so a deceptive policy is exposed under state law on the same theory. Had LD 1822 passed, Maine would have imposed a statutory notice with fixed contents on covered businesses; with the bill dead, no such state checklist exists.
+
+## What must your contracts with vendors say under Maine law? {#vendor-contracts}
+
+**Short answer.** There is no Maine omnibus data-processing-agreement requirement — no statute of general application prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs. The vendor duties that do exist are sectoral. An insurance licensee must require each third-party service provider to implement appropriate administrative, technical, and physical safeguards for the nonpublic information the provider holds [^insurance-vendor]. No later than January 1, 2027, an insurance licensee must also require third-party service providers to notify it of certain materially harmful cybersecurity events affecting nonpublic information obtained from the licensee [^insurance-vendor-notice]. A K-12 ed-tech operator disclosing student data to a service provider must contractually prohibit the provider from using the data for any purpose other than the contracted service [^student-vendor].
+
+The federal overlay supplies the rest. The GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement and maintain appropriate safeguards [^glba-safeguards]; HIPAA requires a written business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor flow-down terms before protected health information is shared [^hipaa-baa]. Outside those regimes, carrying the same protections forward — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion at the end of the engagement — is best practice rather than a Maine mandate.
+
+One Maine statute does reach every vendor relationship at the moment of failure: under the breach act, a third party that maintains computerized personal information on another person's behalf must notify that person immediately after discovering a breach in which the personal information was, or is reasonably believed to have been, acquired by an unauthorized person [^breach-thirdparty]. Writing that statutory duty into the contract — with a defined notice window and cooperation obligations — converts a bare legal floor into an enforceable workflow, and it matters because the notification clocks discussed in the next section start running against the data owner.
+
+## When must you notify people of a data breach in Maine? {#breach-notification}
+
+**Short answer.** Within 30 days of becoming aware of the breach and identifying its scope, if notice is required at all [^breach-30-day]. The trigger is two-tiered. An ordinary business must investigate promptly and notify affected Maine residents if misuse of their personal information has occurred or is reasonably possible [^breach-general-trigger]. An *information broker* — a business that compiles personal information about individuals to furnish to third parties — faces a stricter, acquisition-based trigger: it must notify residents whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person, with no misuse-likelihood screen [^breach-broker-trigger]. Whenever resident notice is required, you must also notify the appropriate state regulator — the Department of Professional and Financial Regulation for entities it licenses, otherwise the Attorney General [^breach-regulator-notice].
+
+The Notice of Risk to Personal Data Act defines a *security breach* as the unauthorized acquisition, release, or use of computerized data containing personal information that compromises its security, confidentiality, or integrity, with a good-faith-employee carve-out [^breach-definition]. *Personal information* is the familiar name-plus-data-element formula — name combined with an unencrypted or unredacted Social Security number, driver's license or state ID number, account or card number usable without additional credentials, or passwords and access codes — plus a catchall for data elements that alone would let someone assume the resident's identity [^breach-personal-info]. Encryption and redaction take data outside the definition, which makes them the practical safe harbor [^breach-personal-info].
+
+Two more clocks sit alongside the resident notice. If a single breach requires notifying more than 1,000 persons at once, you must also tell the nationwide consumer reporting agencies without unreasonable delay [^breach-cra-notice]. And if you are an insurance licensee, the Maine Insurance Data Security Act — in force since January 1, 2022 — adds a much faster regulator clock: notice to the Bureau of Insurance superintendent as promptly as possible and no later than 3 business days after determining a cybersecurity event occurred, where Maine is the carrier's domicile or producer's home state, or where the event involves 250 or more Maine consumers and either is otherwise reportable to a government, self-regulatory, or supervisory body or is reasonably likely to materially harm a Maine consumer or a material part of operations [^insurance-3day]. Notification may be delayed for law enforcement, but once an investigation no longer requires delay, the statute allows no more than 7 business days after law enforcement clears it. A person that complies with at-least-as-protective federal or state notification procedures is deemed compliant with the Maine resident-notice section, which may be relevant for entities subject to those federal or state procedures [^breach-deemed-compliance].
+
+## Can a consumer sue your business in Maine over privacy? {#consumer-lawsuit}
+
+**Short answer.** Not under the breach act, and not expressly under the broadband privacy law. The Notice of Risk to Personal Data Act is enforced publicly: the Department of Professional and Financial Regulation enforces it against the entities it licenses, and the Attorney General enforces it against everyone else [^breach-enforcement]. A violation is a civil violation punishable by a fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation [^breach-penalties], plus equitable relief and injunctions. The route a Maine consumer does have is the Unfair Trade Practices Act: a person who buys goods or services for personal, family, or household purposes and suffers a loss of money or property from an unfair or deceptive practice may sue for actual damages, restitution, and equitable relief [^utpa-pra].
+
+The UTPA's private remedy is real but restitution-oriented and narrower than the data-rights actions in comprehensive-statute states. Standing is limited to consumer purchasers; the plaintiff must show a loss of money or property — a contested hurdle in pure data-exposure cases where no fraud or out-of-pocket loss has occurred; and at least 30 days before filing a damages action, the claimant must mail or deliver a written demand for relief describing the practice and the injuries [^utpa-demand]. The statute's draw for plaintiffs is mandatory fee-shifting: a petitioner who establishes a violation recovers reasonable attorney's fees and costs irrespective of the amount in controversy [^utpa-fees].
+
+Public enforcement carries the heavier artillery. The substantive prohibition is broad — unfair methods of competition and unfair or deceptive acts or practices in trade or commerce are unlawful and construed in line with FTC interpretations [^utpa-207] — and the Attorney General can seek injunctions and restitution [^utpa-ag-remedies], plus a civil penalty of up to $10,000 for each intentional violation [^utpa-ag-penalty]. How any of this maps onto the broadband privacy law remains the open question flagged above: § 9301 prescribes duties without its own penalty or enforcement provision, so whether a violation would be pursued as an unfair trade practice, through utility regulation, or otherwise is untested. A business subject to it should assume the AG would find a route rather than treat the silence as a free pass — but a consumer plaintiff invoking § 9301 directly would be in uncharted territory.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Maine. This article synthesizes Maine primary law and is not legal advice from a Maine-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^isp-ban]: **35-A M.R.S. § 9301** — "A provider may not use, disclose, sell or permit access to customer personal information" *35-A M.R.S. § 9301(2).* <https://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html>
+
+[^isp-scope]: **35-A M.R.S. § 9301** — "The requirements of this section apply to providers operating within the State when providing broadband Internet access service to customers that are physically located and billed for service received in the State." *35-A M.R.S. § 9301(7).* <https://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html>
+
+[^breach-person]: **10 M.R.S. § 1347** — "‘Person’ means an individual, partnership, corporation, limited liability company, trust, estate, cooperative, association or other entity, including agencies of State Government, municipalities, school administrative units, the University of Maine System, the Maine Community College System, Maine Maritime Academy and private colleges and universities." *10 M.R.S. § 1347(5).* <https://legislature.maine.gov/statutes/10/title10sec1347.html>
+
+[^insurance-infosec]: **24-A M.R.S. § 2264** — "a licensee shall develop, implement and maintain a comprehensive, written information security program based on the licensee's risk assessment and containing administrative, technical and physical safeguards for the protection of nonpublic information and the licensee's information systems" *24-A M.R.S. § 2264(1).* <https://legislature.maine.gov/statutes/24-A/title24-Asec2264.html>
+
+[^student-privacy]: **20-A M.R.S. § 953** — "An operator may not knowingly engage in any of the following activities with respect to the operator's website, service or application without explicit written or electronic consent from a student's parent or an eligible student:" *20-A M.R.S. § 953(1)(A)-(C).* <https://legislature.maine.gov/statutes/20-A/title20-Asec953.html>
+
+[^optin-consent]: **35-A M.R.S. § 9301** — "A provider may use, disclose, sell or permit access to a customer's customer personal information if the customer gives the provider express, affirmative consent to such use, disclosure, sale or access. A customer may revoke the customer's consent under this paragraph at any time." *35-A M.R.S. § 9301(3)(A).* <https://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html>
+
+[^no-penalty]: **35-A M.R.S. § 9301** — "Charge a customer a penalty or offer a customer a discount based on the customer's decision to provide or not provide consent under paragraph A" *35-A M.R.S. § 9301(3)(B)(2).* <https://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html>
+
+[^noncpi-optout]: **35-A M.R.S. § 9301** — "A provider may use, disclose, sell or permit access to information the provider collects pertaining to a customer that is not customer personal information, except upon written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell or permit access to that information." *35-A M.R.S. § 9301(3)(C).* <https://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html>
+
+[^exceptions]: **35-A M.R.S. § 9301** — "a provider may collect, retain, use, disclose, sell and permit access to customer personal information without customer approval" *35-A M.R.S. § 9301(4).* <https://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html>
+
+[^security-duty]: **35-A M.R.S. § 9301** — "A provider shall take reasonable measures to protect customer personal information from unauthorized use, disclosure or access." *35-A M.R.S. § 9301(5).* <https://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html>
+
+[^isp-notice]: **35-A M.R.S. § 9301** — "A provider shall provide to each of the provider's customers a clear, conspicuous and nondeceptive notice at the point of sale and on the provider's publicly accessible website of the provider's obligations and a customer's rights under this section." *35-A M.R.S. § 9301(6).* <https://legislature.maine.gov/statutes/35-A/title35-Asec9301-3.html>
+
+[^ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^glba-notice]: **GLBA Privacy Notice** — "a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title" *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=a%20financial%20institution%20may%20not%2C,section%206803%20of%20this%20title>
+
+[^hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^insurance-vendor]: **24-A M.R.S. § 2264** — "Require each 3rd-party service provider to implement appropriate administrative, technical and physical safeguards to protect and secure the information systems and nonpublic information that are accessible to or held by the 3rd-party service provider" *24-A M.R.S. § 2264(6)(B).* <https://legislature.maine.gov/statutes/24-A/title24-Asec2264.html>
+
+[^insurance-vendor-notice]: **24-A M.R.S. § 2264** — "No later than January 1, 2027, require each 3rd-party service provider to notify the licensee when the 3rd-party service provider becomes aware of any cybersecurity event affecting nonpublic information obtained from the licensee that has occurred in an information system maintained by the 3rd-party service provider or by an ancillary service provider if the cybersecurity event has a reasonable likelihood of materially harming any consumer or any material part of the normal operations of the licensee." *24-A M.R.S. § 2264(6)(C).* <https://legislature.maine.gov/statutes/24-A/title24-Asec2264.html>
+
+[^student-vendor]: **20-A M.R.S. § 953** — "Prohibits the service provider from using any student data for any purpose other than providing the contracted service to, or on behalf of, the operator" *20-A M.R.S. § 953(1)(D)(6)(a).* <https://legislature.maine.gov/statutes/20-A/title20-Asec953.html>
+
+[^glba-safeguards]: **GLBA Safeguards Rule** — "Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards." *16 C.F.R. § 314.4(f).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Oversee%20service%20providers%2C%20by%3A%20(1),continued%20adequacy%20of%20their%20safeguards.>
+
+[^hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information>
+
+[^breach-thirdparty]: **10 M.R.S. § 1348** — "A 3rd-party entity that maintains, on behalf of a person, computerized data that includes personal information that the 3rd-party entity does not own shall notify the person maintaining personal information of a breach of the security of the system immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *10 M.R.S. § 1348(2).* <https://legislature.maine.gov/statutes/10/title10sec1348.html>
+
+[^breach-30-day]: **10 M.R.S. § 1348** — "If there is no delay of notification due to law enforcement investigation pursuant to subsection 3, the notices must be made no more than 30 days after the person identified in paragraph A or B becomes aware of a breach of security and identifies its scope." *10 M.R.S. § 1348(1).* <https://legislature.maine.gov/statutes/10/title10sec1348.html>
+
+[^breach-general-trigger]: **10 M.R.S. § 1348** — "If any other person who maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the person shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State if misuse of the personal information has occurred or if it is reasonably possible that misuse will occur." *10 M.R.S. § 1348(1)(B).* <https://legislature.maine.gov/statutes/10/title10sec1348.html>
+
+[^breach-broker-trigger]: **10 M.R.S. § 1348** — "If an information broker that maintains computerized data that includes personal information becomes aware of a breach of the security of the system, the information broker shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused and shall give notice of a breach of the security of the system following discovery or notification of the security breach to a resident of this State whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person." *10 M.R.S. § 1348(1)(A).* <https://legislature.maine.gov/statutes/10/title10sec1348.html>
+
+[^breach-regulator-notice]: **10 M.R.S. § 1348** — "When notice of a breach of the security of the system is required under subsection 1, the person shall notify the appropriate state regulators within the Department of Professional and Financial Regulation, or if the person is not regulated by the department, the Attorney General." *10 M.R.S. § 1348(5).* <https://legislature.maine.gov/statutes/10/title10sec1348.html>
+
+[^breach-definition]: **10 M.R.S. § 1347** — "‘Breach of the security of the system’ or ‘security breach’ means unauthorized acquisition, release or use of an individual's computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person." *10 M.R.S. § 1347(1).* <https://legislature.maine.gov/statutes/10/title10sec1347.html>
+
+[^breach-personal-info]: **10 M.R.S. § 1347** — "‘Personal information’ means an individual's first name, or first initial, and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:" *10 M.R.S. § 1347(6).* <https://legislature.maine.gov/statutes/10/title10sec1347.html>
+
+[^breach-cra-notice]: **10 M.R.S. § 1348** — "If a person discovers a breach of the security of the system that requires notification to more than 1,000 persons at a single time, the person shall also notify, without unreasonable delay, consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 United States Code, Section 1681a(p)." *10 M.R.S. § 1348(4).* <https://legislature.maine.gov/statutes/10/title10sec1348.html>
+
+[^insurance-3day]: **24-A M.R.S. § 2266** — "Notwithstanding Title 10, chapter 210‑B, a licensee shall notify the superintendent as promptly as possible but in no event later than 3 business days from a determination that a cybersecurity event has occurred if:" *24-A M.R.S. § 2266(1).* <https://legislature.maine.gov/statutes/24-A/title24-Asec2266.html>
+
+[^breach-deemed-compliance]: **10 M.R.S. § 1349** — "A person that complies with the security breach notification requirements of rules, regulations, procedures or guidelines established pursuant to federal law or the law of this State is deemed to be in compliance with the requirements of section 1348 as long as the law, rules, regulations or guidelines provide for notification procedures at least as protective as the notification requirements of section 1348." *10 M.R.S. § 1349(4).* <https://legislature.maine.gov/statutes/10/title10sec1349.html>
+
+[^breach-enforcement]: **10 M.R.S. § 1349** — "The appropriate state regulators within the Department of Professional and Financial Regulation shall enforce this chapter for any person that is licensed or regulated by those regulators. The Attorney General shall enforce this chapter for all other persons." *10 M.R.S. § 1349(1).* <https://legislature.maine.gov/statutes/10/title10sec1349.html>
+
+[^breach-penalties]: **10 M.R.S. § 1349** — "A person that violates this chapter commits a civil violation and is subject to one or more of the following:" *10 M.R.S. § 1349(2).* <https://legislature.maine.gov/statutes/10/title10sec1349.html>
+
+[^utpa-pra]: **5 M.R.S. § 213** — "Any person who purchases or leases goods, services or property, real or personal, primarily for personal, family or household purposes and thereby suffers any loss of money or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by section 207 or by any rule or regulation issued under section 207, subsection 2 may bring an action either in the Superior Court or District Court for actual damages, restitution and for such other equitable relief, including an injunction, as the court determines to be necessary and proper." *5 M.R.S. § 213(1).* <https://legislature.maine.gov/statutes/5/title5sec213.html>
+
+[^utpa-demand]: **5 M.R.S. § 213** — "At least 30 days prior to the filing of an action for damages, a written demand for relief, identifying the claimant and reasonably describing the unfair and deceptive act or practice relied upon and the injuries suffered, must be mailed or delivered to any prospective respondent at the respondent's last known address." *5 M.R.S. § 213(1-A).* <https://legislature.maine.gov/statutes/5/title5sec213.html>
+
+[^utpa-fees]: **5 M.R.S. § 213** — "If the court finds, in any action commenced under this section that there has been a violation of section 207, the petitioner shall, in addition to other relief provided for by this section and irrespective of the amount in controversy, be awarded reasonable attorney's fees and costs incurred in connection with said action." *5 M.R.S. § 213(2).* <https://legislature.maine.gov/statutes/5/title5sec213.html>
+
+[^utpa-207]: **5 M.R.S. § 207** — "Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful" *5 M.R.S. § 207, § 207(1).* <https://legislature.maine.gov/statutes/5/title5sec207.html>
+
+[^utpa-ag-remedies]: **5 M.R.S. § 209** — "Whenever the Attorney General has reason to believe that a person is using or is about to use any method, act or practice declared by section 207 to be unlawful, and that proceedings would be in the public interest, the Attorney General may bring an action in the name of the State against the person to restrain by temporary or permanent injunction the use of the method, act or practice and the court may make such other orders or judgments as may be necessary to restore to any person who has suffered any ascertainable loss by reason of the use or employment of the unlawful method, act or practice, any moneys or property, real or personal, that may have been acquired by means of the method, act or practice." *5 M.R.S. § 209.* <https://legislature.maine.gov/statutes/5/title5sec209.html>
+
+[^utpa-ag-penalty]: **5 M.R.S. § 209** — "Each intentional violation of section 207 in which the Attorney General establishes that the conduct giving rise to the violation is either unfair or deceptive is a violation for which a civil penalty of not more than $10,000 shall be adjudged." *5 M.R.S. § 209.* <https://legislature.maine.gov/statutes/5/title5sec209.html>