Maine is stepping into the privacy mix with a possible biometric law and a possible CCPA-like law.

The biometric law, proposed by State Representative Maggie O’Neil, is generally similar to Illinois’ BIPA, even including a private right of action. But there are some notable differences:

  • Processor exception: A processor is not required to comply with the requirements of this chapter with respect to the biometric identifiers that the processor stores, processes or otherwise uses under an agreement with another private entity with which the processor is not affiliated through common ownership.
  • However, a processor cannot deal with the biometric information unless: 1) it has received affirmative written consent from the individual to whom the biometric identifier pertains to perform the action; and 2) the action falls within the terms and conditions of an agreement between the processor and the private entity that owns or controls the biometric identifier.
  • Retention is similar to Texas’ CUBI: the earlier of (1) no longer necessary for the purpose or (2) one year since last interaction.
  • Employer exception: privacy notice not required if the employer only collects biometric information of employees and uses the information only internally.
  • However, an employer would still need to provide such notice if it a) has employees in CA, or b) Maine’s proposed CCPA-like bill passes.
  • Access request: A detailed disclosure to the individual is required upon request, including information regarding the source of the information, with whom it is shared, etc.