Maine Data Privacy and Protection Act


Section 1 - Description


Section 2 - Scope


Section 3 - Requirements


Section 4 - Penalties


Section 5 - Status

Section 1


The proposed bill would provide consumers with additional rights related to how their data is collected and used. Organizations must comply with these additional rights and are also obligated to conduct impact assessments for algorithms that pose harm to individuals. 

This guide focuses on the aspects that relate to the usage and assessment of AI algorithms.

Section 2


Individuals who determine the means for collecting and using personal data on behalf of a company are required to conduct an impact assessment for any algorithm that poses a risk to individual rights. This bill defines “algorithms”  as any computational process that uses machine learning, natural language processing, or artificial techniques to make or facilitate decisions.

Section 3


The impact assessment must contain the following:

  • A description of the design of the algorithm, including a description of the input data and the outputs
  • A statement of the purpose of the algorithm
  • An assessment of the “necessity and proportionality” of the algorithm as it relates to the stated purpose
  • A detailed description of the potential harms posed by the algorithm and the steps taken to mitigate those harms.

While the bill isn’t prescriptive on how organizations should evaluate and mitigate against risk, it does mention a few areas of focus. In terms of applications, the bill mentions algorithms that impact access to housing, education, employment, healthcare, insurance and credit. And in terms of the protected categories, the bill mentions race, religion, nationality, sex, disability and political party registration status. 
The impact assessment must be conducted before the algorithm is implemented. The report must be submitted to Maine’s Attorney General within 30 days of conducting the assessment. A summary of the report must be made publicly available online. The bill does not require recertification for deployed algorithms on a regular basis.

Section 4


The Attorney General of Maine may bring civil action against any organization that fails to comply with any of the requirements in this bill, including the need for an impact assessment.

The bill also allows individuals to seek damages if they believe their rights under the proposed act have been violated. If the plaintiff prevails, the court may award damages of no less than $5,000 per individual per violation.

Section 5


The bill has not passed yet and is currently under consideration by the Maine House of Representatives. If passed, the requirements would take effect in December 2023.