Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Third Parties must notify the ME Data Owner immediately, if breached
  • Violations can incur large penalties
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply

Who Me?


Maine breach and notification laws may apply if you:

  • Are a person or an information broker that maintains computerized data containing PII 
  • Maintain computerized data containing PII, on behalf of a person, that you do not own 

 There are exemptions.

What is PII?


PII relevant to a breach in Maine includes a person's name plus one of the following:

  • Social Security Number
  • Driver license or state identification number
  • Account number or credit or debit card, if it can be used without access codes, etc.
  • Account passwords or personal identification numbers, etc.
  • Any of the above without the individual's name, if it is sufficient for identity theft



A few applicable statutes include, but are not limited to:

Maine Revised Statutes

Title 10: Commerce And Trade, Part 3: Regulation Of Trade / Chapter 210-B: Notice Of Risk To Personal Data / §1346. Short Title: “The Notice of Risk to Personal Data Act,” and §1347 to §1350-b



State regulators within the Department of Professional and Financial Regulation enforce the law for any person that is licensed or regulated by those regulators. The attorney general enforces the law for all other persons. A person who violates the law commits a civil violation and is subject to a fine of not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation, equitable relief, or enjoinment from further violations.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was encrypted or redacted;
  • If the data included any kind of key or password;
  • If it was acquired by an unauthorized person.


The notification may be delayed if law enforcement indicates the notification may interfere with an investigation. Otherwise, notification is required to be made in the most expedient time possible and without unreasonable delay. If law enforcement delayed the notification for an investigation, notification must be made within seven (7) business days after the investigation is completed.


Requires detailed information and potential provision of services

The notification may be delivered in written form or electronically (consistent with US Code Section 7001 of Title 15).

A substitute notice, with specific requirements, may be sent if the cost of providing the notice would exceed $5,000, or the number of persons to be notified exceeds 1,000, or sufficient contact information is not available.
