The Maine Event: The Good, The Bad and The Unenforceable

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

A Discussion of Maine’s new Privacy Law

Maine is a beautiful State. Ever since I visited for the first time, in 2005, I wanted to come back. If you invite me, I will!

Maine also just passed a very interesting law that I want to talk about today. The Act To Prevent Predatory Marketing Practices against Minors is, perhaps, the first of its kind by a State in the USA. You can find a link to the act here and also at my   USA Privacy Laws page I love this act, but I think its reach exceeded its grasp. If I am wrong (which a part of me hopes I am), than all our work as security professionals has just received a new, major, challenge.


The Good

This act is an example of an enlightened act, which seeks to clearly define its scope. No more vague references (not many, in any case) to “private information. This act takes the step of calling out what “private information” is, and thusly covered, by it. For example:


An individual’s first name, or first initial, and last name;

B.  A home or other physical address;

C.  A social security number;

D.  A driver’s license number or state identification card number


 another example:

"Health-related information" means any information about an individual or a member of the individual’s family relating to health, nutrition, drug or medication use, physical or bodily condition, mental health, medical history, medical insurance coverage or claims or other similar data.


This is very cool. It not only lets judges in court make the CORRECT decision (unlike the ones I don’t agree with, such as here), but allows us, the practitioners that must assure compliance, to know exactly what is and what is not included, thus making our job easier.

Next, from my lay-man’s read of “Verifiable parental consent”, it seems that the law allows me, as a parent, to have a say in what my kids see, do and how their information gets disclosed or shared on the Tubes. Very very good. I had my share of issues with Facebook and with Microsoft not complying with my read of the COPPA act (see, and I am very sensitive to these issues.

Also, as a parent, I very much appreciate the clause “It is unlawful for a person to knowingly collect or receive health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent of that minor’s parent or legal guardian.” Cool. I don’t need spammers to have easy access to my kids’ address. This is very important, especially when you consider the next sentence, specially calling out health-related information. That phrase goes even further. By my read, if the health information is about a minor, and if it identifies the kid, it does NOT matter if you obtained it legally. You still may NOT transfer or sell it.

The law also creates what is known as a private cause for action whereby an effected individual (and presumably here, his parents) can sue the seller or sharer of such private information This cause of action is great to assure compliance of this law.


The Bad

Ironically, the same "Verifiable parental consent" clause that I love above, is a black hole of despair here. The sentence “any reasonable effort, taking into consideration available technology,…” seems so ripe to be misunderstood as to literally require the services of a corporate attorney to untangle.

Further, just like many other laws, it might be easier to laugh at this law and choose not to comply. The damages, other than injunction, specified here are up to $250 per incident, or $750 if the sharing was done aforethought. The persons who will get rich by this law are the attorneys: where they can provide proof of class-action, these $750 per disclosure can really add up..


The Unenforceable?

My readers know just how much value I place in this compact that we call The US Constitution.

Unfortunately for this law, the same sentence stating that if the health information is about a minor, and if it identifies the kid, it does NOT matter whether you obtained it legally. You still may NOT transfer or sell it. Seems to me to potentially conflict with what is called “The Commerce Clause”. I do not know whether Maine, with its approximately 400,000 kids, has the right to legislate what enterprises across the country, or the world, can and can not do with what even Maine says is legally acquired information.


In Sum:

Maine: Good law. Good first and second steps to help assure privacy, especially for kids. But… what happened if you talk about a student, who is a minor, at a University’s health clinic? How is this information coming from the clinic to the Insurance Company?


Let’s think a little more about this and bake an even better pie.  I’d be delighted to help.


The usual disclaimer:  I am not a lawyer.  I don’t even play one on TV.  This is not a legal advice.