The College Board has weighed in on two data privacy bills currently under consideration by the Maine Judiciary Committee, urging lawmakers to exempt non-profits from the scope of these provisions.
In their communications to the Judiciary Committee — which were shared on the Committee’s public listserv — the College Board took issue with both proposals, as neither provided an explicit exemption for non-profit organizations.
Both LD 1973 — sponsored by Rep. Lisa Keim (R-Oxford) — and LD 1977 — sponsored by Rep. Maggie O’Neil (D-Saco) — would create new sections of state law aimed at protecting consumer data in Maine.
The details of how to establish these protections differ, however, between these two pieces of legislation.
For example, LD 1977 provides for a “private right of action” — or the ability to bring civil charges and seek damages for alleged violations — while LD 1973 does not.
Furthermore, LD 1973 would apply to anyone conducting business in Maine or targeting Maine residents, while LD 1977 limits its applicability to those processing or controlling a volume of personal data above a given threshold.
Another point of divergence between the two bills is the inclusion of a mandatory 30-day “right to cure” in LD 1973, meaning that anyone who is deemed to be in violation of privacy protection laws would have 30 days to correct the violation to avoid action being brought against them.
Although LD 1977 does include a 60-day right to cure clause, the provision of this opportunity would be at the attorney general’s discretion.
In a letter to the Maine Judiciary Committee, the College Board addressed concerns with both LD 1973 and LD 1977, suggesting that some of the restrictions proposed in these bills would hinder their ability to effectively provide services to students.
“Since each student’s pathway is unique, personalizing students’ experience in their college and career planning is a critical element,” the College Board wrote. “In order to do this, we must collect and process data about minors under age 18.”
The non-profit went on to explain that their “data privacy principles are focused on providing notice, choice, transparency, and security to students, parents, and educators,” stating that they “protect all data with a self-imposed high standard that is available to the general public.”
With relation to LD 1973, the College Board noted concerns about the cause prohibiting the “processing [of] sensitive data concerning a consumer without obtaining a consumer’s consent,” defined as “a clear affirmative act.”
“College Board sometimes collects sensitive information to provide additional resources and supports for certain students,” the College Board said.
“Requiring affirmative consent each time a student visits our website and initiates any activity that requires these data elements to be processed (e.g. searches for a scholarship or a school) would be highly burdensome and potentially inoperable,” they wrote.
As far as LD 1977 is concerned, the College Board took issue with its more expansive definition of “sensitive data” that includes “any data of a minor under age 18.”
“This broad definition of targeted advertising, and the prohibition on using sensitive data (i.e., data about minors) could impact the ability to present personalized information to students to help them on their postsecondary journey,” the organization wrote.
“If LD 1973 or 1977 were to apply to nonprofits, Maine students’ data would fall under different rules depending on where a student was located when they provided the data,” the College Board said. “This compliance patchwork based on where data was collected could be unworkable in practice and cause problems for Maine students.”
“The overwhelming majority of consumer privacy laws exempt nonprofits, as they often collect data in pursuit of fulfilling their missions,” the College Board concluded. “Therefore, we respectfully request that nonprofits, or education nonprofits, be exempted from the scope of LD 1973 and LD 1977.”
According to an annotated comparison of the two bills shared on the Judiciary Committee’s public listserv, it appears that lawmakers have not yet had any substantive “preliminary discussions” or “straw votes” concerning the types of entities and data that would be exempt under each of the proposed statutes.
Fourteen states have passed data privacy laws that are comparable to those currently under consideration in Maine. Four of these states — including Colorado, Oregon, Delaware, and New Jersey — have not exempted non-profits from their new data privacy statutes.
The remaining ten states — including New Hampshire, California, Connecticut, Utah, Virginia, Tennessee, Iowa, Indiana, Montana, and Texas — have all opted to exempt non-profits from their consumer privacy laws.
The Maine Judiciary Committee has scheduled a work session for both LD 1973 and LD 1977 at 10 am on Monday, January 29 in Room 438 of the State House.
The work session can be streamed online here.