Maine Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Maine addressing privacy and security of student data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

Maine’s Student Information Privacy Act is codified as 20-A M.R.S.A. §§ 951–953.  Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on operators by Maine’s statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies those provisions of Maine law that are applicable to operators such as Microsoft, and the relevant provision(s) from Microsoft’s DPA that addresses Microsoft’s compliance with that requirement.

Maine Law ProvisionCompliant Microsoft Provision(s)
M.R.S.A. tit. 20-A § 953(1)(A)
Restriction on targeted advertising
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

M.R.S.A. tit. 20-A § 953(1)(B)
Restriction on amassing user profile
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
M.R.S.A. tit. 20-A § 953(1)(C)
Restriction on sale of personal data
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> California Consumer Privacy Act (CCPA)
M.R.S.A. tit. 20-A § 953(1)(D)
Restriction on disclosure of personal data
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data

Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations
M.R.S.A. tit. 20-A § 953(2)
Security procedures and practices
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies
See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures
M.R.S.A. tit. 20-A § 953(3)
Circumstances under which disclosure of covered information is permissible
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Disclosure of Processed Data
M.R.S.A. tit. 20-A § 953(2)(B)
Deletion of student data within 45 days of a school’s or school administrative unit’s request
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion