Bill Would 'Gut' Maryland Data Minimization Rule, Say Consumer Groups
A significant proposed edit to the Maryland privacy law’s data minimization rule would be “a huge boon to the companies that already exploit our data,” Eric Null, Center for Democracy and Technology (CDT) privacy & data project co-director, said Monday. However, Keir Lamont, Future of Privacy Forum (FPF) senior director-U.S. legislation, said the bill would bring clarity only for businesses that don’t handle sensitive data.
Del. Andrea Harrison (D) introduced HB-1365 on Friday. The House Economic Matters Committee plans to mull the measure during a March 4 hearing.
Among state comprehensive privacy laws, Maryland’s includes one of the most restrictive rules limiting what data companies may collect at the outset. In part, it says a controller shall limit “the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”
Under HB-1365, the Maryland law that takes effect Oct. 1 would instead say that a controller shall limit collection to what is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer.” The bill wouldn’t modify the law’s data minimization rules for sensitive data.
“Maryland's privacy law is among the strongest in the nation because it includes data minimization protections that place the burden of limiting data collection on the companies that ultimately benefit from that data,” CDT’s Null said in an email. “This amendment would gut those protections and turn the Maryland law into another Virginia-like copycat, which places the privacy burden on individuals.”
“If anything,” added Null, “the law's protections should be strengthened by applying the minimization limits to processing and transfer of data as well.” Harrison didn't comment.
"This bill is an effort to return to the status quo of companies having limitless ability to collect and abuse personal data," Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, emailed us. "Maryland legislators set a higher standard in the Maryland Online Data Privacy Act to protect the constituents online, and this bill would reverse that work and make Marylanders more susceptible to data breaches and abuses of their personal data."
On the other hand, FPF's Lamont pointed out that the bill would only affect one prong of Maryland's data minimization rules. For non-sensitive data, the bill would return Maryland “to the standard approach where companies must identify and disclose upfront how they will collect and use data,” he said in an email.
“However, sensitive information is defined broadly under” Maryland’s privacy law, Lamont warned. “The amendment would leave significant questions in place for how Maryland's novel data minimization standard would be operationalized for sensitive information.”