Privacy Daily is a service of Warren Communications News.

Reasonableness Considered Key to Complying with State Privacy Laws, Panelists Say

Employing reasonable practices and security measures can help companies comply with the multitude of state privacy laws, said HP and Maryland attorneys during a panel at the Privacy + Security Forum Spring Academy on Thursday.

“The lovely word reasonable … should really always be in your back” pocket, said Liz Lyons, global privacy senior counsel at HP. “When people ask for a list of things that you should do, your answer is make it reasonable.”

This means: “What would a reasonable security policy be? What would a reasonable technical and physical data security policy be?” she said. “That's how it should be followed for the majority” of companies.

Hanna Abrams, assistant attorney general in the Maryland Office of the Attorney General, said the “reasonableness” standard applies to the consumer-facing side too, for example, with privacy notices and cookie banners. “They're supposed to be a primer for consumers to quickly identify what their rights are and how to implement them,” she said. “It should be easy to find, easy to read, easy to understand, and the actual mechanism of implementing those rights should also be relatively simple.”

The reasonable approach also works with data minimization, since several states limit data collection to what is “reasonably necessary” for various functions. For instance, Abrams said Colorado law limits data collection to what's required for “processing purposes,” while in Maryland, businesses can collect data for “maintenance of consumer requests.” However, Maryland's comprehensive privacy law, coming into effect this October, contains strict data-minimization rules that differ from other states' laws.

Even if a company operates in a state without a privacy law or without strict regulations, it can help in the long run to establish reasonable programs and safeguards around data, the panelists said.

“As a lawyer, I would never say you have a legal obligation to do what you don't have to do,” but it can be beneficial, said Libbie Canter, a Covington cybersecurity and privacy attorney. “If you have the resources, having a more privacy-centric process to inventory systems with personal data is helpful.”

Given that many state laws are based on what legislators deem reasonable, there are more similarities between the state approaches to privacy than typically thought, said Canter: “There are some differences” between “some of the states, but ... the good news is” they're more similar than different.