HIPAA isn’t enough to protect the privacy of consumer health information in the digital age, the Electronic Privacy Information Center said in a report released Wednesday. Requiring a strong data minimization standard may be the best solution, EPIC said. “We face a health data privacy crisis caused by unregulated digital technologies, weak privacy laws and the criminalization of many forms of health care,” Sara Geoghegan, EPIC senior counsel, said during a Wednesday webinar about the report.
Data Minimization
Data minimization is a core privacy principle requiring organizations to limit the personal data they collect, process and retain to only what is necessary for a specific purpose. Maryland’s data privacy law sets one of the nation’s strictest standards mandating that companies collect only the minimum data needed and prohibiting use beyond that stated purpose. The approach has drawn attention from other states with several exploring similar provisions to curb overcollection and reduce the risks of misuse, breaches and noncompliance.
The “expectations of the reasonable consumer” may guide how the Maryland attorney general interprets the data minimization standard in the state’s comprehensive privacy law, according to a FAQ for businesses from the AG office. While questions about how the AG would interpret that section of the law have continued, a Maryland AG spokesperson said Wednesday that the office posted the FAQ on Nov. 20 last year.
Processes around consumer and customer data often get most of the attention of privacy professionals, yet employee data provides an equally attractive target for cybercriminals, judging by the rising number of incidents in this category, according to a post by Nelson Mullins lawyer Mike Rahmn.
Privacy and data security will be top-of-mind in 2026 for state regulators and the FTC, especially concerning children and teens, said Holland & Knight lawyer Anthony DiResta in a consumer protection podcast episode recently.
A Belgian case making its way to the European Court of Justice (ECJ) could have important implications for transfers of EU residents' banking data to the U.S. under the Foreign Account Tax Compliance Act of 2010 (FATCA), Mayer Brown attorneys said in a Jan. 6 analysis.
The FTC should strengthen the data minimization requirements in its proposed settlement with education technology provider Illuminate Education, the Electronic Privacy Information Center said in comments posted Tuesday.
Though much in the privacy space has yet to be “resolved,” some aspects have become more mainstream, especially concerning consumer online privacy, said Laura Riposo VanDruff, a privacy and data security lawyer at Kelley Drye, in an interview with Privacy Daily.
Privacy Daily is providing readers with our top 20 most read stories published in 2025. All articles can be found by searching the titles or clicking on the hyperlinked reference numbers.
Many states that have had leading roles in the privacy space will continue to do so in 2026, but several newcomers will be noteworthy owing to laws coming online, potential enforcement and litigation, privacy lawyers said.
All 20 U.S. comprehensive privacy laws will be in effect Jan. 1 when Kentucky, Indiana and Rhode Island join 17 other states with broad privacy statutes. However, those three new state laws coming online are unlikely to significantly reshape the U.S. consumer privacy landscape, privacy experts said in interviews with Privacy Daily.