Data Minimization

Democratic state lawmakers around the U.S. want to ban algorithmic pricing, but the “corporate lobby” is killing or watering down proposals, Colorado Rep. Javier Mabrey (D) said Wednesday.

Privacy Daily is providing readers with the top stories from last week, in case you missed them. All articles can be found by searching the title or clicking on the hyperlinked reference number.

Uncommon and broadly applicable data minimization requirements in the Maryland Online Data Privacy Act (MODPA) could pose major compliance challenges for companies when the law takes effect Wednesday, privacy attorneys representing businesses said in interviews. Some advertisers could opt out of the Maryland market rather than comply with the state's comprehensive privacy law, said David LeDuc, Network Advertising Initiative (NAI) public policy vice president.

A company complying with Maryland’s data minimization standard would be in compliance with a similar measure proposed in a Massachusetts comprehensive privacy bill that’s moving quickly toward passage, said Massachusetts Sen. Michael Moore (D) on the floor Thursday. However, Moore also said he’s fine with Massachusetts being an “outlier” among the 20 states with privacy laws.

DOJ received industry requests this month to scrutinize the Maryland Online Data Privacy Act (MODPA) and other state privacy measures as possibly burdening interstate commerce. The closely watched Maryland legislation takes effect Oct. 1. The chief privacy officer of one company that flagged MODPA told Privacy Daily that his business' main concern is the part of the law's unique data minimization requirement that bans sale of precise location data.

Although every state has a data breach notification law, each one imposes different regulations and reporting requirements, Emory Roane, associate director of policy at Privacy Rights Clearinghouse (PRC), said in a recent interview with Privacy Daily. While some protections exist at the federal level, a comprehensive breach law would help, as would data minimization principles, privacy pros added.

Even without a private right of action, a Massachusetts comprehensive privacy bill nearing a Senate floor vote could still be the strongest of about 20 states with such laws, Electronic Privacy Information Center (EPIC) Deputy Director Caitriona Fitzgerald said in an interview Friday. While legislators previously cut the right for individuals to sue -- limiting enforcement authority to the Massachusetts’ attorney general -- they kept data minimization requirements like those from Maryland’s privacy law.

European data retention rules for telcom companies are fragmented and should be addressed by the EU during its regulatory simplification push, the GSM Association and ConnectEurope said in comments posted this week. They were responding to a European Commission consultation on data retention by service providers for criminal proceedings.

While both the EU and U.K. use legitimate interest as a basis for processing personal data, the U.K. Data Use and Access Act (DUAA) has introduced "something interesting" -- a more flexible standard that can reduce administrative burden in some cases, said Daniel Vinerean, managing director of law firm David and Baias, during a webinar Thursday.

Some groups seek assurances that they won’t be covered by rules implementing the New Jersey Data Privacy Act, according to comments submitted to the New Jersey attorney general’s Division of Consumer Affairs by Sept. 2. Many other business sectors urged the division to withdraw or significantly overhaul draft rules released last May (see 2509120009), according to comments obtained by Privacy Daily (part one, part two, part three).