Md. Privacy Law 'Raises the Bar' for Congress, EPIC Says
The number of states with privacy laws reached 18 after Maryland Gov. Wes Moore (D) signed SB-541/HB-567 on Thursday. Vermont and Minnesota could soon join the ranks. While not first, Maryland “sets the new standard” for state privacy laws and “raises the bar” for Congress, said Caitriona Fitzgerald, Electronic Privacy Information Center (EPIC) deputy director, in an interview. Meanwhile, in California, the first state with a privacy law, board members of the California Privacy Protection Agency (CPPA) slammed the preemptive current draft of a privacy bill from Congress.
“It’s a big step forward,” Fitzgerald said of Maryland's privacy law. Structured like Connecticut's or Delaware’s laws, Maryland's added strong civil rights protections and data minimization requirements that say companies may collect only data that's “reasonably necessary” for a product or service, she said. For sensitive data, it must be “strictly necessary.” Those rules require “companies to better line up their data collection with what I expect as a consumer.” By contrast, Virginia, Connecticut and most other state laws say companies may collect only what’s disclosed in their privacy policies, said Fitzgerald: But “no one reads” privacy policies, “so that really means nothing.”
Maryland's data minimization language came from Congress -- specifically the previous federal privacy bill, the American Data Privacy and Protection Act, Fitzgerald said. This year’s U.S. bill, the American Privacy Rights Act, has similar data minimization requirements, the EPIC official said. “The big deal of a state passing a law like this is now any federal bill can’t go below it.” California is the only other state with data minimization requirements, but they’re structured somewhat differently from Maryland's, she said.
The Maryland bill's data minimization requirements earlier drew praise from Consumer Reports when the legislation passed (see 2404080059). However, citing an ever-expanding state patchwork, industry groups raised compliance concerns due to its differences with other state laws. On Thursday, Moore also signed a kids online safety bill that tech companies opposed (see 2405090049).
The signed privacy bill makes “fundamental changes to how consumers currently experience the internet,” said Margaret Durkin, TechNet executive director for Pennsylvania and the Mid-Atlantic. “Consumers … could be alarmed at some of these changes, which will undoubtedly impact their online user experience.” Also, she said TechNet members “offer strong consumer protections in other jurisdictions where current and forthcoming state privacy laws are more interoperable.”
Vermont could be the next state with a privacy law. Its state Senate was scheduled to consider House changes to H-121 Friday, its last day of the session. The House voted 139-3 Thursday for the bill, which will also need Gov. Phil Scott's (R) signature before it becomes law. Like Maryland, the Vermont bill contains data minimization requirements.
Minnesota could soon have a comprehensive law, too. The Minnesota House voted 68-59 Thursday for a commerce omnibus (SF-4942) that includes comprehensive privacy rules. Its Senate passed the omnibus earlier last week (see 2405070043) but the chambers must still agree on final language. Minnesota’s legislative session concludes May 20.
Meanwhile, the Massachusetts Data Privacy Protection Act returned with a new bill number (SB-2770) on Thursday. That same day, the Senate Advanced Information Technology Committee reported the bill favorably and sent it to the Ways and Means Committee. Massachusetts lawmakers still have much time to pass the measure before they adjourn Jan. 2.
California isn’t ready to support a U.S. privacy law. The California privacy agency opposed the discussion draft of a privacy bill from Congress in an April 16 letter because it preempted most of California’s privacy law, Deputy Director-Policy and Legislation Maureen Mahoney said during the CPPA board’s Friday meeting. The CPPA had also opposed Congress’ previous privacy bill (see 2207280041). California Attorney General Rob Bonta (D) and 14 other Democratic AGs opposed preempting state privacy laws earlier last week (see 2405090048).
CPPA Chair Jennifer Urban said she hopes Congress will improve its bill so that the state watchdog can support it. California protections "can be built on, but they cannot be diminished,” Urban said. More than 9 million people in California voted for a “floor” for privacy protections, she said. “Congress should do the same."
Board member Alastair Mactaggart is glad the agency opposed the draft, he said. The bill didn’t seem bad at first glance, but Mactaggart later noticed loopholes for industry that would greatly weaken California’s standards, he said. "Once again, it's sort of the wolf in sheep's clothing."