Data minimization is the key to a meaningful privacy law

This is the sixth blog post in EPIC’s series on Data Minimization. We have previously discussed data minimization as a framework to curb harmful commercial surveillance practices, harms that stem from out of context secondary data uses, data minimization as a pillar of data security, data minimization as a tool to protect health data privacy, and data minimization as a way to regulate surveillance advertising. This post discusses existing data minimization rules in state and federal laws. 

Strong data minimization rules exist in laws and legislative proposals.

Data minimization has been a pillar of privacy laws dating back to the Privacy Act of 1974, a landmark privacy law regulating the personal data practices of federal agencies. Over the past few years, a series of privacy laws have passed and been proposed that focus on data minimization as a core principle. For example, the EU passed the General Data Privacy Regulation (GDPR) in 2016, California passed the California Consumer Privacy Act in 2018, and Maryland passed the Maryland Online Data Privacy Act this session, which was just signed by the governor today. Proposals in Congress, including the (APRA) currently being discussed and the American Data Privacy and Protection Act of 2022 (ADPPA), are also grounded in the concept of data minimization. State bills that include data minimization requirements have also been considered in Maine, Massachusetts, Illinois, and Vermont this session and in the past couple of years. 

ADPPA took a two-tiered approach to data minimization. In ADPPA, covered entities were prohibited from collecting, processing, or transferring personal data beyond what is reasonably necessary and proportionate to provide the requested product or service (or for certain enumerated permissible purposes). On top of this baseline protection, ADPPA placed heightened restrictions on sensitive data: Covered entities could only collect and process sensitive data if it was strictly necessary to provide the product or service the consumer requested (or for a limited subset of the enumerated permissible purposes). The transfer of sensitive data is even further limited to only a handful of specific permissible purposes or with the consumer’s affirmative express consent. The Maryland Online Data Privacy Act is modeled largely on ADPPA and contains similar restrictions on data collection and heightened protections for sensitive data. 

Despite Congress’ failure to pass ADPPA in 2022, data minimization remains a core concept in federal privacy proposals, including APRA. APRA contains similar requirements to ADPPA, although it eliminates the two-tiered structure in favor of a single standard. In APRA, covered entities and service providers are prohibited from collecting, processing, retaining, or transferring personal data beyond what is necessary, proportionate, and limited to provide the requested product or service (or for certain enumerated permissible purposes). The term “proportionate” helps provide sensitive data with heightened protection because proportionality will be impacted by the type of data being collected. While APRA is still only in discussion draft form, it has data minimization requirements at its core, which means that if it gains traction, it could lead to a strong federal privacy law.

But most states are failing to enact true data minimization.

Of the 17 states that have passed “comprehensive” privacy legislation in recent years, only California’s and Maryland’s contain meaningful data minimization rules. 

Despite the frequent claims of technology companies and industry lobbyists, the Virginia/Connecticut “model” and the state laws that have followed do not contain real data minimization. These laws contain provisions that purport to be data minimization but only include language requiring controllers to limit collection of personal data to what is “adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” The key words “as disclosed to the consumer” mean that businesses are not really limited at all—they may collect and use data for any purposes they disclose in their privacy policies that no one ever reads.

The core of data minimization is limiting the data that companies can collect and use to what consumers would expect based on the context of their interaction with the business. In contrast, the core of the framework found in states with laws based on the Virginia/Connecticut “model” is disclosures in privacy policies. These laws allow businesses to continue collecting whatever personal data they want and using it for any reason they want as long as they disclose that reason in their privacy policy—ensuring that the status quo of massive data collection and sale continues uninterrupted. In fact, it encourages companies to write those purposes as broadly as possible to cover any possible use of data they may want in the future. 

To illustrate the difference, consider a person using a ride-share app to request a ride to a doctor’s office or a place of worship. That person expects the app to use their location to allow the driver to pick them up at their location and drop them off at their destination. The user does not expect the app to continuously track their location long after the ride has ended or to sell the fact that they were dropped off at these sensitive destinations to data brokers. 

True data minimization would not allow these unexpected secondary uses of personal data. The so-called data minimization found in the Virginia/Connecticut “model” and the other states that have adopted similar laws would allow these unexpected and unfair data practices to continue unchecked, as long as these data uses were disclosed in a boilerplate privacy policy. 

To meaningfully protect privacy, laws and regulations should include real data minimization protections like those found in the GDPR, the CCPA, Maryland’s Online Data Privacy Act, and proposed federal legislation. EPIC is happy to be a resource to any policymaker considering privacy legislation or regulation to help incorporate data minimization rules.