EPIC writes regarding HB807, Online and Biometric Data Privacy. Our letter in support of HB33 touches specifically on biometric privacy. This letter will focus on the need for a comprehensive privacy law.
The Electronic Privacy Information Center (EPIC) is an independent nonprofit research organization in Washington, DC, established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. EPIC has long advocated for comprehensive privacy laws at both the state and federal level.
The United States now faces a data privacy crisis. For more than two decades, powerful tech companies have been allowed to set the terms of our online interactions. Without any meaningful restrictions on their business practices, they have built systems that invade our private lives, spy on our families, and gather the most intimate details about us for profit. These companies have more economic and political power than many countries and states. Through a vast, opaque system of databases and algorithms, we are profiled and sorted into winners and losers based on data about our health, finances, location, gender, race, and other personal characteristics and habits. The impacts of these commercial surveillance systems are especially harmful for marginalized and multi-marginalized communities, fostering discrimination and inequities in employment, government services, health and healthcare, education, and other life necessities.
And the enormity of the challenge we face is only going to grow. Though HB807 is a good start, I believe that there is a stronger model that the Committee should consider.
Last year in Congress, bipartisan leaders in both the House and Senate proposed the American Data Privacy and Protection Act (“ADPPA”). The bill went through extensive negotiations between members of Congress of both parties, industry, civil rights groups, and consumer protection and privacy groups. The ADPPA received overwhelming bipartisan support in the House Energy & Commerce Committee, where it was favorably approved on a 53-2 vote, including support from Maryland Congressman John Sarbanes. Unfortunately, Congress failed to enact ADPPA, but state legislators can now take advantage of the outcome of those negotiations by modeling a state bill on the bipartisan consensus language in ADPPA. EPIC has converted the federal bill into a proposed state bill in order to provide that opportunity.
Key provisions of the State Data Privacy and Protection Act include:
Data minimization: Establishes limits on the unfettered processing of personal data by setting a baseline requirement that entities only collect, use, and transfer data that is reasonably necessary and proportionate to provide or maintain a product or service requested by the individual (or pursuant to certain enumerated purposes).
Strict restrictions on sensitive data collection and use: Sets heightened protections for collection and use of sensitive data (i.e., biometrics, geolocation, health data), which is only permitted when strictly necessary and not permitted for advertising purposes.
Civil Rights: Extends civil rights to online spaces by prohibiting entities from processing data in a way that discriminates or otherwise makes unavailable the equal enjoyment of goods and services on the basis of race, color, religion, national origin, sex, or disability.
Cross-context behavioral advertising prohibited: The collection, use, and transfer of information identifying an individual’s online activities over time and across third-party websites and services is strictly limited and cannot be used for advertising.
Protections for children and teens: Prohibits targeted advertising to minors under age 17. Covered entities may not transfer the personal data of a minor without the express affirmative consent of the minor or the minor’s parent. Personal data of minors is considered “sensitive data.” These additional protections would only apply when the covered entity knows the individual in question is under age 17, though the standard for certain high-impact social media companies is “known or should have known,” and for large data holders is “knew or acted in willful disregard of the fact that the individual was a minor.”
Algorithmic fairness and transparency: Requires covered entities (who are not small businesses) to conduct algorithmic impact assessments, which include mitigation measures to avoid potential harms from the algorithms. Entities must also conduct algorithm design evaluations prior to deployment in some instances. The assessments and evaluations must be submitted to the Attorney General. A summary must be posted publicly.
Data security: Requires entities to adopt reasonable data security practices and procedures that correspond with an entity’s size and activities, as well as the sensitivity of the data involved.
Manipulative design restrictions: Prohibits obtaining consent in ways that are misleading or manipulative (e.g., dark patterns). Prohibits deceptive advertising.
Individual Rights: Gives consumers the rights to access, correct, and delete personal information about them. Consumers also have the right to opt out of both data transfers to third parties and targeted advertising. Also requires the Attorney General to recognize, and entities to honor, global opt-out mechanisms.
Service Providers: Establishes requirements for service providers handling personal data, including a prohibition on commingling data from multiple covered entities. Service providers can only collect, process, and transfer data to the extent necessary and proportionate to provide the service requested by the covered entity.
Data Brokers: Data Brokers must register with the Attorney General. The AG will create a public registry of data brokers.
Small business protections: Small businesses (as defined) are exempt from compliance with many provisions of the Act.
Executive responsibility: An executive must personally certify each entity’s compliance with the Act.
Enforcement: A State Attorney General, District Attorney, or City Corporation Counsel may bring cases in court for injunctive relief, to obtain damages, penalties, restitution, or other compensation, and to obtain reasonable attorney’s fees and other litigation costs.
Private Right of Action: Individuals may enforce their rights under the Act by bringing a case against a covered entity seeking compensatory damages, injunctive relief, declaratory relief, and reasonable attorney’s fees and litigation costs. This right applies to only certain provisions of the Act. Small businesses are exempt from this provision.
Rulemaking: The Attorney General is empowered to issue regulations for purposes of carrying out the Act.
The bill’s baseline data minimization requirement is what sets it apart from weak state privacy laws in states such as Virginia and Utah. Those laws were drafted by Amazon and do little to protect privacy. Maryland can and should do better.
Data minimization sets limits on processing by requiring that data be used specifically to deliver the goods and services that an individual has requested, consistent with the consumer’s expectations. Companies complying with data minimization requirements must also delete personal information when it is no longer needed to serve the purpose for which it was collected.
Data minimization is essential for both consumers and businesses. Data minimization principles provide much needed standards for data security, access, and accountability, assign responsibilities with respect to user data, and restrict data collection and use. Indeed, a data minimization rule can provide clear guidance to businesses when designing and implementing systems for data collection, storage, use, and transfer. And data security will be improved because personal data that is not collected in the first place cannot be at risk of a data breach.
Data minimization is not a new concept; it just needs to be applied as a rule to all personal data collection online. Privacy laws dating back to the 1970s have recognized and applied this concept. The Privacy Act of 1974, a landmark privacy law regulating the personal data practices of federal agencies, requires data minimization. Each agency that collects personal data shall “maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President.”
The recently passed update to the California Consumer Privacy Act also includes provisions requiring a limited form of data minimization. The key with a data minimization provision is to ensure it is tied to the specific product or service requested by the individual, not simply to whatever purpose the collecting entity decides it wants to collect data for.
Individuals should be allowed to browse the internet or scroll through their favorite apps without worrying whether companies will use their own data in ways they do not anticipate. Data minimization offers a practical solution to a broken internet ecosystem by providing clear limits on how companies can collect and use data. The State Data Privacy and Protection Act sets out a model for data minimization that was subject to intense scrutiny by many parties as its federal counterpart moved through Congress. Maryland can now take advantage of that bipartisan consensus language.
Self-regulation is clearly not working, and since Congress has still been unable to enact comprehensive privacy protections despite years of discussion on the topic, state legislatures must act. The Maryland General Assembly has an opportunity to stand up and provide real privacy protections for Marylanders.
I have attached the proposed State Data Privacy and Protection Act bill text, a bill summary, and some background information.