A comprehensive data privacy bill that includes the country’s toughest data minimization standards is on the cusp of passing the Maryland state legislature, giving advocates hope that similar bills will follow nationwide.

The Maryland Online Data Privacy Act has passed both the state’s House and Senate, and will soon go to a conference committee where small differences between the versions will be ironed out. It is expected to pass by April 8, the bill’s sponsor, Maryland State Delegate Sara Love, told Recorded Future News in an interview. 

The bill stands out because of its requirement that the gathering, processing or sharing of sensitive information be “strictly necessary” when a vendor is completing a consumer’s service request. Under so-called data minimization laws, vendors typically must collect or use a minimal amount of information — only what’s needed to deliver a service — and may only retain the data they collect for as long as it takes to render the service.

Strong data minimization provisions in bills in Maine and Vermont are also progressing — Vermont’s House just unanimously passed a relatively tough bill — giving privacy advocates hope that after a string of 14 weak state comprehensive data privacy laws with toothless data minimization standards, the tide is finally turning. California is seen as the only state with tough data privacy regulations on the books, but its language is not as strong on the minimization issue as Maryland’s will likely be.

Love, formerly a policy director at the ACLU, said there is no reason that when an individual plays solitaire on their phone that that company should be collecting location data on the user, which now routinely happens. She said that data minimization is central to reform because if legislation blocks vendors from collecting irrelevant data, the personal information they can sell to data brokers and advertisers for monetization will be dramatically reduced as will the chances for consumer harm through data breaches.

The delegate said she has been concerned about data minimization for years, but her focus sharpened after a particularly “horrific” incident in which her sister was served an ad for her very ill husband’s doctor’s practice on Facebook the day after he filled out an appointment request on the doctor’s online portal.

“I subsequently learned that Meta has these agreements out there with a whole host of companies to get that data,” Love said. “That is unacceptable.”

Maryland lawmakers are expected to pass a bill in the next two weeks that would have tough data minimization provisions. Image: Martin Falbisoner via Wikimedia Commons (CC BY-SA 3.0)
Maryland lawmakers are expected to pass a bill in the next two weeks that would have tough data minimization provisions. Image: Martin Falbisoner via Wikimedia Commons (CC BY-SA 3.0)

A data free-for-all

Recorded Future News studied the privacy policies of organizations which recently suffered data breaches and discovered that a wide variety of them collect data far beyond what they reasonably need to do business with their customers. And all of the companies studied collect geolocation data even though it is irrelevant to their engagement with customers.

In September, for example, a hacker broke into Hershey email accounts. The confectionery giant disclosed that in addition to basic data like name and contact information, the cybercriminals in some cases obtained health and medical information, digital signatures, driver’s license numbers, credit card accounts and credentials for financial accounts, including routing numbers.

What Hershey did not say is that as of May, when its privacy policy was last updated, it also collected customers’ internet browsing history; device identifiers; geolocation data derived from their IP addresses; social media information and audio and visual Information, including “likeness as captured in photographs or video recordings if you visit any of our physical locations.” The policy says the audio data is derived from “phone call recordings.” 

Hershey is one of many companies collecting vast amounts of highly sensitive data that has nothing to do with the business they conduct with consumers. Their practices, and others like it, are spurring privacy advocates to push other states to enact tougher data minimization laws, making it harder for such data to be collected in the first place, much less stored indefinitely and sold to third parties as now happens.

As with many other companies, Hershey acknowledges in its privacy policy that it sells much of customers’ personal information, including geolocation data. Hershey also discloses that it retains personal data for “as long as necessary.” It says that it doesn’t always de-identify data. 

So why does the company collect, store and share this information, along with “inferences” it says it makes about customers based on their data? Although the company did not respond to a request for comment for this article, Hershey has acknowledged elsewhere that it is to profit off of targeted advertising, the driving force behind most of the data collection which tracks consumers across the web.

Privacy advocates decry this exhaustive data collection and say it far exceeds what consumers understand or would want.

“The US has spent the past few decades cultivating an online ecosystem premised on the boundless collection and retention of data about everyone,” Eric Null, co-director of the Privacy & Data Project at the Center for Democracy and Technology, said via email. 

Null pointed out that Hershey’s data breach further victimizes customers whose data was collected, retained and sold.

“What is their justification for collecting health and medical information, or drivers license numbers, in the first place?” Null said. “And even if they had justification, what justifies retaining that information indefinitely, making them a bigger, juicier target for data breaches?”

With strong data minimization requirements in place, fewer data breaches would expose sensitive, private data about people, resulting in significantly less harm, experts say. But until things change, “we’ll likely continue to see breaches of highly personal information that increases the risk of privacy-related harms, like identity theft and having to closely monitor and correct erroneous credit reports,” Null said.

Rampant geolocation collection

The prevalent collection of geolocation data is especially troubling, experts say, because while companies claim the data is anonymized, it is very easy to find out who an individual is from their location, including by analyzing the combination of home and work addresses.

“It’s very, very difficult to anonymize your movements to the world,” the data surveillance expert Byron Tau said in a recent interview with Recorded Future News. Geolocation “really does reveal a tremendous amount about [individuals], about their patterns and their habits in the world and the vendors aren’t being honest when they say that these datasets are anonymized.”

  • The Worldwide Australian Labradoodle Association, whose breach became public in December, says it may collect geolocation data based on members’ IP addresses
  • Brightline, a virtual mental health digital platform for families that announced it had been breached in May, said it may take IP addresses; unique device identifiers; web and search browsing history; app usage; geolocation data; and social media usage. The policy notes that if a child uses the adult’s account, information is collected directly from the child. The information can be shared with advertising networks.
  • Vi Living, which runs communities for seniors and announced it had been breached in September, says it may collect geolocation, IP address, MAC address, site usage, type of device and operating system used, marital status, homeowner status, shopping habits, and data from affiliates, advertising partners and other third parties. Some of this data is shared with Google and used for targeted advertising.

None of the organizations referred to above responded to a request for comment.

A broken notice and consent system

A major advantage of data minimization laws is that they help overcome ineffective notice and consent systems under which consumers typically have no idea what they are agreeing to.

Notice and choice, also known as notice and consent, is a fundamentally flawed construct, according to Federal Trade Commission (FTC) Commissioner Rebecca Kelly Slaughter, who in 2019 remarks cited reporting that it would take consumers 76 working days to plow through all of the privacy policies they are exposed to in a given year.

Slaughter also pointed to a 2016 study showing that 98 percent of potential users of a social media site blithely agreed to a privacy policy and terms of service saying they would share their activity with the National Security Agency and fund their use of the service by giving up their first born child.

FTC Commissioner Rebecca Kelly Slaughter. Image: Paul Morigi/Brookings Institution
FTC Commissioner Rebecca Kelly Slaughter. Image: Paul Morigi/Brookings Institution

“I am concerned that today, when it comes to our digital lives, neither notice nor consent is meaningful,” Slaughter said. “These studies and myriad others simply validate what we all already know: clicking through these policies presents little value to consumers.” 

And if a consumer actually digests and doesn’t like the privacy terms, Slaughter said, the individual “often has no choice but to consent in order to reach a digital service that has become necessary for participation in contemporary society.”

Null echoed Slaughter’s point saying that with few substantive limits on data practices, “companies can and do collect almost any data they want and use it for almost any purpose, so long as it is disclosed in a lengthy, unreadable privacy policy.”

The problem is often seen across a given industry. Car companies have recently come under scrutiny for collecting consumers’ biometric, phone data and geolocation, and in some cases have been found selling driver behavior patterns to data brokers who then sell it to insurers, according to recent New York Times reporting. The manufacturers’ privacy policies are densely written, very long and often unclear, experts say.

The state of play

Maryland’s bill isn’t the first time that lawmakers in the U.S. have tried to put tighter data minimization rules in place. 

The stalled federal American Data Privacy and Protection Act (ADPPA) had very strong data minimization language when it passed out of the House Energy and Commerce Committee in July 2022 with a nearly unanimous bipartisan vote, but died in January 2023 without a floor vote. It is now languishing in committee.

The federal legislation featured stronger data minimization language than all 15 states to have enacted comprehensive privacy laws, including California, according to privacy experts closely tracking the bills. However, the Maryland bill was modeled after ADPPA and is very similar to it, though not quite as strong. ADPPA puts limits on use of data, and Maryland limits only collection.

Advocates are also closely tracking bills underway in Illinois and Massachusetts, in addition to Vermont and Maine, all of which they say have momentum and relatively strong data minimization language. These bills are at various stages of development.

Another reason these bills matter: In her 2019 speech Slaughter highlighted an additional problem — without specific statutes governing practices in this area, companies and courts are often unclear on where to draw the line.

The unfair  practices language in Section 5 of the FTC Act is now more than a hundred-years-old and hardly anticipated today’s technological revolution. The agency has been exploring a new rule to more strongly regulate commercial surveillance since 2022 but the process is ongoing with no clear end in sight.

But the agency has had some important wins. In addition to a string of recent settlements with data brokers selling geolocation data, in 2017 it settled with the TV manufacturer VIZIO for $2.2 million upon discovering that on a “second-by-second basis” the company collected screen pixels to discover what customers were watching, raking in as many as 100 billion data points each day from millions of TVs.

Privacy advocates are excited about the state-level momentum.

“We’re happy to see states like Maryland and Vermont prioritizing consumers’ expectations about how their data will be used rather than simply allowing companies to collect and use data however they want, as long as they disclose what they’re doing in their privacy policies,” said Caitriona Fitzgerald, the deputy director of the Electronic Privacy Information Center. “This shift in the status quo will encourage innovation that protects privacy.”