Data privacy heating up! US states race for strongest laws, UK grapples with AI rights, and EU probes Meta's child safety.

Privacy Corner Newsletter: May 17, 2024

By Robert Bateman and Privado.ai

In this week’s Privacy Corner Newsletter:

• Significant privacy law developments in Maryland and Vermont (including a private right of action…)
• Another generative AI consultation from the UK ICO—but are they dodging the hardest questions?
• An investigation into how Facebook and Instagram treat child users by the European Commission
• What we’re reading: Recommended privacy content for the week.

Maryland enacted one of the strictest US privacy laws—then Vermont passed a bill that raises the bar even higher

In the past week, Maryland’s governor signed the Maryland Online Data Privacy Act (MODPA), and Vermont passed the comprehensive privacy bill H121.

• Both Maryland and Vermont’s laws impose data minimization requirements that tightly restrict how businesses process personal data.
• Maryland’s MODPA, which takes effect from October 2026, also imposes unprecedentedly strict rules on the processing of sensitive data.
• Vermont’s H121, which awaits a signature from the state’s governor, is the first privacy bill to pass since the California Consumer Privacy Act (CCPA) with a private right of action.

? More state privacy laws? Are these two more interesting than the last fifteen?

Yes, these laws are a little different from what we’re used to.

Both Maryland and Vermont’s laws include tight rules on “data minimization”. They move away from the standard “Virginia-style” model—which generally allows controllers to process non-sensitive data by default—and towards something much more prescriptive.

Under Maryland’s law, a controller may not collect personal data except where “reasonably necessary and proportionate” to provide or maintain a product or service requested by the consumer. Processing personal data for further incompatible purposes requires consent.

Maryland provides the same rule for sensitive data, except that it only applies when processing, collecting, or sharing sensitive data is “strictly” (as opposed to “reasonably”) necessary for providing or maintaining a product or service. And selling sensitive data is prohibited altogether.

Vermont expresses its data minimization rule somewhat differently, allowing controllers to process personal data:

• As reasonably necessary and proportionate for a “disclosed” purpose, consistent with the consumer’s “reasonable expectations”
• For further compatible purposes
• For further incompatible purposes with consent

Like most Virginia-style laws, Vermont only allows the processing of sensitive data with consent.

? What else is interesting about these two laws?

Both laws include practically every obligation on the Virginia-style menu, including data protection assessments, the full range of consumer rights, and a requirement to honor Universal Opt-Out Mechanisms (UOOMs).

Vermont’s bill is particularly special, though, as it would create the only comprehensive privacy law outside California that empowers consumers to sue businesses that violate it.?

? Vermont’s new private right of action

H.121’s “private right of action” has changed substantially over a series of amendments.?

This re-drafting is because a poorly constructed private right of action can have serious consequences. If it’s too broad, it encourages frivolous and disruptive litigation. Too narrow, and it becomes practically meaningless.

As it stands, the bill passes the buck to the Vermont Attorney General. By mid-January 2026, the AG must design “legislative language for implementing a private right of action” that focuses on the most serious harms and protects businesses acting in good faith.

Nonetheless, both Vermont’s and Maryland’s laws break the trend of copy/pasting Virginia’s privacy law, ensuring that 2024 turned out to be another very interesting year for state privacy law.

UK regulator opens consultation on data rights in generative AI (but dodges the hardest question)

The UK’s Information Commissioner’s Office (ICO) has published a “call for views” on “engineering individual rights into generative AI models”.

• The ICO presents some preliminary analysis of how data subject rights can be facilitated by generative AI developers and deployers (when fine-tuning or further developing AI).
• The call for views is the fourth part of an ongoing consultation that has also tackled lawfulness in web scraping, purpose limitation, and data accuracy in the generative AI context.
• The ICO is seeking evidence and views on how to uphold data subject rights in generative AI until 10 June.

? Does the ICO give its own views on generative AI and data subject rights?

The ICO provides some basic analysis of the challenges of meeting data subject rights obligations when developing and using generative AI. The following statements are among the more noteworthy:

• AI deployers must provide a privacy notice when collecting data for fine-tuning or other post-deployment development.
• If an AI developer processes personal data collected by its clients, the client must provide a privacy notice.
• Scraping personal data to train an AI model is “likely to go beyond people’s reasonable expectations.”
• When providing notice under Article 14, “vague statements around data sources (eg just ‘publicly accessible information’)” are unlikely to be acceptable.
• “Where the lawful basis is legitimate interests, organizations must state the specific interests being pursued.”
• When considering how to tell people you’re processing their personal data, “resource or expense requirements should be factored into business decisions from the very start” (i.e., don’t use people’s data if you can’t afford to tell them about it).

The ICO also states that AI developers must be in a position to uphold the rights of access, deletion, and restriction of processing, and the right to object.

? What about the right to rectification?

The right to rectification, i.e., to correct inaccurate personal data, is particularly challenging in this context.?

Noyb’s complaint against OpenAI, covered in a previous edition of The Privacy Corner, suggests that this is one of the hardest aspects of the GDPR to reconcile with generative AI.

But this consultation “does not examine the right to rectification in detail,” the ICO says, as it “was examined in our previous consultation on accuracy.”

Refer back to that consultation, however, and there’s a similar message. “The analysis in this document does not cover the right to rectification,” the ICO said, promising to cover the topic in the next consultation.

So, it appears we might not give the regulator’s interpretation of this “hard GDPR question.” If you have views about it, you might wish to tell the ICO. This part of the consultation is open until June 10. The next part will examine controllership in the generative AI supply chain.

European Commission begins Digital Services Act investigation over Meta’s child safety and age verification practices

The European Commission has opened a formal investigation into Meta’s Facebook and Instagram platforms under the Digital Services Act (DSA).

• Facebook and Instagram are both Very Large Online Platforms (VLOPs) under the DSA, with a range of obligations relating to content moderation, privacy, and other issues.
• The Commission is concerned that Meta’s recommender algorithms encourage social media addiction among children and that the company has failed to meet the DSA’s privacy, security, and age verification requirements with respect to child users.
• A separate DSA investigation, which began on April 30, is looking at political advertising and content moderation on Meta’s platforms, among other issues.

? Why does the Commission think Meta may have violated the DSA?

The investigation will explore three main issues:

• Whether Meta’s algorithms “exploit the weaknesses and inexperience of minors,” “cause addictive behavior,” or “reinforce so-called ‘rabbit hole' effect.”?
• Whether Meta’s age-verification methods are a “reasonable, proportionate and effective” way to prevent children from accessing harmful content.
• Whether Meta has “put in place appropriate and proportionate measures” to ensure “a high level of privacy, safety, and security for minors,” including “default privacy settings.”

These issues fall under Articles 28, 34, and 35 of the DSA.

Regarding the privacy-related matters, the Commission has not revealed details of the potential “privacy, safety, and security” and age-verification problems.?

However, we do know how Meta verifies its users’ ages on Facebook and Instagram.

? How does Meta verify its users’ ages on Facebook and Instagram?

Meta verifies users’ ages, in its own words, by “asking people for their birthdays.”

Providing a date of birth is one of several ways users can verify their ages on Meta’s platforms, along with providing a government-issued ID or a selfie. But presumably, most users choose to simply provide their date of birth.

Is this method good enough to satisfy the DSA’s requirement to protect children’s rights? The DSA does not specify how platforms should verify children’s ages, only that they should factor age verification in as part of a risk assessment.

It’s not clear that some age verification solutions—such as collecting every user’s ID or using biometric age estimation—would comply with the GDPR’s “data minimization” principle.

While Meta is probably chiefly concerned with its user count, which would likely fall if every user had to show an ID, it’s fair to say that age verification is another “hard GDPR problem.”

What We’re Reading

• The Shifting Privacy Left Podcast: Debra Farber talks to Marie Potel-Saville about “Decision-Making Governance and Design: Combating Dark Patterns with Fair Patterns.”
• Privacy Nihilism is Pervasive, and Our Laws are to Blame: Privacat Insights makes a strong case for clearer, simpler data protection legislation.
• No regulatory wild west: how the ICO applies the law to emerging tech: The ICO makes some bold claims about its emerging tech enforcement record.