What 'data minimization' can mean: three state models and key questions for Vermont
Summary
Witnesses at the Vermont hearing described three state models for data minimization—procedural (disclosure‑tied), California's reasonable‑expectations approach, and Maryland's product/service‑linked standard—highlighting tradeoffs for consumer protection, enforcement, and business compliance.
Experts at the legislative hearing broke down three distinct approaches states have taken to data minimization and flagged interpretive questions Vermont lawmakers would need to answer.
Jordan Francis, senior policy counsel at the Future of Privacy Forum, framed the issue as three models. He called the most common approach "procedural data minimization," used by many states, where a controller limits collection to what is "adequate, relevant, and reasonably necessary in relation to the purposes disclosed to the consumer." That model ties what businesses can collect to the purposes they disclose.
Francis described California's current position, shaped by the California Consumer Privacy Act (CCPA) regulations issued in 2023, as embedding a "reasonably necessary and proportionate" test and adding an inquiry into consumers' reasonable expectations (factors include relationship to the business, data type, disclosures and awareness of other parties’ involvement). "How do you figure out what a consumer would expect?" Francis asked rhetorically, noting regulators have listed factors to guide that assessment.
The third model — the Maryland Online Data Privacy Act enacted in 2024 — links minimization to the product or service: controllers must limit collection to what is "reasonably necessary and proportionate" to provide or maintain a specific product or service requested by the consumer; sensitive data receives stricter limits. Francis flagged interpretive questions for lawmakers: what counts as a product or service, how to define "reasonably necessary" versus "strictly necessary," and whether simple click‑throughs should be treated as requests for a product or service.
Woodrow Hartzog, identified in testimony as the Andrew R. Bridal Professor of Law at Boston University School of Law, argued these distinctions matter: substantive approaches tied to use limits (the Maryland model) take dangerous practices "off the table," reduce breach risk and shift responsibility away from consumers who cannot realistically police dozens of privacy policies.
Presenters acknowledged implementation and compliance costs. Francis said effective minimization programs require data inventories, mapping, processing purpose documentation, retention schedules, vendor controls and technical safeguards such as differential privacy or de‑identification. He recommended lawmakers seek detailed examples of how each framework would apply in local contexts before adopting language.
The committee requested written testimony and curated source lists to better evaluate which model might fit Vermont's legal and economic context.
