Experts urge Vermont lawmakers to adopt substantive data‑minimization and enforceable remedies

A joint hearing of the Vermont House Commerce and Economic Development Committee and the Senate Committee on Economic Development, Housing and General Affairs brought together privacy scholars, industry experts and journalists who urged lawmakers to pursue privacy rules that go beyond notice‑and‑choice and include substantive limits on data collection and meaningful enforcement.

Neil Richards, Koch Distinguished Professor of Law at Washington University in St. Louis, told the committees that "privacy matters because information about people ... confers power over those people," and argued that ordinary consumers cannot protect themselves through lengthy privacy policies. Richards said the legislature should place the burden of protection on companies and called for two core features in any effective law: substantive restrictions on dangerous data practices and meaningful remedies, including public enforcement and a private right of action.

Jordan Francis, senior policy counsel at the Future of Privacy Forum, mapped three approaches state legislatures have taken to data minimization. He described 1) a procedural model used by many states that limits collection to what is "adequate, relevant, and reasonably necessary" in relation to disclosed purposes; 2) California's approach, refined by 2023 CCPA regulations, which adds a "reasonably necessary and proportionate" standard and factors tied to consumers' reasonable expectations; and 3) Maryland's 2024 Online Data Privacy Act, which ties collection limits to what is necessary to provide or maintain a specific product or service and imposes stricter rules for sensitive data.

Woodrow Hartzog, identified in testimony as the Andrew R. Bridal Professor of Law at Boston University School of Law, argued for substantive minimization as the most effective single rule to reduce breaches, shift burdens from consumers to firms, and blunt large platforms' marketplace advantages. "Data minimization is probably the single most important data privacy rule," Hartzog said, adding that it reduces the amount of data available to be hacked and limits the ability of platforms to siphon customers.

Industry perspectives acknowledged the technical and compliance work minimization requires but also pointed to real‑world harms resulting from current data practices. Bob Hedges, a former Visa global chief data officer, described categories of commercial data and cited recent reporting and studies on dynamic pricing. Hedges said a study of an online grocery service showed prices for items such as eggs could vary about "10 to 20%" based on inferred consumer price sensitivity.

Bob Sullivan, a longtime technology reporter now hosting the podcast The Perfect Scam, recounted the ChoicePoint breach and recent enforcement actions against data brokers. Sullivan said regulators found brokers offering lists that included highly sensitive groups — for example, postal lists tied to Alzheimer's patients — and warned that such data can be used by criminals.

Committee members asked presenters about communicating privacy information to consumers, the costs to small businesses of compliance, and whether the trade of data for free services meaningfully resembled a financial transaction. Presenters repeatedly emphasized that simplification of notices alone is insufficient and that clear rules about what firms may collect and how they may use data are necessary.

The committees asked witnesses to submit written testimony and source materials for the record. The hearing recessed for a short break and is expected to continue follow‑up work and review of submitted materials.