What 'data minimization' can mean: three state models and key questions for Vermont
February 05, 2026 | Economic Development, Housing & General Affairs, SENATE, Committees, Legislative , Vermont
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
Experts at the legislative hearing broke down three distinct approaches states have taken to data minimization and flagged interpretive questions Vermont lawmakers would need to answer.
Jordan Francis, senior policy counsel at the Future of Privacy Forum, framed the issue as three models. He called the most common approach "procedural data minimization," used by many states, where a controller limits collection to what is "adequate, relevant, and reasonably necessary in relation to the purposes disclosed to the consumer." That model ties what businesses can collect to the purposes they disclose.
Francis described California's current position, shaped by the California Consumer Privacy Act (CCPA) regulations issued in 2023, as embedding a "reasonably necessary and proportionate" test and adding an inquiry into consumers' reasonable expectations (factors include relationship to the business, data type, disclosures and awareness of other parties’ involvement). "How do you figure out what a consumer would expect?" Francis asked rhetorically, noting regulators have listed factors to guide that assessment.
The third model — the Maryland Online Data Privacy Act enacted in 2024 — links minimization to the product or service: controllers must limit collection to what is "reasonably necessary and proportionate" to provide or maintain a specific product or service requested by the consumer; sensitive data receives stricter limits. Francis flagged interpretive questions for lawmakers: what counts as a product or service, how to define "reasonably necessary" versus "strictly necessary," and whether simple click‑throughs should be treated as requests for a product or service.
Woodrow Hartzog, identified in testimony as the Andrew R. Bridal Professor of Law at Boston University School of Law, argued these distinctions matter: substantive approaches tied to use limits (the Maryland model) take dangerous practices "off the table," reduce breach risk and shift responsibility away from consumers who cannot realistically police dozens of privacy policies.
Presenters acknowledged implementation and compliance costs. Francis said effective minimization programs require data inventories, mapping, processing purpose documentation, retention schedules, vendor controls and technical safeguards such as differential privacy or de‑identification. He recommended lawmakers seek detailed examples of how each framework would apply in local contexts before adopting language.
The committee requested written testimony and curated source lists to better evaluate which model might fit Vermont's legal and economic context.
Jordan Francis, senior policy counsel at the Future of Privacy Forum, framed the issue as three models. He called the most common approach "procedural data minimization," used by many states, where a controller limits collection to what is "adequate, relevant, and reasonably necessary in relation to the purposes disclosed to the consumer." That model ties what businesses can collect to the purposes they disclose.
Francis described California's current position, shaped by the California Consumer Privacy Act (CCPA) regulations issued in 2023, as embedding a "reasonably necessary and proportionate" test and adding an inquiry into consumers' reasonable expectations (factors include relationship to the business, data type, disclosures and awareness of other parties’ involvement). "How do you figure out what a consumer would expect?" Francis asked rhetorically, noting regulators have listed factors to guide that assessment.
The third model — the Maryland Online Data Privacy Act enacted in 2024 — links minimization to the product or service: controllers must limit collection to what is "reasonably necessary and proportionate" to provide or maintain a specific product or service requested by the consumer; sensitive data receives stricter limits. Francis flagged interpretive questions for lawmakers: what counts as a product or service, how to define "reasonably necessary" versus "strictly necessary," and whether simple click‑throughs should be treated as requests for a product or service.
Woodrow Hartzog, identified in testimony as the Andrew R. Bridal Professor of Law at Boston University School of Law, argued these distinctions matter: substantive approaches tied to use limits (the Maryland model) take dangerous practices "off the table," reduce breach risk and shift responsibility away from consumers who cannot realistically police dozens of privacy policies.
Presenters acknowledged implementation and compliance costs. Francis said effective minimization programs require data inventories, mapping, processing purpose documentation, retention schedules, vendor controls and technical safeguards such as differential privacy or de‑identification. He recommended lawmakers seek detailed examples of how each framework would apply in local contexts before adopting language.
The committee requested written testimony and curated source lists to better evaluate which model might fit Vermont's legal and economic context.
View the Full Meeting & All Its Details
This article offers just a summary. Unlock complete video, transcripts, and insights as a Founder Member.
✓
Watch full, unedited meeting videos
✓
Search every word spoken in unlimited transcripts
✓
AI summaries & real-time alerts (all government levels)
✓
Permanent access to expanding government content
30-day money-back guarantee
