FPF: 'Substantive' Data Minimization in State Laws May Be 'Blip' or 'Paradigm Shift'
While several recent laws highlight a shift away from notice-and-choice data minimization requirements, whether they mark a true paradigm shift cannot be known until they go into effect and become enforceable, said the Future of Privacy Forum (FPF) in a report Thursday.
“The core of this debate is really the societal value of different uses of data, and whether certain data uses should be allowed, encouraged, discouraged, or prohibited by default, which itself is a proxy for major economic and political decisions with vast societal implications,” the report said. “For its proponents, this substantive turn promises to better align companies’ collection and use of personal data with consumers’ reasonable expectations. For its detractors, however, this trend threatens to upend longstanding business practices, introduce legal uncertainty, and threaten socially beneficial uses of data.”
Out of all the states that have enacted comprehensive privacy laws, a majority take the same approach to data minimization: “Collecting personal data is permitted as long as the purpose for collection is adequately disclosed; obtain consent to process personal data for new, unrelated purposes; and obtain consent to process sensitive data,” the report said. This type of framework is also called procedural data minimization, FPF said, because the three rules -- minimizing data collected and the consent requirement for both secondary uses and processing sensitive data -- all relate to the technical processes employed.
As for the other states, Utah, Iowa and Rhode Island do not have clear data minimization requirements, and Maryland and California each have their own unique rules, the report said. The Maryland Online Data Privacy Act, enacted in 2024 and set to go into effect this October, brought about the idea of substantive data minimization, which “limit[s] the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains,” the report said.
Under the Maryland law, controllers can only collect or process personal data when it is strictly necessary and they cannot sell sensitive data. These rules are considered substantive because “compliance entails a meaningful examination of the commercial relationship with the consumer, their expectations, what is ultimately being delivered to the consumer, and how each act of data collection, use, and disclosure benefits the consumer,” said FPF. Maryland’s law set an example some other states are trying to follow (see 2412300043 and 2504290048).
Privacy advocates are beginning to turn away from the traditional procedural model, labeling it as “being little more than a codification of notice-and-choice,” where “entities are free to collect whatever personal data they want, regardless of whether that data is in any way necessary for a legitimate business need, so long as the entity discloses the purpose for which it collects and uses the data in its privacy notice,” the report said. But there are still some proponents of procedural data minimization, who argue that it is “a meaningful check on unconstrained data collection,” while still being practical enough to implement.
California’s approach, under the California Consumer Privacy Act (CCPA), was a hybrid of both methods, FPF said. It has a “reasonable expectations” standard instead of “strictly necessary” when it comes to the type of information that can be processed, according to the report.
In addition to Maryland’s act, Washington’s My Health My Data Act -- in effect since March 2024 (see 2505130056) -- and the New York Child Data Protection Act -- set to go into effect this year (see 2406070065) -- both reflect substantive data minimization rules, FPF said. While these laws could lead to a “reworked information economy where businesses’ data practices align with consumer expectations,” the report warns that they could instead prove to be burdensome and lead to uncertainty or overcompliance that impedes beneficial uses of data.
“Substantive data minimization rules could be a welcome relief for covered entities who find opt-in consent requirements for sensitive data use to be overly burdensome,” said the report. While the Maryland, Washington and New York laws “all break new ground with their substantive data minimization requirements, it remains to be seen whether other states will follow suit or if this is a brief legislative blip.”
“Even if other states follow, however, the proof of the pudding is in the eating,” the FPF continued. “We will not know whether substantive data minimization truly offers a paradigm-shift until these requirements go into effect and are publicly enforced.”