Privacy Law
Differing Data Minimization Standards: Comparing California’s CCPA and Maryland’s MODPA
By: Joe Brown
3L, Santa Clara University School of Law
Introduction
Data minimization is one of the core principles of privacy. While expressed differently across jurisdictions, the message has remained similar: entities should only collect, retain, and process personal data that is necessary for a specific purpose. This concept was designed to reduce the risk associated with excessive data collection by making sure that those who collect data do not gather more information than they need. Yet time and again, the failure to follow this principle has played a central role in some of the worst privacy incidents to date. For example, Marriott experienced a series of data breaches from 2014 to 2018 that were exacerbated by a lack of data minimization practices. These breaches exposed over 339 million guest account numbers, 5.25 million unencrypted passport numbers, and 5.2 million guest records worldwide. Much of the data that was exposed was either unnecessary for Marriott to collect or was held for significantly longer than needed. As part of the FTC settlement, Marriott was ordered to create a data minimization policy that requires personal information to be retained for only as long as reasonably necessary to fulfill the purpose for which it was collected. In response, states have considered redefining data minimization from the current majority standard. The state that has taken the boldest approach is Maryland.
This article will explore the current majority data minimization approach, examine Maryland’s newly adopted standard, and compare California and Maryland’s data minimization standards.
How The Term Data Minimization Came to Be
The idea of data minimization was first introduced by the Organization for Economic Co-operation and Development (OECD) in its Privacy Guidelines of 1980. These guidelines laid the groundwork for almost every global privacy framework that we know today. The principle was first called the Collection Limitation Principle, which stated: “There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.” From there, the principle evolved into what we know today as data minimization.
Eventually, the principle of data minimization was codified in Article 5(1)(c) of the General Data Protection Regulation (GDPR). Under GDPR, personal data must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.” Article 5(1)(c) placed a legal obligation on controllers to avoid collecting more data than they need.
While the United States lacks a comprehensive federal privacy law, individual states have implemented their own privacy frameworks over the years, all of which have included some form of a data minimization standard. Of the 19 states that have enacted a comprehensive data privacy framework, 15 have echoed a similar “GDPR approach” to data minimization. For example, in Virginia’s VCDPA, which follows the GDPR approach, a controller shall… “limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed by the consumer.”
While almost every state has followed the GDPR approach, some states like California and Colorado have created slightly different standards. One state in particular that has departed from the norm and created a stricter data minimization standard is Maryland. The state of Maryland’s new definition of data minimization could potentially have significant consequences for how data is collected.
Maryland’s New Approach
Maryland’s data minimization approach, found in the Maryland Online Data Privacy Act (MODPA) of 2024, has deviated from traditional standards in a few ways. It is less permissive in how companies can use collected data and virtually prohibits the sale of sensitive personal data.
First, in MODPA Section 14–4607(B)(1), “a controller shall limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.” This definition provides little to no leniency for how companies can use the data that they collected and leaves in question whether secondary uses such as targeted advertising, product development, or analytics are permissible.
In addition, Maryland has taken steps to prohibit the sale of sensitive personal data. Under MODPA Section 14–4607(A)(1), controllers cannot collect, process, or share sensitive data about a consumer unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” Again, this is a much higher standard than the traditional norm, which is usually based on consent. This heightened threshold is an intentional policy shift toward stronger safeguards for sensitive information, giving Maryland consumers reason to expect that their sensitive data will not be sold.
Maryland’s approach has privacy professionals curious whether this new standard will create a wave of stronger data minimization standards or remain an isolated event. Many privacy advocates have applauded Maryland for taking a stronger consumer protection approach, while industry groups are raising concerns about the feasibility of redefining the common state-level data minimization standard. MODPA becomes effective on October 1st, 2025, so by the end of the year there may be better insight into how Maryland enforces this new standard.
CCPA and Maryland Distinctions
California’s data minimization standard, as codified in Section 7002 of the CCPA, is slightly different from both Maryland’s and that of the other 15 states that follow the GDPR standard. Section 7002 states that “a business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed.”
The “necessary and proportionate” standard comes with a clear set of factors in Section 7002(d) that anyone collecting data can look to when evaluating their practices:
- The minimum personal information that is necessary to achieve the identified purpose.
- The possible negative impacts on consumers.
- The existence of additional safeguards for the personal information that specifically address those possible negative impacts on consumers.
Compared to Maryland’s approach, which generally permits data processing only when it is strictly necessary to provide a requested product or service, California allows for a more context-specific analysis. These two models reflect different policy priorities: Maryland emphasizes pushing data minimization to its limits, while the California approach evaluates data minimization practices through a case-by-case contextual analysis.
Conclusion
Maryland’s deviation from the current data minimization standard is just one example of the additional layers of complexity in the evolving U.S. privacy landscape. How other states, and potentially the federal government, respond to Maryland’s approach may determine whether Maryland sets a new precedent or remains an outlier. As AI systems increasingly rely on vast amounts of data, the tension between innovation and data minimization has become more contested than ever.