Data Minimization Under US State Privacy Laws: What It Means and How to Comply
What Is Data Minimization?
Data minimization is the principle that organizations should collect, process, and retain only the minimum amount of personal data necessary to fulfill a specific, stated purpose. If you do not need a piece of data to provide the product or service a consumer requested, you should not collect it.
While data minimization has long been a cornerstone of European privacy regulation under the GDPR, it is now becoming a defining feature of US state privacy laws — particularly Maryland's Online Data Privacy Act (MODPA), which takes an unprecedented approach by prohibiting all collection beyond what is strictly necessary. With Maryland enforcement beginning April 1, 2026, businesses need to understand this principle now.
Why Data Minimization Matters in 2026
The shift toward data minimization reflects a broader trend in privacy regulation: moving from a "notice and consent" model (where companies can collect anything as long as they disclose it) to a "purpose limitation" model (where collection itself must be justified). Three factors make 2026 a turning point:
- Maryland MODPA enforcement begins April 1, 2026 — the strictest data minimization law in the US takes effect, with up to $25,000-per-violation penalties
- California CPRA regulations are maturing — the CPPA's enforcement posture has tightened, with a record $2.75M Disney settlement in February 2026
- 20+ state privacy laws now in effect — each with its own version of purpose limitation, creating a de facto national standard
Which State Laws Require Data Minimization?
Not all state privacy laws approach data minimization the same way. The table below categorizes state approaches from strictest to most permissive. Use our state comparison tool to explore detailed differences.
| Approach | States | What It Means |
|---|---|---|
| Strict data minimization | Maryland | Collection limited to what is "reasonably necessary and proportionate" to provide the product or service requested. Cannot collect data for separate purposes even with consent. Sensitive data can NEVER be sold. |
| Purpose limitation with minimization language | California, Colorado, Connecticut, Oregon, Montana, Delaware, New Hampshire | Data collection must be "adequate, relevant, and reasonably necessary" for disclosed purposes. Businesses must specify purpose at collection; cannot use data for incompatible purposes without new consent. |
| Standard purpose limitation | Virginia, Indiana, Kentucky, Rhode Island, Tennessee, Iowa, Nebraska, Oklahoma | Must limit collection to what is "adequate, relevant, and reasonably necessary" for disclosed purposes. Less restrictive than Maryland — businesses have more flexibility in defining their purposes. |
| Minimal restrictions | Utah, Texas | General requirement to provide notice of data practices, but weaker or no explicit data minimization mandate. Most business-friendly approach. |
Maryland MODPA: The Strictest Approach
Maryland's Online Data Privacy Act stands out for its uniquely restrictive data minimization framework. Here is what makes it different:
- Collection limited to what is necessary for the requested service — you cannot collect data to support advertising, analytics, or any secondary purpose unless it is strictly necessary to deliver what the consumer asked for
- No "consent override" — unlike most state laws, Maryland does not allow businesses to collect unnecessary data simply because the consumer consented. Consent does not expand what you can collect.
- Sensitive data cannot be sold at all — racial, health, biometric, geolocation, and other sensitive data categories cannot be sold under any circumstances, regardless of consent
- Minors under 18 are protected from targeted advertising — businesses cannot process data of known minors for targeted advertising purposes
- Enforcement begins April 1, 2026 — the Maryland AG will begin enforcement with a 60-day cure period for initial violations, with fines up to $10,000 for first violations and $25,000 for subsequent ones
Check if your business is subject to Maryland's law with our Privacy Law Calculator.
Data Minimization in Practice: 5 Real Examples
Understanding data minimization in theory is one thing — applying it is another. Here are practical examples of what compliant vs. non-compliant practices look like:
| Scenario | Non-Compliant | Compliant |
|---|---|---|
| E-commerce checkout | Requiring date of birth, gender, and phone number to complete a purchase | Collecting only name, shipping address, email, and payment info — the minimum needed to fulfill the order |
| Newsletter signup | Asking for name, email, company, job title, revenue range, and phone number | Asking for email only — additional fields should be optional and serve a clear purpose |
| SaaS onboarding | Collecting precise geolocation data when the service does not need location information | Collecting only the account info needed to provide the service; requesting location data only if the feature requires it |
| Mobile app | Requesting access to contacts, camera, microphone, and location on first launch for a note-taking app | Requesting only the permissions actually needed, and only when the user accesses the feature that requires them |
| Customer support | Retaining full chat transcripts indefinitely, including incidental sensitive data shared during support interactions | Retaining transcripts only as long as necessary for quality assurance; redacting or deleting sensitive information after resolution |
How to Comply: A Data Minimization Checklist
Whether you are subject to Maryland's strict rules or the broader purpose limitation requirements in other states, this checklist will help you assess and improve your data minimization posture:
| Step | Action | Details |
|---|---|---|
| 1 | Inventory your data collection | Map every data element you collect across all channels (web forms, mobile apps, APIs, third-party integrations). For each field, document why it is collected. |
| 2 | Define purposes for each data element | For every piece of personal data, write down the specific purpose it serves. If you cannot articulate a clear purpose tied to the product or service, you probably should not be collecting it. |
| 3 | Eliminate unnecessary collection | Remove form fields, tracking pixels, cookies, and data-sharing integrations that collect data beyond what is needed. Make optional fields clearly optional. |
| 4 | Audit third-party data sharing | Review all third-party vendors, SDKs, and analytics tools. Ensure they only receive the data they need. Under Maryland law, you are responsible for downstream use. |
| 5 | Implement retention schedules | Set maximum retention periods for each data category. Delete data when the purpose is fulfilled. Avoid the common practice of retaining data "just in case." |
| 6 | Review sensitive data handling | Identify all sensitive data categories you process. In Maryland, these can never be sold. In other states, sensitive data requires opt-in consent. |
| 7 | Update privacy policies | Disclose the specific purposes for which you collect each category of personal data. General statements like "to improve our services" are insufficient under most state laws. |
| 8 | Conduct a DPIA | If you process data in ways that present heightened privacy risks, conduct a data privacy impact assessment as required by 15+ state laws. |
Data Minimization vs. GDPR: Key Differences
If your business already complies with the GDPR's data minimization principle (Article 5(1)(c)), you have a head start — but US state laws have their own nuances:
- GDPR: Data must be "adequate, relevant and limited to what is necessary" for the stated purpose. Enforced by Data Protection Authorities with fines up to 4% of global revenue.
- Maryland MODPA: Similar standard ("reasonably necessary and proportionate") but goes further by prohibiting consent-based expansion and banning sensitive data sales entirely. Enforced by the state AG only.
- Other US states: Generally follow a purpose limitation approach — collection must be "adequate, relevant, and reasonably necessary" — but businesses have more flexibility in defining purposes than under GDPR or Maryland.
- Key difference: GDPR applies a single standard across the EU. US businesses must navigate 20+ state laws with varying standards, making a "comply to the strictest" strategy (i.e., Maryland) the most practical approach.
Frequently Asked Questions
What is data minimization in simple terms?
Data minimization means collecting only the personal information you actually need to provide your product or service. If a data field is not essential to what the consumer requested, do not collect it. Think of it as "need to know" for business data practices.
Does the CCPA require data minimization?
The CCPA/CPRA requires that personal information collection be "reasonably necessary and proportionate" to the disclosed purposes. This is a form of data minimization, though less strict than Maryland's approach. The CPPA has indicated it will enforce purpose limitation requirements, particularly around secondary uses of data. See our California privacy law guide for details.
What happens if I violate data minimization requirements?
Penalties vary by state. Under Maryland MODPA, the AG can seek $10,000 for first violations and $25,000 for subsequent ones, after a 60-day cure period. California has imposed fines of up to $7,500 per intentional violation. Most states follow a similar AG enforcement model — see our penalties guide for a complete breakdown.
How is data minimization different from purpose limitation?
Purpose limitation means you can only use data for the purposes you disclosed at collection. Data minimization goes further: even for a valid purpose, you may only collect the minimum amount of data needed. Maryland combines both — you must have a valid purpose AND limit collection to what is strictly necessary for that purpose.
Should I just comply with the strictest law (Maryland)?
If your business operates nationally or serves consumers in multiple states, complying with Maryland's stricter standard is the most practical approach. This ensures compliance across all 20+ state privacy laws and positions your business well for potential future federal legislation. Use our Privacy Law Calculator to check which specific laws apply to your business.
Last updated: March 29, 2026.Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.