Data Minimization’s Wolf Problem: Learning from Constitutional History to Design Effective Privacy Remedies
Caroline Aiello
I. Introduction
Nearly every modern privacy law restricts or seeks to limit how much data companies can collect and how they can process that data. Collectively, these provisions are known as data minimization standards. A foundational feature of privacy law, the concept of data minimization dates back to the earliest guidance and drafting of privacy laws. Widely considered a pivotal segment of a law, determining its effectiveness and severity, these provisions are hotly contested by industry leaders and consumer advocates throughout the legislative process.
For all the attention devoted to crafting an effective data minimization standard, legislators have overlooked a fundamental lesson from constitutional law: vague standards without concrete rules and meaningful remedies do not protect rights. The Fourth Amendment’s journey from an ineffective guarantee to an enforceable constitutional protection illustrates this principle. For over a decade after the 1949 holding in Wolf v. Colorado, the Supreme Court acknowledged the application of a prohibition on unreasonable searches and seizures to the states but declined to impose the exclusionary rule as a remedy.[1] During that period, the Court assumed that alternative mechanisms like tort suits and disciplinary actions would deter misconduct. As Justice Murphy warned in his dissent in Wolf, such alternatives were “deceptive,” and alternatives to exclusion were effectively no remedy at all.[2]
This Article argues that federal data privacy legislation must learn from the Fourth Amendment’s institutional history. A federal privacy law’s data minimization standard should not merely set vague standards and hope that disclosure requirements, consent mechanisms, and scattered enforcement actions will protect consumer privacy. Instead, Congress should establish specific, substantive data minimization requirements that enumerate prohibited uses of personal data, backed by federal enforcement authority and meaningful penalties that create genuine deterrence. Just as the exclusionary rule transformed the Fourth Amendment from an aspirational principle into an enforceable right, federal substantive standards with robust remedies can transform data minimization from a theoretical protection into a practical safeguard.
This Article proceeds in five parts. Part II introduces data minimization, explaining the mechanical components of the law and what business practices they regulate. Part III analyzes and introduces current data minimization laws and enforcement actions both in the United States and internationally. Part IV examines the Wolf v. Colorado to Mapp v. Ohio progression, detailing how the Supreme Court’s twelve-year experiment with state-level Fourth Amendment enforcement failed and why federalization of the exclusionary rule ultimately proved necessary. Part V makes the affirmative case for federal substantive data minimization standards, proposing specific prohibited uses rather than reliance on interpretation of a reasonableness principle, and arguing for enforcement mechanisms that go beyond nominal accountability. Part VI addresses counterarguments, including concerns about business flexibility and innovation. The Article concludes by explaining how Congress can avoid repeating constitutional history’s mistakes and instead create a federal privacy framework that makes data minimization rights real rather than rhetorical.
II. What is data minimization?
Data minimization principles and provisions are the cornerstone and defining provision of many emerging laws. A well-written data minimization provision limits the collection and processing of personal data while allowing businesses to operate, innovate, and improve their services.[3] Limiting the collection and processing of personal data achieves several objectives. First, the individual’s expectation of privacy is respected by restricting overcollection and secondary uses of personal data to align with individual expectations. Second, in the event of a data breach, a business would only possess the minimal data needed to perform a task or function, thereby minimizing the exposure of the data subject or consumer.[4] Third, when the processing of personal data is restricted to what a business needs in order to function or to what is compatible with consumer consent and expectations, a company may lower the incidence of data misuse and build defenses against legal liability when in compliance with data minimization laws. Data minimization laws tend to follow the lifecycle of personal data, laying down standards from the moment a company collects a piece of information to when that data is no longer needed and if or when it should be deleted.[5]
The origins of data minimization date back to the earliest data privacy laws and guiding principles. The Fair Information Practice Principles (“FIPPs”), developed in the 1970s, encourage companies to collect only the data necessary to complete an action and to limit the use of the information.[6] Although they are not binding law, the FIPPs guide internal government policies and their principles have been adopted by multiple state, federal, and international laws.[7] Foundational privacy laws, like the European General Data Protection Regulation (the “GDPR”), codified strict data minimization provisions that became a key restriction under the law.[8] The FIPPs have guided U.S. privacy laws as well. The Federal Privacy Act of 1974 was passed to maintain individual privacy in government records by embodying the Fair Information Practice Principles.[9]
Data minimization restrictions are either procedural restrictions on data collection and processing or they are substantive restrictions.[10] Procedural restrictions require a business to fulfill a procedural requirement, like a consent mechanism or risk assessment, before processing and collecting personal data.[11] Substantive requirements are restrictions on whether or not collection and processing can occur based on the reason that a company wants to use the data.[12] Substantive limitations are more onerous for a business and cost them more in lost profits, potentially disallowing highly profitable data uses like targeted advertising.[13] Some state privacy laws place a combination of procedural and substantive limitations on the collection and processing of data.[14] California, for example, requires businesses to provide an opt-out mechanism for selling and sharing data at the point of collection.[15] After collection, the law also sets out restrictions on how that data can be used, even with the procedural requirements met.[16]
Achieving lawful data minimization and abiding by U.S. state law standards as well as international standards requires finding a balance between collecting enough information to function and restricting enough to prevent threats to an individual. Not collecting enough information and being unable to complete a customer request frustrates business and consumer needs and may lead to enforcement action. Collecting too much data, on the other hand, is more likely to be violative of data minimization provisions.
This Article focuses on data minimization provisions in privacy laws for three main reasons. First, data minimization provisions are widely considered one of the most important substantive restrictions for drafting an effective privacy law and are among the most contested provisions when drafting or considering new legislation.[17] Second, most data minimization provisions in U.S. privacy laws have made the mistake of providing a vague standard for this critical provision and failed to provide concrete rules and restrictions meant to enforce the standard.[18] Finally, data minimization is a preventative privacy protection, rather than a reactive one. Done right, data minimization rules deter conduct that violates an individual’s expectation of privacy and rights over the use of their information.
a. Collection limitations
Obligations between a consumer and a business arise at the moment of collection.[19] Collection can occur when a consumer logs into public Wi-Fi, purchases from an online store, or drives past a billboard on a highway. In these and endless other scenarios, a business is faced with several questions: What data are they going to collect from this interaction? And how are they going to collect it? Laws range from limiting collection to the strictly necessary data categories[20] to remaining silent on the issue.[21] Certain categories of data reveal intimate details of a person’s life and are prohibited from collection.[22] Under COPPA, for example, games may not collect any personal information from children under the age of thirteen without verifiable parental consent.[23] Under HIPAA, entities may only collect the minimum necessary protected health information to achieve a specified purpose.[24] Collecting more information from children, healthcare patients, and others may result in substantial penalties for businesses, regardless of how they intend to use it.
In many state laws, collection limitations often align with processing limitations and fall under the same standard. For example, in Virginia, collection of information must be “adequate, relevant, and reasonably necessary” for the disclosed purposes,[25] and processing activity must be “reasonably necessary and compatible with disclosed purposes.”[26] Although the phrasing differs slightly, both standards operate on the same reasonableness framework, leaving businesses to determine what qualifies as “reasonably necessary” at each stage of the data lifecycle.
b. Processing limitations
Once the business collects the data, more questions arise. Primarily, what is a business allowed to do with personal data they’ve collected? If they know a user’s precise location, can they use that information to advertise local businesses? As mentioned, the collection and processing standards are often rolled into a single provision. Some states, however, have written special provisions to heighten the processing standard for certain types of data or to prohibit data processing for certain purposes. The Maryland Online Data Privacy Act, for example, prohibits the selling of sensitive data, even with consent, as well as the processing of minors’ data for targeted advertising.[27]
Processing restrictions are often the most onerous, liability-laden provisions of data minimization laws. Standards are vague, with only some states publishing guidance and regulations to assist courts and companies with interpreting this portion of the law.[28] Processing limitations have vast implications for the business and their ability to improve their product, provide new services, or analyze consumer behavior. In the following sections, this Article will detail how various jurisdictions approach the problem of processing limitations and the kinds of restrictions placed on businesses. For courts tasked with interpreting these provisions, the lack of clear statutory guidance creates challenges in consistently applying data minimization standards across different cases and industries, potentially leading to unpredictable outcomes that make compliance even more difficult for businesses to navigate.
c. Retention limitations
After collection and processing are complete, many businesses retain data for future uses or in case they need it down the line. Most data stored is archival, meaning it is not being used currently, but is stored for a future purpose.[29] This creates risk for consumers and data subjects. Indefinitely storing personal information leaves it at a high risk of exposure, corruption, or accessibility issues.[30] Companies with poor retention practices or unclear retention policies face a significantly higher risk of a costly data breach than those with automated and process-oriented deletion procedures.[31] Although retention is less discussed in the data minimization debate, it is equally important to protect individuals from harms associated with poor data hygiene.[32]
The standard for retaining personal data is generally a reasonableness requirement. Unless retention is required by law, regulations like the GDPR require that companies delete personal information when a contract expires or an agreement lapses.[33] Retention and deletion have created some practical issues for businesses. Some state laws have implemented provisions that allow a business to retain enough consumer information to continue functioning and effectuating consumer rights despite deletion requests. In Maryland’s law, for example, companies are allowed to retain enough personal information to effectuate a consumer request to opt out of processing or advertising.[34] This acts as a safeguard to make sure that consumers who make a certain choice about their personal data have their request honored continuously.
Understanding these three pillars (collection, processing, and retention) is essential background for evaluating whether data minimization laws effectively protect privacy. But understanding the mechanics of data minimization standards reveals only half of the story. The other half concerns standards and enforcement: how do existing laws address these mechanics? And how do we ensure these standards are followed? This question is not new to American law. More than seventy years ago, the Supreme Court confronted a remarkably similar problem in the context of the Fourth Amendment. That constitutional experience offers profound lessons for privacy law today.
III. Current Data Minimization Standards
With the basic mechanics of data minimization established, we now turn to how these principles have been implemented in existing law. Although nearly every modern privacy regime embraces data minimization as a core concept, jurisdictions vary significantly in how they define its scope, structure its obligations, and enforce its requirements. Current data minimization laws range from broadly framed reasonableness standards to detailed, use-based prohibitions, adopted across comprehensive state statutes, sectoral federal laws, agency enforcement actions, and international frameworks.
a. Comprehensive state privacy laws
Current data minimization laws in the United States have adopted one of three general approaches. The majority of U.S. states align with one another. Under the majority approach, a business must limit the collection of personal data to what is “adequate, relevant, and reasonably necessary in relation to the purposes . . . disclosed to the consumer.”[35] Regarding sensitive data, most state laws require the consent of the consumer before the business may process that data.[36] Beyond this majority standard, two states are outliers on the issue of data minimization. Maryland and California have unique approaches to the law, with California’s law being further complicated by detailed regulation and heavy-handed enforcement.[37]
The Maryland Online Data Privacy Act (MODPA), passed in May 2024, disrupted established standards for data minimization in state laws.[38] Maryland’s law provided stricter collection and processing restrictions in addition to blanket prohibitions not present in any other law passed at the time.[39] MODPA requires several novel standards: that businesses limit collection and processing of personal data to what is “reasonably necessary for a product requested by the consumer.”[40] The law requires heightened standards for sensitive (including minors’) data, prohibiting the sale of sensitive data and the use of minors’ data for targeted advertising.[41] These restrictions drew backlash from industry, citing the impossibly restrictive standards and the crippling effect on data-driven businesses.[42] This criticism has prompted the Maryland legislature to consider amendments to the data minimization standard to better align with other states and loosen the grip on businesses.[43] The new standard would mirror the language of the majority view described above, incorporating the “adequate” and “reasonably necessary” language as a replacement for “strictly necessary.”[44] As expected, this amendment has been supported by industry participants,[45] but has drawn criticism from privacy advocacy groups who support stricter data practices.[46]
The California Privacy Protection Act (CPPA) also uniquely restricts the collection and processing of personal data. Instead of unitary standards based on the type of personal data, the CPPA and accompanying regulations outline a factor-based analysis of data minimization.[47] A business must limit their collection of personal data to what is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . . .”[48] The processing must also be compatible with the context of collection.[49] The regulations instruct the business to consider a number of factors to determine what qualifies as “reasonably necessary and proportionate,” as well as how to analyze whether or not certain processing meets the compatibility requirement of the law.[50] Under the CCPA, businesses are required to consider the following factors: the consumer’s relationship with the business; the type, nature, and amount of personal information to be collected or processed; the source of the personal information; the specificity and prominence of disclosures to consumers regarding their data; and the degree to which third parties are involved.[51] Recently, the CCPA issued a decision regarding a settlement with clothing retailer Todd Snyder.[52] Among other violations, the company required that customers provide photographs of their identification to effectuate certain privacy rights.[53] According to the settlement, they “unlawfully required Consumers to submit more information than necessary . . . to exercise privacy rights.”[54] The company was fined over $300k and the CCPA ordered the company to enact even more stringent privacy protections for their consumers, some within three months of the order.[55]
Outside of Maryland and California, states with explicit data minimization provisions in their comprehensive privacy laws establish the following standard: that collection and processing of personal data must be “adequate, relevant, and reasonably necessary” for the purposes disclosed to the consumer.[56] So far, this is the majority view of how to write a data minimization provision and one that is being advocated for at the federal level.[57] However, consumer rights organizations argue that this standard is not an effective standard at all.[58] They argue that allowing businesses to use personal data for any purpose, as long as they disclose it to the consumer, is not an effective protection.[59] Disclosure and consent mechanisms levied constantly on consumers reduce the effectiveness of the disclosures and allow companies to exhaust consumers into agreement.[60]
Analyzing data minimization under most state laws is a fact-specific analysis that requires businesses to thoroughly assess how and why they collect data. Complying with this variety of state laws is challenging for businesses. Understanding how to apply which standard, when, and for whom, is an expensive-to-execute and costly-to-get-wrong set of questions.
Since Maryland’s law was passed, numerous states have sought to pass similarly strict laws that mirror the restrictions in MODPA. Recently, the Maine Legislature heard testimony on a proposed bill with a data minimization provision that looks identical to Maryland’s.[61] Maine’s new privacy bill would prohibit the collection and processing of personal data unless it is reasonably necessary for a specific product or service requested by the consumer, and with regard to sensitive data, collection and processing would need to be strictly necessary.[62]
In Massachusetts, the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity introduced the Massachusetts Data Privacy Act, which restricts the collection and processing of personal data to what is reasonably necessary for the requested product or service.[63] Sensitive data, again, requires more protections.[64] Nestled within the Massachusetts law is a location data protection bill called the Location Shield Act, which lays out explicit “permissible purposes” for precise location data.[65] The more strict privacy laws go into effect in the United States without a federal standard, the more frustrating and expensive compliance in this space will become.
b. Sectoral state and federal
In addition to comprehensive state privacy law, specific federal and state privacy laws are written to protect different types of information under limited circumstances. Many of these sectoral laws, at their core, are data minimization laws prohibiting or restricting the collection and use of certain types and categories of personal information. Examples include Washington’s My Health My Data Act (WMHMDA), the FTC’s Children’s Online Privacy Protection Rule (COPPA), and the Health Insurance Portability and Accountability Act (HIPAA).
The FTC passed the Children’s Online Privacy Protection Rule in 1998, as a protective mechanism for children on the internet and to allow parents to control what information about their children is processed and used for purposes like targeted advertising.[66] Under COPPA, “an operator must retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.”[67] The law also lays down significant processing restrictions for data of children under the age of 13.[68] The goal of COPPA, to protect children online from privacy violations and malicious advertising techniques, is accomplished through strict prohibitions and requirements if a business wants to monetize their collection and processing of children’s data.[69] The rule applies to websites, video games, social media, and internet-connected home devices.[70] The sensitivity of children’s data and their vulnerability to online attacks consistently motivates agencies and legislatures to pass protective rules and laws. Currently, a bill known as the Kids Off Social Media Act is progressing through Congress, which would prohibit social media platforms from feeding algorithmic recommendations to children under a certain age or from allowing them to have profiles at all.[71]
In addition to children’s data, a long-recognized category of data that holds particular sensitivity is consumer health data. While some laws now protect this data at a state-level, HIPAA has been the precursor to these privacy laws, establishing strict protections and rights an individual has regarding their health data.[72] The law prioritizes the privacy and security of health information, and the rights of the patient to take their data with them (portability) when they switch providers or insurers.[73]
WMHMDA also restricts the collection of consumer health data to what is necessary to provide a product or service requested by the consumer.[74] Collection is also limited by consent requirements and limitations on the subsequent use of consumer data.[75] The motivation for these privacy laws varies but may sometimes be in response to a political climate, technological advancement, or court ruling.[76] One of the arguments against preemption of state laws by a federal privacy law is the adaptability and agility of state laws, and their ability to pivot their regulatory requirements or expeditiously pass amendments in the wake of a new need.[77]
c. Comprehensive federal and agency action
Although the United States does not yet have a comprehensive federal privacy law, there are still notable restrictions on the collection and use of personal information contemplated and enforced at the federal level.
Most notably, the recent draft of federal privacy legislation contained significant restrictions on data collection and processing. The American Privacy Rights Act (APRA) that failed to pass in 2024 went beyond setting a standard for collection and use of data.[78] Instead, the law enumerated specific uses for which a business was permitted to process data.[79] This iteration of data minimization drew criticism on the grounds that it failed to future-proof the regulation of technology and was overly restrictive on American business.[80] In February 2025, the House Working Group of the Energy and Commerce Committee published a request for information, soliciting feedback on the potential drafting of a new federal privacy law.[81] Many organizations, trade associations and non-profits submitted commentary. Consumer advocacy groups argue consistently for a strong and strict data minimization provision that substantially restricts a business’s ability to collect and process the information of users.[82] On the opposite side of the debate are businesses and industry groups advocating for a more relaxed standard for data minimization.[83] Ad-tech companies, for example, have a large stake in the debate. Because ad-tech companies rely on personal (and sometimes sensitive) data to provide their services, they argue for a protective but not hyper-restrictive law.
Federal agencies also have a history of enforcing data minimization principles. The Federal Trade Commission (FTC) has brought enforcement actions against companies under Section 5 of the FTC Act, alleging violations of key data minimization principles and practices.[84] In 2019, the FTC settled an enforcement action against CafePress, which arose, in part, due to the company’s indefinite retention of sensitive personal information.[85] The FTC further mandated the company to “minimize data collection, storage, and retention” to mitigate future breaches and attacks.[86] Even without a federal statute in effect to instruct on the standard for permissible collection, processing, and retention, federal agencies have a robust history of penalizing over-collection,[87] misrepresentation of processing,[88] and irresponsible retention.[89] In another enforcement action against Drizly, an online alcohol marketplace, an FTC investigation found primarily security vulnerabilities in Drizly’s information management program.[90] Despite the allegations not being directly related to data minimization violations, the Federal Trade Commission determined that implementing proper data minimization was an adequate remedy for preventing similar missteps in the future.[91] Drizly was required to do the following as a result of the enforcement action: destroy any personal data no longer necessary to provide its services and limit their future data collection unless it is necessary for specific purposes and is subject to a retention and deletion schedule.[92] In this case, the company was held liable for the infractions, as well as its CEO.[93] Rellas, who was responsible for overseeing Drizly’s security practices, was held personally liable for the infractions, ensuring that the blemish remains on his record, even upon departure from Drizly.[94]
Although not explicitly a data minimization law, the Department of Justice’s new Rule on the Transfer of Bulk Sensitive Personal Information is another federal-level restriction on the sale of personal information.[95] Before the rule was passed, some commentators noted that the federal government could address the national security risks it was concerned with by implementing certain privacy protections on personal data.[96] However, the Department of Justice addressed this comment by indicating that privacy protections address unlawful acts that harm privacy interests, whereas the DOJ rule and other national security measures are concerned with the impact of lawful and otherwise permissible activity.[97]
d. International
Most jurisdictions outside the United States that have successfully passed comprehensive federal privacy legislation have codified a data minimization standard at a national level. The GDPR provision on data minimization has similar restrictions to many of the U.S. state laws. Article 5(1)(c) states that “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”[98] This means that collection and processing must be adequate to fulfill the stated purpose, clearly connect to the processing purpose, and no more data than is needed is collected.[99]
The European Data Protection Authorities (DPAs) aggressively bring enforcement actions under the GDPR. Cases have been brought against major retailers, software companies, and even governmental entities for collecting more data than needed, or for using it for purposes unrelated to the collection. The European Union and its Data Protection Authorities have famously cracked down on Meta and their privacy practices in Europe.[100] The GDPR’s restrictive provision was interpreted in this case to prevent companies from collecting and using personal data for targeted advertising unless there were time restrictions on the usage of the information, which Meta had not implemented.[101] The French data protection authority, the Commission Nationale de L’Informatique (CNIL), fined an online clairvoyance service hundreds of thousands of euros after they failed to obtain consent for collecting and processing sensitive personal data.[102] The company recorded calls between consumers and clairvoyants beyond what was needed for service quality and training.[103] As shown, the Data Protection Authorities in Europe are performing granular inspections of company data practices. But they are not the only jurisdiction taking this practice seriously.
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) also requires data minimization protocols.[104] Under PIPEDA, businesses may not collect more personal data than is reasonably necessary for the disclosed purpose.[105] There must be a direct relation between the collection and the purpose disclosed, with “just in case” collection prohibited under the law.[106] Canada has also brought extensive fines down on companies who violate the principles under the data minimization provision. In a case against Tim Hortons, the Privacy Commissioner of Canada fined the coffee chain for collecting information for the purposes of targeted advertising, and never using it.[107] Interestingly, even though the company obtained “adequate consent,” choosing not to use the data made the collection of the information unlawful.[108] The company collected vast amounts of personal data, tracking app users at home and at work to determine when they were visiting a competitor.[109] Other enforcement actions under PIPEDA are brought because businesses gave no reason for retaining personal data, collected too much data to achieve a specified purpose, or indefinitely retained personal information.[110]
The jurisdictional variety and escalating regulatory complexity surveyed above create significant challenges for both businesses and consumers. Most state data minimization laws require that data collection be “adequate, relevant, and reasonably necessary” for disclosed purposes, but offer little concrete direction on what this means in practice. Federal agencies bring enforcement actions for data minimization violations even without explicit statutory authority, while international regulators impose massive fines for the same conduct.
This predicament is not unique to privacy law. The parallels between Fourth Amendment jurisprudence and contemporary data minimization law are striking. Like today’s data minimization standards, the Fourth Amendment prohibits “unreasonable” searches and seizures, a standard as vague as “adequate, relevant, and reasonably necessary.” Like data minimization laws, Fourth Amendment protections were recognized as fundamental long before effective enforcement mechanisms existed. And like current privacy legislation, Fourth Amendment jurisprudence in the Wolf to Mapp era grappled with questions of federalism, scale, and the effectiveness of alternative remedies.
IV. A Lesson from Constitutional Law: The Fourth Amendment’s Journey from Vague Standard to Enforceable Right
The Fourth Amendment’s evolution from 1949 to 1961 demonstrates what happens when courts recognize a right but fail to provide meaningful remedies for its violation. This twelve-year period serves as a natural experiment in the efficacy of vague standards coupled with weak enforcement mechanisms.
In 1949, the Supreme Court recognized Fourth Amendment protections as fundamental for the same reason that a federal privacy law is being discussed today. Privacy violations of the kind the Fourth Amendment addresses were frequent and, until that point, unenforced at the state level. Coming just a few years after the end of World War II, the Court also noted the importance of acknowledging “recent history” in its decision to incorporate the Fourth Amendment and maintain rights it saw as “basic to a free society.” The Court emphasized that the right against arbitrary intrusion was “implicit in the concept of ordered liberty,” drawing on centuries of Anglo-American constitutional tradition dating to British common law protections against general warrants.
These same factors apply to privacy law and data minimization today. Private sector data collection constantly grows in both scale and intimacy. Recent history, including the Cambridge Analytica scandal and regular, catastrophic data breaches, demonstrates what happens when data collection operates without meaningful constraints. Like the Fourth Amendment, data minimization principles trace to foundational privacy concepts such as the Fair Information Practice Principles, giving them historical pedigree as essential protections in democratic societies.
a. Wolf v. Colorado (1949): The Failure of Vague Standards Without Federal Remedies
The Fourth Amendment guarantees “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.”[111] In Wolf v. Colorado, the Colorado Supreme Court had upheld convictions in which evidence was admitted that would have been inadmissible at the federal level as obtained in violation of the Fourth Amendment.[112] On appeal, the Supreme Court held that the Fourth Amendment applied to the states through the Fourteenth Amendment but declined to impose the exclusionary rule on the states as a remedy for Fourth Amendment violations.[113] On incorporating the Fourth Amendment, the Court reasoned: “The security of one’s privacy against arbitrary intrusion by the police—which is at the core of the Fourth Amendment—is basic to a free society. It is therefore implicit in ‘the concept of ordered liberty’ and as such enforceable against the States through the Due Process Clause.”[114] When it came to imposing the exclusionary rule on the states, however, the Court refused, finding that the exclusionary rule is not an essential part of the Fourth Amendment but merely one possible remedy. The Court determined that states should have the flexibility to develop their own enforcement mechanisms against violations, and that alternatives like civil suits and disciplinary actions could be effective deterrents.[115]
The twelve years following the Wolf decision proved this reasoning wrong. Most notably, the California Supreme Court presented a damning review of the effectiveness of these remedies in 1955 in People v. Cahan. In that case, California joined a number of other states in reversing course on the exclusionary rule and adopting it as a Fourth Amendment remedy.[116] According to the California Supreme Court, “[O]ther remedies ha[d] completely failed to secure compliance with the constitutional provisions on the part of police officers with the attendant result that the courts under the old rule ha[d] been constantly required to participate in, and in effect condone, the lawless activities of law enforcement officers.”[117] California articulated what had become a reality across the country: the absence of an exclusionary remedy left no effective remedy at all.[118]
Finally, in 1961, the Supreme Court overruled Wolf in Mapp v. Ohio. Acknowledging the ineffectiveness of alternative remedies, the Court concluded that exclusion of illegally obtained evidence was the only effective remedy and began imposing the rule on the states.[119] Its core finding that other remedies had been “worthless and futile” compelled it to overrule Wolf.[120] The Wolf to Mapp era exposed the shortfalls of federal protections that lack federal remedies. Vague standards and weak enforcement, at best, give alternative protections a slim chance of success and, at worst, condone unconstitutional behavior and violations of the law.
b. The Lesson for Privacy Law
Current state data minimization laws occupy the same precarious position as Fourth Amendment protections between Wolf and Mapp. Like data minimization’s “adequate, relevant, and reasonably necessary” standard, the Fourth Amendment’s prohibition on “unreasonable” searches established a principle without defining its contours or specifying remedies for violations. The question of how to enforce this constitutional command, and whether federal intervention was necessary, occupied the Supreme Court for decades and culminated in two landmark decisions that offer instructive parallels for modern privacy law. Just as Wolf’s faith in state-level alternatives to the exclusionary rule proved misplaced, the current approach to data minimization demonstrates that disclosure-based remedies and flexible reasonableness standards cannot effectively protect privacy rights.
Despite the proliferation of state data minimization laws, over-collection and misuse of personal data continue. The Federal Trade Commission’s 2024 report on social media companies found “vast surveillance” of users with “lax privacy controls.”[121] Enforcement actions remain rare, and when they occur, they typically address only the most egregious violations by the largest companies. Small and mid-sized businesses face virtually no risk of enforcement. The Wolf era of Fourth Amendment violations was the same. Alternative remedies like civil lawsuits and disciplinary action were few and far between.[122] Getting courts to exclude illegally obtained evidence was even harder if the state had not adopted the exclusionary rule as law.[123] Balancing society’s interest in convicting a guilty individual against the individual’s interest in their Fourth Amendment rights almost always ended in favor of admitting the evidence. Only the most egregious Fourth Amendment violations tilted the calculus in favor of the defendant’s constitutional rights,[124] meaning less severe violations went undeterred and unpunished.[125] In order to avoid replicating Wolf’s failures, a federal privacy law must be specific in its prohibitions, clear in its remedies, and severe in its penalties.
V. The Path Forward for Data Minimization: Designing a Provision to Avoid Recreating Wolf’s Mistakes
Justice Louis Brandeis, co-author of the foundational article The Right to Privacy, wrote about the relationship between state and federal lawmaking in his dissent in New State Ice Co. v. Liebmann, describing the states as “laboratories of democracy.”[126] To Justice Brandeis, one of the benefits of state lawmaking was the ability of states to experiment with different models of legislation without threatening the national structure.[127] So far, these benefits of federalism have not materialized in the privacy law space. Privacy laws passed in one state are inevitably felt in another. California, for example, is the fourth-largest economy in the world.[128] It accounts for a disproportionately large share of the United States’ gross domestic product.[129] Given the scale of California’s economy, and especially the size of its technology industry, any technology regulation passed in California will be felt across the country. Privacy lawyers practicing outside California must understand and be able to implement its complex regulations, even if they are based on the other side of the country. Operating as “laboratories of democracy” in the technology space has not yet been achieved and may not be possible given the sprawling nature of data practices. Consistency and federalization of privacy protections are necessary and inevitable.
Given the inevitability of a federal privacy law, considering the content of critical provisions is the most difficult task. Federal data minimization law, in particular, must move beyond procedural requirements to establish substantive limitations on data collection and processing. The standard should prohibit specific harmful uses of data rather than merely requiring disclosure of those uses. This approach offers several advantages over the current disclosure-based model.
First, substantive prohibitions are easier to enforce. Instead of requiring regulators to parse whether a business adequately disclosed a particular use in a 10,000-word privacy policy, enforcement can focus on whether the business engaged in the prohibited conduct. This is analogous to the exclusionary rule: rather than requiring case-by-case litigation over whether police violated the Fourth Amendment and whether the particular plaintiff can prove injury, courts simply ask whether the evidence was obtained in violation of the Fourth Amendment. If so, it is excluded. Similarly, if a business uses data in a prohibited manner, liability attaches regardless of what disclosures appeared in the privacy policy.
Second, substantive standards better protect consumers by preventing harm before it occurs rather than compensating for it afterward. The Fourth Amendment’s core concern is preventing government overreach, not merely providing damages after unconstitutional searches occur. Data minimization law should similarly focus on preventing harmful data practices rather than relying on after-the-fact enforcement. Prohibiting specific uses, such as using consumer data to build or deploy dark patterns, or indefinitely retaining data without a documented business justification, prevents these harms at the source.
Third, substantive standards provide clarity to businesses. The current patchwork of vague and variant standards leaves businesses guessing about compliance. By contrast, clear prohibitions on specific practices give businesses bright-line rules. A business knows it cannot use consumer location data to surveil visits to competitors (as Tim Hortons did in Canada) or indefinitely retain sensitive personal information without a retention schedule (as CafePress did).[130] These are not vague balancing tests but concrete prohibitions.
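As an added illustration of what such bright-line rules look like once implemented (example code written for this page, not code from the article or from any regulator; the coffee-ordering app, its purposes, field names and retention periods are hypothetical), the following Python gate enforces the three concrete prohibitions just named: fields not needed for the declared purpose are refused at collection time (no “just in case” collection), data collected for one purpose cannot be used for an undeclared one such as inferring competitor visits from location data, and records are purged once their documented retention period lapses rather than being kept indefinitely.

```python
"""Purpose-bound data minimization gate (added example; hypothetical policy)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class MinimizationError(ValueError):
    """Raised when collection or use exceeds the declared purpose."""


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: frozenset        # the only fields this purpose justifies collecting
    retention: timedelta     # documented retention schedule for those fields
    justification: str       # written business justification for that schedule


# Hypothetical policy for a coffee-ordering app (example values, not a real policy).
POLICY = {
    "order_fulfilment": Purpose(
        "order_fulfilment",
        frozenset({"user_id", "order_items", "pickup_store"}),
        timedelta(days=90),
        "needed to prepare the order and resolve disputes about it",
    ),
    "store_locator": Purpose(
        "store_locator",
        frozenset({"user_id", "coarse_location"}),
        timedelta(hours=1),
        "needed only while the user is looking up nearby stores",
    ),
}


@dataclass
class Record:
    purpose: str
    data: dict
    collected_at: datetime


def collect(purpose_name, submitted, now):
    """Collection-time gate: keep only the fields the declared purpose justifies.

    Returns (record, dropped); dropped lists the "just in case" fields refused.
    An undeclared purpose is rejected outright, so nothing enters the store
    without a purpose and a retention period attached.
    """
    try:
        purpose = POLICY[purpose_name]
    except KeyError:
        raise MinimizationError(f"no declared purpose {purpose_name!r}") from None
    kept = {k: v for k, v in submitted.items() if k in purpose.fields}
    dropped = sorted(k for k in submitted if k not in purpose.fields)
    return Record(purpose_name, kept, now), dropped


def use(record, purpose_name):
    """Use-time gate: data may only be used for the purpose it was collected for.

    A use that was never declared (for instance, inferring competitor visits
    from location data) fails here whatever a privacy policy disclosed.
    """
    if purpose_name not in POLICY:
        raise MinimizationError(f"{purpose_name!r} is not a declared purpose")
    if purpose_name != record.purpose:
        raise MinimizationError(
            f"record collected for {record.purpose!r} cannot be used for {purpose_name!r}"
        )
    return record.data


def sweep(store, now):
    """Retention sweep: return only records still inside their retention period.

    Run on a schedule; anything whose period has lapsed is deleted instead of
    being retained indefinitely.
    """
    return [r for r in store if r.collected_at + POLICY[r.purpose].retention > now]


if __name__ == "__main__":
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    rec, dropped = collect(
        "store_locator",
        {"user_id": "u1", "coarse_location": "51.5,-0.1",
         "precise_location": "51.5074,-0.1278", "contacts": ["..."]},  # constructed input
        now,
    )
    print("kept:", sorted(rec.data), "refused:", dropped)
    try:
        use(rec, "competitor_visit_inference")
    except MinimizationError as e:
        print("blocked:", e)
    print("records left two hours later:", len(sweep([rec], now + timedelta(hours=2))))
```

The design point is that the policy table is the only place a purpose, its permitted fields and its retention period are declared, so a new field or a new use cannot be added “just in case”: it has to be written into the table with a justification before `collect` or `use` will accept it, and `sweep` deletes on the same schedule the table documents.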
With substantive standards established, the law must also provide a meaningful remedy. The exclusionary rule worked not because it punished individual police officers but because it removed the incentive for unconstitutional searches: illegally obtained evidence could no longer be used to secure a conviction. Consumers who can prove a business violated data minimization provisions should be entitled to statutory damages or actual damages, whichever is greater, and to injunctive relief requiring the business to cease the violating practice and delete the illegally obtained data. Statutory damages are necessary because actual damages are often difficult to prove in privacy cases, one of the reasons that alternative remedies have failed.[131] Injunctive relief is necessary because it removes the incentive for businesses to over-collect. Fines and monetary relief alone are often insufficient against large companies that earn more from continuing to use the data in violation of an enforcement action than the fine costs them.[132]
VI. Against Rigid Substantive Standards: Why Flexibility and Disclosure Serve Innovation and Consumer Welfare
Introducing such a strict, expensive, federal law will inevitably come with pushback. The European experience with GDPR demonstrates the costs of strict regulation on businesses. Industry advocates argue that a federal law modeled on rigid prohibitions would import these costs to the United States. The Information Technology and Innovation Foundation estimates that an EU-style privacy law would cost the U.S. economy approximately $122 billion per year.[133] These costs are then passed to consumers through higher prices, reduced service quality, or elimination of free services entirely.[134]
The same argument was made against the exclusionary remedy: that the cost of such a restrictive and consequential rule outweighed its constitutional benefits. In People v. Defore, then-Judge Cardozo lamented that application of the exclusionary rule would mean that “[t]he criminal is to go free because the constable has blundered.”[135] In this famous statement, he expressed his view that the officer’s constitutional violation was not serious enough to warrant throwing out the evidence, and potentially the conviction. Ultimately, the New York Court of Appeals in Defore affirmed the conviction despite the Fourth Amendment violation.[136] A strict and consequential data minimization rule would be costly. Companies would suffer financial losses and be forced to find alternatives to the data processing practices that have allowed the current technology market in the United States to thrive. Nevertheless, if American legislators are serious about creating meaningful and enforceable privacy protections, history has demonstrated the ineffectiveness of anything less deterrent than onerous obligations and costly mistakes.
VII. Conclusion
The history of the Fourth Amendment’s incorporation offers Congress a clear warning and an equally clear path forward. Wolf v. Colorado demonstrated that recognizing a right without supplying concrete rules and meaningful remedies does not protect that right at all. Vague standards, coupled with faith in alternative enforcement mechanisms, produced a constitutional guarantee that existed largely on paper. Only when the Supreme Court federalized enforcement through the exclusionary rule did the Fourth Amendment become a practical constraint on government conduct rather than a rhetorical commitment to privacy.
Privacy law now stands at a similar crossroads. Current legislation has adopted data minimization as a foundational principle, recognizing the importance of regulating what businesses collect about individuals and what they do with it. However, the laws in place rely on open-ended reasonableness standards with lackluster enforcement. These mechanisms mirror the failed alternatives of the Wolf era: they presume compliance without deterrence and protection without consequence. As a result, over-collection, expansive secondary uses, and indefinite retention persist despite the formal existence of data minimization obligations. Without clearer substantive limits and stronger remedies, data minimization risks becoming the modern equivalent of the pre-Mapp Fourth Amendment: acknowledged, but ineffective.
[1] See generally Wolf v. Colorado, 338 U.S. 25 (1949) (holding that exclusionary rule does not apply to states).
[2] Id. at 41.
[3] See generally Ian Tick, Why Data Minimization is a Key Principle of Data Privacy, K2view (Nov. 30, 2023) (explaining the purpose of data minimization and its relationship to business functionality) https://www.k2view.com/blog/data-minimization/.
[4] Id.
[5] Glossary, European Data Protection Supervisor, https://www.edps.europa.eu/data-protection/data-protection/glossary/d_en. “[D]ata controllers should collect only the personal data they really need, and should keep it only for as long as they need it.”
[6] Fair Information Practice (FIPP’s), Federal Privacy Council, https://www.fpc.gov/resources/fipps/.
[7] Cheryl Saniuk-Heinig, 50 Years and Still Kicking: An Examination of FIPPs in Modern Regulation, IAPP (May 25, 2021), https://iapp.org/news/a/50-years-and-still-kicking-an-examination-of-fipps-in-modern-regulation.
[8] Regulation (EU) 2016/679, art. 5(1)(c), 2016 O.J. (L 119) 1, 35 (General Data Protection Regulation).
[9] Office of Privacy and Civil Liberties, Privacy Act of 1974, U.S. Dep’t of Just. (updated Oct. 4, 2022), https://www.justice.gov/opcl/privacy-act-1974.
[10] Jordan Francis, Unpacking the Shift Toward Substantive Data Minimization Rules in Proposed Legislation, IAPP (May 22, 2024), https://iapp.org/news/a/unpacking-the-shift-towards-substantive-data-minimization-rules-in-proposed-legislation.
[11] Id.
[12] Id.
[13] Hunton, CJEU Rules that Principle of Minimization Limits the Personal Data that Can Be Used for Targeted Advertising, Privacy and Information Security Blog (Oct. 15, 2024), https://www.hunton.com/privacy-and-information-security-law/cjeu-rules-that-principle-of-minimization-limits-the-personal-data-that-can-be-used-for-targeted-advertising.
[14] Saniuk-Heinig, supra note 7.
[15] Cal. Civ. Code §§ 1798.100(b)–(c), 1798.120(a).
[16] Id.
[17] Francis, supra note 10.
[18] Perhaps with the exception of California, who have engaged in robust rulemaking around their regulations and provided clearer rules that expand on the language of the CCPA.
[19] State laws generally require procedural protections in place at the moment of collection and assess the reasonableness and contextual appropriateness of collection based on circumstances at the moment of collection.
[20] Md. Code Ann., Com. Law § 14-4704 (West 2024); American Privacy Rights Act of 2024, H.R. 8818, 118th Cong. § 102 (2024) (as introduced June 25, 2024).
[21] See Iowa Code § 715D.1 et seq. (2024).
[22] Md. Code Ann., Com. Law § 14-4707(3).
[23] 16 C.F.R. § 312.5(a)(1) (2024). “An operator is required to obtain verifiable parental consent before any collection, use, or disclosure of personal information from children, including consent to any material change in the collection, use, or disclosure practices to which the parent has previously consented.”
[24] 45 C.F.R. §§ 164.502(b), 164.514(d) (2024).
[25] Va. Code Ann. § 59.1-578.
[26] Id.
[27] Md. Code Ann., Com. Law § 14-4707 (2025).
[28] See Cal. Code Regs. tit. 11, § 7002 (2024); Cal. Priv. Prot. Agency, Enforcement Advisory: Applying the Data Minimization Requirement, https://cppa.ca.gov/pdf/enfadvisory202401.pdf.
[29] Eugenio Marinelli et al., Towards Migration-Free “Just-In-Case” Data Archival for Future Cloud Data Lakes Using Synthetic DNA, 16 PVLDB 1923 (2023).
[30] Adam Mendoza, Cold Storage in the Cloud: Trends, Challenges, and Solutions (White Paper, Intel Corp. 2013), https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/cold-storage-atom-xeon-paper.pdf.
[31] Spencer Wheatley et al., The Extreme Risk of Personal Data Breaches & The Erosion of Privacy, arXiv (May 28, 2015), https://arxiv.org/abs/1505.07684.
[32] Knowledge Base, Can Automated Data Retention Policies Simplify Legal Adherence for Enterprises?, FBI Support, https://fbisupport.com/can-automated-data-retention-policies-simplify-legal-adherence-enterprises/ (last visited Jan. 16, 2026).
[33] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), art. 5(1)(e), 2016 O.J. (L 119) 1, 35 [hereinafter “GDPR”].
[34] Md. Code Ann., Com. Law § 14-4605(b)(4) (LexisNexis 2024).
[35] Virginia Code Ann. § 59.1-578(A)(1) (2025); Colo. Rev. Stat. § 6-1-1303(3) (2023).
[36] Va. Code Ann. § 59.1-578(A)(5) (2024); Or. Rev. Stat. §§ 646A.570–646A.589 (2024); Colo. Rev. Stat. § 6-1-1304(4)(a)(I) (2023).
[37] See generally Cal. Privacy Prot. Agency, Enforcement Advisory No. 2024-0: Applying Data Minimization to Consumer Requests (Apr. 2, 2024) https://cppa.ca.gov/pdf/enfadvisory202401.pdf (detailing analysis for enforcement and compliance with the CCPA).
[38] Meredith LaMaster, Maryland Enacts Comprehensive Data Privacy Act, Nixon Peabody (May 21, 2024), https://www.nixonpeabody.com/insights/alerts/2024/05/21/maryland-enacts-comprehensive-data-privacy-act.
[39] Id.
[40] Md. Code Ann., Com. Law § 14-4704(a)(1) (West 2024).
[41] Id.
[42] Najmeh Tima, Maryland’s “Strictly Necessary” Standard For Sensitive Data Protection, Captain Compliance (Mar. 8, 2025), https://captaincompliance.com/education/marylands-strictly-necessary-standard/.
[43] Electronic Privacy Information Center, EPIC Testifies Against Maryland Bill that Would Gut Data Minimization in Privacy Law (Mar. 6, 2025), https://epic.org/epic-testifies-against-maryland-bill-that-would-gut-data-minimization-in-privacy-law/#:~:text=This%20bill%2C%20H.B.%201365%2C%20would,they%20want%2C%20for%20whatever%20purpose.
[44] See generally H.B. 1365, 2025 Gen. Assemb., Reg. Sess. (Md. 2025), https://mgaleg.maryland.gov/2025RS/bills/hb/hb1365F.pdf.
[45] Id.
[46] Electronic Privacy Information Center, supra note 43.
[47] Enforcement Advisory, supra note 37.
[48] CCPA § 1798.100(c).
[49] Id.
[50] Cal. Code Regs. tit. 11, § 7002 (2025).
[51] Id.
[52] Todd Snyder, Inc., Case No. ENF23-M-TO-26 (Cal. Privacy Prot. Agency May 1, 2025) (order of decision).
[53] Id.
[54] Id.
[55] Id.
[56] Colo. Rev. Stat. § 6-1-1304(4)(a)(I) (2023); Conn. Gen. Stat. § 42-515(a)(4) (2023); Or. Rev. Stat. § 646A.570(2)(a) (2024); Vt. Stat. Ann. tit. 9, § 2443(a)(1) (2026); Mont. Code Ann. § 30-14-1703(1)(a) (2025); Ind. Code § 24-4.9-3-2(a)(1) (2024); Tenn. Code Ann. § 47-18-2105(a)(1) (2024); Tex. Bus. & Com. Code § 521.051(a)(1) (2024).
[57] Network Advertising Initiative, Comment Letter on House Privacy Working Group RFI at 8-9 (Apr. 8, 2025), http://thenai.org/nai-comments-on-house-privacy-working-group-rfi/.
[58] Electronic Privacy Info. Ctr & U.S. PIRG Educ. Fund, The State of Privacy: How State “Privacy” Laws Fail to Protect Privacy and What They Can Do Better, at 16 (Feb. 2024).
[59] Kara Williams & Caitriona Fitzgerald, Data Minimization is the Key to a Meaningful Privacy Law, EPIC (May 9, 2024), https://epic.org/data-minimization-is-the-key-to-a-meaningful-privacy-law/#:~:text=Despite%20the%20frequent%20claims%20of,is%20disclosures%20in%20privacy%20policies.
[60] Enhancing Online Disclosure Effectiveness, OECD Digital Economy Papers (Oct. 2022), https://www.oecd.org/content/dam/oecd/en/publications/reports/2022/10/enhancing-online-disclosure-effectiveness_e8b230aa/6d7ea79c-en.pdf.
[61] An Act to Enact the Maine Online Data Privacy Act: Hearing on L.D. 1822 Before the Me. Legis. Joint Standing Comm. on the Judiciary, 131st Legis. 2 (2025) (testimony of Eric Null, Senior Dir. of the Privacy & Data Project, Ctr. for Democracy & Tech.), https://legislature.maine.gov/testimony/resources/JUD20250505Null133908401749563960.pdf.
[62] L.D. 1822, An Act to Enact the Maine Online Data Privacy Act, 131st Leg., 2d Reg. Sess. (Me. 2025).
[63] Keir Lamont, State Privacy News (May 16, 2025), https://www.linkedin.com/pulse/state-privacy-news-516-keir-lamont-17s0f/.
[64] Id.
[65] Id.
[66] Fed. Trade Comm’n, Complying with COPPA: Frequently Asked Questions, Business Guidance Resources, https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently-asked-questions#A.%20General%20Questions (last visited Sept. 6, 2025).
[67] COPPA, 16 C.F.R. § 312.10.
[68] Companies cannot use or disclose the information for other purposes without getting new parental consent. Id. § 312.5(c)(2).
[69] Electronic Privacy Info. Ctr, Children’s Privacy (last visited May 16, 2025), https://epic.org/issues/data-protection/childrens-privacy/.
[70] Id.
[71] S. 278, 119th Cong. (2025).
[72] Kathrin Gardhouse, The Evolving Landscape of Health Data Protection Laws in the United States, Limina (June 5, 2024), https://www.private-ai.com/en/blog/health-data-protection-us.
[73] Id.
[74] Washington’s My Health My Data Act, Wash. Rev. Code § 19.373.030(1) (enacted 2023).
[75] Id. § 19.373.030(2).
[76] Washington’s health privacy act was motivated to pass by the overruling of Roe v. Wade. Despite not having a comprehensive law, Washington wanted to issue protections for types of data they saw as having the most potential for harm to the consumer. Andreas Kaltsounis, An Introduction to Washington’s My Health My Data Act, BakerHostetler (Apr. 19, 2023) https://www.bakerdatacounsel.com/blogs/an-introduction-to-washingtons-my-health-my-data-act/.
[77] National Conference of State Legislatures, Comments to the House Energy & Commerce Privacy Working Group, Letters & Testimonies (Apr. 7, 2025), https://www.ncsl.org/resources/details/ncsl-comments-to-house-ec-privacy-working-group.
[78] U.S. Senate Comm. on Commerce, Sci. & Transp., Section-by-Section Summary of the American Privacy Rights Act of 2024, at 1 (2024), https://www.commerce.senate.gov/services/files/E7D2864C-64C3-49D3-BC1E-6AB41DE863F5.
[79] Id.
[80] Software & Information Industry Association, APRA’s Data Restriction Changes Fail to Protect American Innovation, US Competitiveness, Policy (Oct. 1, 2024), https://www.siia.net/apras-data-restriction-changes-fail-to-protect-american-innovation-us-competitiveness.
[81] Press Release, U.S. House Comm. on Energy & Commerce, Chairman Guthrie and Vice Chairman Joyce Issue Request for Information to Explore Data Privacy and Security Framework (Feb. 21, 2025), https://energycommerce.house.gov/posts/chairman-guthrie-and-vice-chairman-joyce-issue-request-for-information-to-explore-data-privacy-and-security-framework.
[82] Michael Kebede, Testimony on LD 1822 (Maine Online Data Privacy Act) (May 5, 2025), ACLU of Maine, submitted to the Joint Standing Committee on Judiciary, Maine Legislature, https://legislature.maine.gov/testimony/resources/JUD20250505Kebede133909339275387936.pdf (arguing in favor of strong consumer data privacy protections); see also Null, supra note 61.
[83] Williams & Fitzgerald, supra note 59.
[84] Press Release, Fed. Trade Comm’n, FTC Takes Action Against CafePress for Data Breach Cover Up (Mar. 15, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover.
[85] Complaint, In re Residual Pumpkin Entity, LLC, d/b/a CafePress, FTC File No. 1923209, at 5 (Mar. 15, 2022).
[86] In re Residual Pumpkin Entity, LLC, d/b/a CafePress, FTC Docket No. C-4768, Decision and Order at 4 (June 23, 2022).
[87] Matt Laslo, FTC Orders Mobilewalla and Gravy Analytics to Stop Selling Sensitive Location Data, Wired (Dec. 3, 2024), https://www.wired.com/story/ftc-mobilewalla-gravy-analytics-orders/.
[88] Press Release, Fed. Trade Comm’n, FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data (Dec. 3, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-takes-action-against-mobilewalla-collecting-selling-sensitive-location-data.
[89] CafePress, supra, note 86, at 2.
[90] Press Release, Fed. Trade Comm’n, FTC Takes Action Against Drizly and Its CEO James Cory Rellas for Security Failures That Exposed Data of 2.5 Million Consumers (Oct. 24, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action-against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million.
[91] In re Drizly, LLC, FTC Docket No. C-4784, Proposed Decision and Order at 3 (Oct. 24, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/202-3185-Drizly-Decision-and-Order.pdf.
[92] Id.
[93] Id. at 10-11.
[94] Id.
[95] See generally 28 C.F.R. pt. 202 (establishing broad prohibitions and restrictions on “bulk” transfers of sensitive personal and government-related data to specified foreign adversaries), set forth in Final Rule, Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern and Covered Persons, 90 Fed. Reg. 1636 (Jan. 8, 2025).
[96] See Final Rule, 90 Fed. Reg. at 1643.
[97] Id. “Despite some overlap, privacy protections and national security measures generally focus on different challenges associated with sensitive personal data.”
[98] GDPR, art. 5(1)(c).
[99] Information Comm’r’s Office, Principle (c): Data minimisation, in A Guide to the Data Protection Principles, UK GDPR Guidance (May 19, 2023), https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/data-minimisation.
[100] Press Release, Eur. Data Prot. Bd., €1.2 Billion Fine for Facebook the Result of EDPB Binding Decision (May 22, 2023), https://www.edpb.europa.eu/news/news/2023/12-billion-euro-fine-facebook-result-edpb-binding-decision_en.
[101] Case C-446/21, Schrems v. Meta Platforms Ireland Ltd. (Ct. Just. Eur. Union Oct. 4, 2024), https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62021CJ0446.
[102] Comm’n Nationale de l’Informatique et des Libertés (CNIL), Online Clairvoyance: CosmoSpace and Télémaque Fined €250,000 and €150,000, Press Release (Nov. 17, 2022), https://www.cnil.fr/en/online-clairvoyance-cosmospace-and-telemaque-fined-eu250000-and-eu150000.
[103] Id.
[104] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, sched. 1, princ. 4.4 (Can.).
[105] Id.
[106] “Just-in-case” collection and retention refers to the practice of collecting and keeping data in case the business needs it in the future. Regulators disfavor the practice, and data minimization is the answer to it. In Canada, collection is limited to what is necessary at the time of collection, so a company may not collect information, even with consent and other mechanisms in place, if it does not need the data for the purpose disclosed at the time of collection. Id.
[107] Office of the Privacy Comm’r of Can., PIPEDA Report of Findings #2022-001: Investigation into Tim Hortons’ Mobile Application (June 1, 2022), https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2022/pipeda-2022-001/.
[108] Less Is More: Data Minimization and Privacy Cyber Risk Management, Borden Ladner Gervais LLP (Mar. 2023), https://www.blg.com/en/insights/2023/03/less-is-more-data-minimization-and-privacy-cyber-risk-management.
[109] Id.
[110] Id.
[111] U.S. Const. amend. IV.
[112] Wolf v. Colorado, 338 U.S. 25, 28–29 (1949).
[113] Id. at 33.
[114] Id. at 27.
[115] Id. at 31–33.
[116] People v. Cahan, 282 P.2d 905, 911–12 (Cal. 1955).
[117] Id. at 911.
[118] Id. at 912 (“[C]ase after case has appeared in our appellate reports describing unlawful searches and seizures against the defendant on trial, and those cases undoubtedly reflect only a small fraction of the violations of the constitutional provisions that have actually occurred. On the other hand, reported cases involving civil actions against police officers are rare, and those involving successful criminal prosecutions against officers are nonexistent. In short, the constitutional provisions are not being enforced.”).
[119] Mapp v. Ohio, 367 U.S. 643, 651–55, 657 (1961).
[120] Id.
[121] FTC, A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services (Sept. 19, 2024), https://www.ftc.gov/system/files/ftc_gov/pdf/Social-Media-6b-Report-9-11-2024.pdf.
[122] Yale Kamisar, Wolf and Lustig Ten Years Later: Illegal State Evidence in State and Federal Courts, 43 Minn. L. Rev. 1083 (1959) (describing failure of alternative remedies).
[123] Id. at 1093–97.
[124] Id. at 1097–1102.
[125] Id.
[126] New State Ice Co. v. Liebmann, 285 U.S. 262, 311 (1932) (Brandeis, J., dissenting).
[127] Id.
[128] Office of Governor Gavin Newsom, California Is Now the 4th Largest Economy in the World (Apr. 23, 2025), https://www.gov.ca.gov/2025/04/23/california-is-now-the-4th-largest-economy-in-the-world/.
[129] Id.
[130] Privacy Commissioner, supra note 107; CafePress, supra note 86.
[131] This is another similarity with Fourth Amendment violations from the Wolf era. Civil suits produced nominal damages and little to no recovery for plaintiffs. Kamisar, supra note 122, at 1152.
[132] Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583, 605 (2014) (“When the FTC does include fines, they are often quite small in relation to the gravity of the violations and the overall net profit of the violators.”).
[133] Alan McQuinn & Daniel Castro, The Costs of an Unnecessarily Stringent Federal Data Privacy Law, Info. Tech. & Innovation Found. (Aug. 5, 2019), https://itif.org/publications/2019/08/05/costs-unnecessarily-stringent-federal-data-privacy-law/.
[134] Id.
[135] People v. Defore, 242 N.Y. 13, 21, 150 N.E. 585, 587 (1926).
[136] Id. at 589.