The advice around data acquisition for nonprofits has been consistent for years: collect what you say you need for your stated purposes, disclose it, give people an opt-out.

But a lean approach to data acquisition isn't optional in Maryland anymore. The Maryland Online Data Privacy Act (MODPA) — which is in enforcement now and covers nonprofits — requires organizations to limit their collection of personal data to what is reasonably necessary and proportionate to provide the specific product or service the consumer actually requested. 

Not what's useful. Not what might be helpful later. What was necessary to deliver what a person came to you for.

And Maryland isn't alone — the debate in state legislatures is increasingly not whether to require data minimization, but how strictly to define what "necessary" means.

Questions Nonprofits Should Ask About Every Data Point You Collect

These aren't compliance questions. They're operational ones — the kind worth asking before you add a field to a form, before you onboard a new tool, before you expand what you're collecting at an event or a donation page.

If a constituent asked why you need this data, could you tell them?

Not "we've always collected it." Not "it might be useful." A specific, defensible reason tied to what they came to you for. If you can't answer that question readily, that's the first signal worth paying attention to.

Did the constituent expect you to collect this when they came to you?

A donor completing a gift expected you to process their transaction and deliver a receipt. A volunteer expected you to sign them up for the event. Did they expect everything else you collected in that moment? Reasonable expectation is a meaningful test — and one your constituents are applying whether or not you are.

Are you collecting the minimum amount of data needed to deliver that outcome?

Not the most useful-to-you amount. The minimum necessary. This is the hardest question because it requires looking at practices that have been in place for years and asking whether they're still defensible under a necessity standard.

What Lean Data Acquisition Looks Like in Practice

The distinction MODPA draws is between data that's necessary to deliver what the constituent requested and data that's collected for other purposes — even good ones.

A constituent signing up to volunteer requested a shift placement. The fields necessary to fulfill that are probably name, contact information, and availability. Their employer, their age range, or how they heard about the organization aren't necessary to place them.

Program staff sometimes add an age range field to an email sign-up form because it might help inform future research or segmentation. But a constituent signing up for a newsletter requested communications — not to contribute to an audience analysis. Collecting age at that moment, for a purpose unrelated to delivering what they asked for, is exactly the kind of speculative collection a necessity standard challenges.

A donor completing a gift requested a transaction. "Why do you care about our mission?" is a meaningful question, but it's probably not a donation form question. In a donor survey, where the constituent has opted into a separate conversation, it's a different situation. The interaction itself is what they requested, and the question is connected to it.

The difference isn't whether the data is useful. It's whether collecting it was connected to what the constituent came to you for in that specific moment.

How to Audit for Data Minimization and Lean Principles

If you're not sure where to begin, here are a few concrete places to look:

Audit your forms. Look at the fields you're collecting at the point of a donation, a volunteer sign-up, or an event registration. For each one, apply the three questions above. You don't need to overhaul everything at once — you need to be able to justify what you're collecting and why. And remember that context counts. It needs to be clear to the constituent why you're asking.

Review your intake processes. Think about what data enters your CRM and when. Is everything coming in necessary to the transaction that triggered it, or are fields being populated by default because the system allows it?

Have a cross-functional conversation. Your legal team, your product or operations team, your field staff, and your fundraising team need to be in the same room for this. Minimization decisions made in a vacuum — by any one of those groups alone — tend not to hold up.

If you can't explain why a specific piece of data was necessary to deliver what your constituent came to you for, that question is going to get harder to avoid as more states raise the bar.

Let's Talk

If your organization is ready to think through what data minimization actually requires in practice — or if you're not sure where your current data collection practices stand — I'm glad to help. Get in touch to start the conversation.