
Data Minimization: California Regulator Issues a Reminder/Warning About Data Collection

The CPPA, California's privacy regulator, has come out with a forceful advisory to regulated businesses regarding a “foundational principle” of the state's privacy laws: data minimization. Long a concept in privacy circles and important in EU compliance, data minimization is encoded in many US state laws but has not gotten much press here. That may be about to change. In essence, data minimization means collecting from consumers/users only what you need in order to conduct your transaction with them. In other words, don't ask for or collect unnecessary data.

Why It Matters

The CPPA reminds businesses that data minimization applies to all activities under the state's laws. It also posits that data minimization is a good business practice that reduces business risk, legal risk, and harm to individuals. The bulk of the advisory, however, centers on how to respond to consumer requests to access or delete their data, which suggests that businesses should tread carefully when asking consumers for information to verify their identity before responding to those requests.

Lest we treat this as purely a California issue: of the more than 30 states that have passed or are trying to pass a state privacy law or laws, only five have drafted bills that omit the idea of data minimization. The principle is embedded in every US state privacy law currently on the books (except one), but has not gotten much attention here yet. The CPPA's advisory may signal that this grace period from regulators is coming to an end.  

Data minimization is a foundational principle in the CCPA. Businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers’ personal information. Data minimization serves important functions. For example, data minimization reduces the risk that unintended persons or entities will access personal information, such as through data breaches. Data minimization likewise supports good data governance, including through potentially faster responses to consumers’ requests to exercise their CCPA rights. Businesses reduce their exposure to these risks and improve their data governance by periodically assessing their collection, use, retention, and sharing of personal information from the perspective of data minimization.


data security and privacy, hill_mitzi, insights