Businesses must become significantly more disciplined in how they collect and use data. Excessive data collection is not only inefficient but also introduces legal and reputational risk.
The need for more responsible data practices has been evident for some time. As early as 2017, publications such as The Economist highlighted the growing tension between the rapid expansion of technology companies and increasing public concern over privacy and regulatory oversight.
In response to these concerns, major legislative actions followed. The European Union’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. It established comprehensive data rights for individuals, including the right to limit how their data is processed and the right to request its deletion. A foundational principle of GDPR is data minimization—collecting only what is necessary for a specific purpose.
Soon after, California enacted the Consumer Privacy Act (CCPA) on June 28, 2018, with enforcement beginning July 1, 2020. The CCPA introduced similar protections for personal data and became the first U.S. law to explicitly include data minimization as a compliance requirement.
Data minimization requirements in privacy regulations worldwide
While many enforcement actions of privacy regulations focus on privacy breaches and/or misuse of personal information, investigators also look for compliance with data minimization principles, which are now standard in many regulations. These principles were put in place to address data hoarding and focus on:
- Breach exposure minimization – minimizing the amount and detail of any personal information that could be stolen in a breach.
- Purpose limitations – restricting data collection to information that is provably necessary for stated purposes. In most cases, this means the stated purpose of delivering personalized customer experiences.
- Consumer consent – limiting collection of personal data to consumers who have given informed and explicit consent for its collection, processing, sharing, and sale.
Questions to ask about personal data collected by your organization:
- Is it mapped and tracked throughout its lifespan? Can the business quickly identify the locations of each piece of personal information collected and track its use history, including every instance of how it was accessed and processed – and why each activity was necessary?
- Is it adequate? Does the personal data collected contain enough (but not more than enough) information to help your business identify the individual and sufficiently deliver a personalized service (stated purpose)?
- Is it relevant? Is it clear how each piece of personal information is relevant to fulfilling the stated purpose?
- Is it limited to what is necessary? Does the data collection only capture information needed for the stated purpose – and no more than is provably necessary?
- Is it still useful and do you still have permission to store it? Is the information contained in a collection of personal data up-to-date and accurate or has it passed its acceptable and/or permitted use-by date?
- Is it properly secured? Is the data protected by access controls and other cybersecurity measures to prevent unauthorized and unlawful use, or accidental loss or damage?
- Is access controlled based on permissions? Does each data system, staff member, third party, or business partner only have access to the data they are explicitly permitted to access – and only what is adequate, relevant, and necessary for them to fulfill a permitted task (and nothing else)?
EU GDPR made data minimization a key principle
The EU’s GDPR sets a standard for privacy that gives EU citizens strong privacy rights, especially more visibility into, and control over, how organizations may collect and use their personal information.
Data minimization is listed in GDPR Article 5 as one of seven principles relating to the processing of personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Limited storage periods
- Integrity and confidentiality
- Accountability
The data minimization principle is explained by the European Data Protection Supervisor:
‘The principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.
‘They should also retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.
‘The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725, which provide that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.’
UK data protection rules on data minimization similar to EU GDPR
The UK Data Protection Act (2018) was updated post-Brexit with a set of UK GDPR rules that closely follow those of the EU GDPR. As a result, UK citizens have stronger personal data and sensitive personal data privacy rights, including more control over how organizations may collect and use their personal data.
The UK GDPR data protection principles match all seven of those listed in the EU GDPR (see above).
The data minimization principle is explained by the UK Information Commissioner’s Office:
‘You must ensure the personal data you are processing is:
- adequate – sufficient to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not hold more than you need for that purpose.
Article 5(1)(c) says: “Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”.
So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.’
Data minimization in the United States
In the United States, data minimization is emerging as a common principle across state consumer privacy laws, though its implementation varies widely. Generally, these laws require that businesses limit the collection, use, and retention of personal data to what is reasonably necessary and proportionate to achieve specified purposes.
However, most U.S. laws provide broad flexibility, allowing businesses to define those purposes as long as they are disclosed to consumers. This approach contrasts with more prescriptive models like the EU’s GDPR, which imposes stricter purpose limitations.
Notably, states such as California, Colorado, and Virginia incorporate data minimization as a foundational obligation, but still permit processing for a range of operational needs. Maryland, by contrast, has adopted a narrower standard, restricting data processing to what is necessary for the specific product or service requested by the consumer—signaling a possible shift toward more restrictive U.S. interpretations of data minimization.
Below are summaries of data minimization requirements in two key U.S. states, California and Maryland, which illustrate the varying approaches to this principle.
California
The CCPA, which was amended by the California Privacy Rights Act (CPRA), led the way in the U.S. with the first comprehensive state privacy regulation to give consumers enforceable rights over how – or whether at all – businesses collect, process, store, share or sell personal data.
The amendments under CPRA place more restrictions on collection, storage and use of sensitive personal information, and include data minimization and purpose limitation rules in section 1798.100 ‘General Duties of Businesses that Collect Personal Information’ which accompany requirements for informing consumers of purposes for data collection:
- Additional categories – 1798.100 (a) (1): “A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.”
(Note: subsection (a) (2) uses practically the same words as the rule above, applying them to ‘sensitive personal information’.)
- Storage period – 1798.100 (a) (3): “The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
- Proportionate use – 1798.100 (c) “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
Businesses must also ensure third parties, contractors and commercial partners comply with CCPA rules, including data minimization requirements.
Maryland
Maryland’s data minimization requirements, introduced under the Maryland Online Data Privacy Act of 2024 (MODPA), take a more stringent and prescriptive approach compared to other U.S. consumer privacy laws.
Unlike frameworks such as the CCPA or Colorado Privacy Act, which generally require that personal data collection be limited to what is “reasonably necessary” for disclosed purposes, MODPA mandates that businesses only collect, process, and retain personal data that is “reasonably necessary and proportionate” to provide or maintain a specific product or service requested by the consumer.
This narrower scope restricts the use of personal data for broader business purposes—such as analytics, product improvement, or advertising—unless the consumer has explicitly requested the service that requires such processing. MODPA’s approach reflects a shift toward a more EU-like, purpose-limited model of data governance, elevating the standard for necessity and limiting the discretion businesses typically have under other U.S. laws.
For a closer look at MODPA’s unique provisions and how they compare to other U.S. state laws, read our overview of Maryland’s Online Data Privacy Act’s Novel Approach to Consumer Privacy.
Data minimization is no longer optional
From the EU’s GDPR to California’s CCPA and Maryland’s MODPA, one principle is increasingly consistent: collect less, prove purpose, and protect what you process. Data minimization is a strategic imperative that aligns privacy, security, and efficiency.
For privacy professionals, this means moving beyond awareness into operational excellence. Mapping data lifecycles, documenting necessity, and embedding minimization logic into product and service design aren’t just best practices—they’re risk reducers and trust builders. As more jurisdictions sharpen their stance on what’s “reasonably necessary,” organizations that over-collect or under-document may find themselves on the wrong side of enforcement and public sentiment.
Now is the time to treat data like a critical resource, not a limitless asset. Ask hard questions. Trim the excess. Architect for purpose. Because when less is truly more, your privacy program is doing its job.