Skip to Main Content
Main Menu

Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws

Businesses need to get a whole lot smarter about how they consume data because greed is not good: it’s risky and uneconomical.

And it’s not like the warning signs weren’t there in the early data gold rush.

It might seem quaint now, but in 2017 when business publications such as The Economist reported “The world’s most valuable resource is no longer oil, but data”, they framed it as a conflict between big tech companies’ apparently unbridled growth versus rising public demand for antitrust and privacy regulations to reign them in.

The next year the EU GDPR (European Union General Data Protection Regulation) became enforceable (May 25, 2018), giving European citizens stronger personal data privacy rights, including the right to restrict processing and the right to delete. GDPR compliance requirements include data minimization as a key principle (see below).

California’s Consumer Privacy Act (CCPA) became law a month later (June 28, 2018) with a similar intent to drive greater protections of personal information, and CCPA compliance became enforceable from July 1, 2020. The CCPA was the first U.S. privacy law with data minimization as a compliance requirement (see below).

Data Minimization Requirements in Privacy Regulations Worldwide

While many enforcement actions of privacy regulations focus on privacy breaches and/or misuse of personal information, investigators also look for compliance with data minimization principles, which are now standard in many regulations. These principles were put in place to address data hoarding and focus on:

  • Breach exposure minimization – minimizing the amount and detail of any personal information that could be stolen in breach
  • Purpose limitations – restricting data collections to information that is provably necessary for stated purposes. Mostly this should mean for the stated purposes of delivering personalized customer experiences
  • Consumer consent – limiting collection of personal data only from consumers who have given informed and explicit consent for its collection, processing, sharing, and sale.

Questions to ask about personal data collected by your organization:

  • Is it mapped and tracked throughout its lifespan? Can the business quickly identify the locations of each piece of personal information collected and track its use history, including every instance of how it was accessed and processed – and why each activity was necessary?
  • Is it adequate? Does the personal data collected contain enough (but not more than enough) information to help your business identify the individual and sufficiently deliver a personalized service (stated purpose)?
  • Is it relevant? Is it clear how each piece of personal information is relevant to fulfilling the stated purpose?
  • Is it limited to what is necessary? Does the data collection only capture information needed for the stated purpose – and no more than is probably necessary?
  • Is it still useful and do you still have permission to store it? Is the information contained in a collection of personal data up-to-date and accurate or has it passed its acceptable and/or permitted use-by date?
  • Is it properly secured? Is the data protected by access controls and other cybersecurity measures to prevent unauthorized and unlawful use, or accidental loss or damage?
  • Is access controlled based on permissions? Does each data system, staff member, third party, or business partner only have access to the data they are explicitly permitted to access – and only what is adequate, relevant, and necessary for them to fulfill a permitted task (and nothing else)?

EU GDPR made data minimization a key principle

The EU’s GDPR set a standard for privacy that gives EU citizens strong privacy rights, especially more visibility, and control of how organizations may collect and use their personal information.

Data minimization is listed in GDPR Article 5 as one of seven principles relating to the processing of personal data:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Limited storage periods
  • Integrity and confidentiality
  • Accountability

The data minimization principle is explained by the European Data Protection Supervisor:

‘The principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.

‘They should also retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.

‘The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725, which provide that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.’

UK data protection rules on data minimization similar to EU GDPR

The UK Data Protection Act (2018) was updated post-Brexit with a set of UK GDPR rules that closely follow those of the EU GDPR. As a result, UK citizens have stronger personal data and sensitive personal data privacy rights, including more control over how organizations may collect and use their personal data.

The UK GDPR data protection principles match all seven of those listed in the EU GDPR (see above).

The data minimization principle is explained by the UK Information Commissioner’s Office:

You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

Article 5(1)(c) says: “Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”.

So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.’

Data minimization rules in CCPA/CPRA

The California Consumer Privacy Act, which was amended by the California Privacy Rights Act (CPRA), led the way in the U.S. with the first comprehensive state privacy regulation to give consumers enforceable rights over how – or whether at all – businesses collect, process, store, share or sell personal data.

The amendments under CPRA place more restrictions on collection, storage and use of sensitive personal information, and include data minimization and purpose limitation rules in section 1798.100 ‘General Duties of Businesses that Collect Personal Information’ which accompany requirements for informing consumers of purposes for data collection:

  • Additional categories – 1798.100 (a) (1): “A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.”
    (Note: subsection (a) (2) uses practically the same words as the rule above, applying them to ‘sensitive personal information’.)
  • Storage period – 1798.100 (a) (3) “The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
  • Proportionate use – 1798.100 (c) “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

Businesses must also ensure third parties, contractors and commercial partners comply with CCPA/CPRA rules, including data minimization requirements.

Get the latest resources sent to your inbox

Back to Top