Data Minimization Under the CPRA and GDPR

Privacy laws worldwide are becoming stricter. The California Privacy Rights Act (CPRA), passed in 2020, contains the first "data minimization" requirement of any U.S. privacy law.

The CPRA's requirements center around notice and choice. But the law also contains some important rules regulating the purposes for which businesses collect personal information and the periods for which they may store it.

So how should CPRA-covered businesses fulfill these new obligations? To explain, we're going to look at how data minimization works in the EU, where such principles have been in place for many years. Then we'll apply these concepts in the Californian context.


Data Minimization is in Your Business Interests

Whether you're legally obliged to do so or not, it's in your interests to limit the amount of personal information you collect, use, share, and store.

Here's why:

  • Collecting excessive personal information violates your customers' privacy.
  • The more personal information you control, the more likely you are to suffer a data breach. IBM estimates the average cost of a data breach in the US at over $8 million.
  • Your customers have certain rights over their personal information. But people can't require you to provide or erase personal information you don't have.

EU General Data Protection Regulation

Below, we're going to look at the new data minimization obligations for U.S. businesses under the CPRA. But first, we're going to consider how similar obligations already exist under the GDPR.

If you're already familiar with the GDPR's "principles of data processing," and you're interested in how these concepts apply in the context of the CPRA, you can skip ahead. Otherwise, you can stick with us as we explain how these important data protection rules exist in the EU context.

"Processing" means any operation performed on personal information, such as collecting, storing, or using it. "Personal information" refers to any information that can be linked to an identifiable individual, such as their name, IP address, or salary, depending on the context.

The GDPR contains six principles that underpin how you must process personal information. Here are the principles in full, at Article 5 (1) of the GDPR:

EUR-Lex GDPR Article 5 Section 1: Processing personal data

We'll be focusing on three of these principles, all of which impose some form of data minimization requirement:

  • Purpose limitation: Only process personal information for the specified purpose for which you collected it, or for other purposes that are compatible with the original purpose.
  • Data minimization: Only process the personal information that is necessary, relevant, and adequate for your purposes.
  • Storage limitation: Don't store personal information for longer than you need it in connection with a specified purpose.

Let's look in more detail at what each principle requires.

Purpose Limitation Under the GDPR

Purpose limitation requires you to be specific and intentional when collecting personal information. Personal information must be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."

Specified Purposes

What does it mean to collect personal information for "specified" purposes? Here's what the Article 29 Working Party (now succeeded by the European Data Protection Board) says (at page 15 of the linked PDF):

Article 29 Data Protection Working Party Opinion on Purpose Limitation: Excerpt of Purposes must be specified section - Why it is necessary

The message is clear: Don't collect personal information aimlessly. Start with a purpose and determine whether you need to collect personal information for this purpose. Then consider what personal information you need to meet this purpose.

  • If you're building a website, don't collect log data such as timestamps, IP addresses, or browser information unless you need it for a specific purpose.
  • If you're developing an app, ensure third-party APIs such as Google Analytics are not hoovering up your users' data unnecessarily. Be careful about which permissions you request.
  • If you allow customers to set up an account on your website or app, don't ask for their date of birth or even their name unless you actually need this information for a specific purpose.

Here's the Article 29 Working Party again (again at page 15 of the above-linked PDF):

Article 29 Data Protection Working Party Opinion on Purpose Limitation: Excerpt of Purposes must be specified section - Internal assessment required

You're accountable for all the personal information you collect. You should keep a record of how you have assessed your purposes, and what personal information you need to fulfill those purposes.

Explicit Purposes

Once you have specified your purposes, you must make them explicit to the person from whom you're collecting personal information.

One way to do this is by referring to your purposes in your Privacy Policy, and always presenting your Privacy Policy when you collect personal information. You may also need to present a shorter notice alongside a link to your main Privacy Policy.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":

     TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  3. Answer the questions about your website and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  4. Answer the questions about your business practices and click "Next step" when finished:

     TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

     TermsFeed Privacy Policy Generator: Enter your email address - Step 4

     You'll be able to instantly access and download your new Privacy Policy.

There are many approaches to explaining your purposes in your Privacy Policy. Here's one approach, from the Contact page of the UK's Information Commissioner's Office (ICO):

ICO Contact the Press Office page: What information we need and why we need it sections

It's important to link each type of personal information you need with your purposes for collecting it. Be specific. Simply stating that you need a person's email address for "marketing purposes" doesn't really explain what you plan to do with that email address.

Explaining your purposes for collecting personal information is a key requirement under many privacy laws, including the California Consumer Privacy Act (CCPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and New Zealand's Privacy Act.

Legitimate Purposes

You must only collect personal information for "legitimate" purposes. Here's what the Article 29 Working Party says about the legitimacy requirement (at page 20 of the linked PDF):

Article 29 Data Protection Working Party Opinion on Purpose Limitation: Excerpt of Purposes must be legitimate section

When considering whether your purposes are legitimate, consider:

  • The law
  • Any industry-specific regulations (for example, in fields such as health, finance, and communications)
  • Any relevant codes of conduct and ethics
  • The underlying relationship between your business and the people whose personal information you're collecting

If you're collecting personal information for illegitimate purposes, it doesn't matter whether these purposes are specific and explicit.

Compatible Further Purposes

The GDPR states that you may not process personal information for further purposes that are "incompatible" with the original purpose for which you collected it.

So, which purposes are "compatible" with one another?

Sometimes, this is obvious. Here's an example from the Article 29 Working Party of when processing purposes are obviously compatible (at page 22 of linked PDF):

Article 29 Data Protection Working Party Opinion on Purpose Limitation: Example 1

Sometimes, however, it isn't clear whether purposes are compatible. Here's an example of a more complicated scenario (at page 23 of linked PDF):

Article 29 Data Protection Working Party Opinion on Purpose Limitation: Example 2

This example presents two scenarios of further processing in the context of marketing: one where a retailer uses customer information for its own marketing purposes, and another where the retailer shares customer information with another business.

It isn't clear that either scenario is compatible with the purposes for which the retailer collected the personal information. The two scenarios present different risks and might not comply with direct marketing laws.

In some cases, the incompatibility of further processing is obvious. While both scenarios above involve organic food, the retailer might, for example, have shared its customers' data with a totally unrelated business, such as a computer repair shop.

When determining whether purposes are compatible, you should consider:

  • The relationship between the two purposes: How different are the two purposes? Was the further purpose implied by the original purpose?
  • The context in which you collected the personal information and the reasonable expectations of the individuals from whom you collected it: Are you dealing with existing customers? Is this a vulnerable group?
  • The nature of the personal information: Is this sensitive personal information? What are the risks?
  • Any safeguards you can put in place: How can you reduce the likelihood that your new purposes will cause harm?

It's also worth noting that the GDPR has some exceptions to the further processing rules when using personal information for certain "historical, statistical or scientific purposes."

Data Minimization Under the GDPR

Data minimization is the requirement that personal information is "adequate, relevant, and limited to what is necessary in relation to the purposes for which (it is) processed."

  • Adequate: The personal information you process must help you meet the purposes for which you collected it.
  • Relevant: Only process personal data that has a rational link to your purposes.
  • Limited to what is necessary: Don't process more personal information than you need for your purposes.

Data minimization is closely linked to the GDPR's "purpose limitation" principle. However, sometimes it is possible to collect too much personal information in pursuit of specified, explicit, and legitimate purposes.

Here's an example from the ICO:

ICO Principle: Data Minimisation - Example of processing excess data

Some other examples include:

  • If you're building a website, you may identify an issue with a specific web form. You might decide to use analytics software to test how users interact with the form (note that you need consent for analytics cookies in the EU). You don't need to collect analytics data about every page of your website.
  • If you're recruiting, you might need to ask applicants to complete a health survey. You should only include questions that are relevant to your post.
  • If you're developing an app, it might require location permissions for certain functions. Whenever a user is not using the app for those functions, it should no longer track the user's location.

To comply with the principle of data minimization, you should regularly review the personal information in your possession to determine whether it is still adequate, relevant, and necessary for your purposes.

Storage Limitation Under the GDPR

Storage limitation requires that you don't keep personal information for longer than you need it in relation to a specified purpose. The GDPR doesn't provide any specific time limits for storing personal information: you need to assess this for yourself.

Compliance with the storage limitation principle is easier if you draw up a "retention schedule" setting out how long you need to keep each type of personal information.

Here's an example from the University of Brighton:

University of Brighton Student Administration Support Services: Data retention period chart excerpt

Note:

  • Some retention periods are simply "6 years," others are "SFT (student's final year) + 6 years." This is an acceptable way to calculate a retention period: the university requires the data throughout the student's period of study, and for a certain period after their study ends.
  • In one case, the personal information will be anonymized and kept permanently. Once data is properly anonymized it is no longer personal information and is not subject to the GDPR.
  • Some personal information is retained "until audited." Sometimes there is a legal or regulatory obligation to retain personal information for a certain period.

In some cases, you shouldn't keep personal information for more than a matter of days or even hours. For example, here's some advice for web developers from the Internet Engineering Task Force's Internet Area Working Group (IntArea):

"(Don't) store logs of incoming IP addresses from inbound traffic for longer than three days [...] a three-day logging period covers a weekend, which is convenient for professional server providers."

You should regularly review all the personal information in your possession so you can be sure you're not keeping it for too long.
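As an added illustration (not code from the article, and not any real institution's policy), here is a small Python retention-schedule evaluator that encodes the three kinds of retention period described above: fixed periods such as "6 years" or the IntArea three-day rule for IP logs, event-triggered periods such as "SFT + 6 years", and conditional ones such as "until audited". The category names, periods and sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Record:
    category: str
    created: date
    trigger: Optional[date] = None   # event that starts the clock, e.g. end of a student's final year
    audited: bool = False            # set once an audit has released the record


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


# Hypothetical schedule: category -> (description, rule). A rule maps a record and the
# review date to an action: "retain" while the period runs, else "delete" or "anonymize".
SCHEDULE = {
    "web_access_log": ("3 days after creation (IntArea advice for IP logs)",
        lambda r, today: "delete" if today >= r.created + timedelta(days=3) else "retain"),
    "exam_script": ("6 years after creation",
        lambda r, today: "delete" if today >= add_years(r.created, 6) else "retain"),
    "student_file": ("student's final year (SFT) + 6 years; retained while still studying",
        lambda r, today: "retain" if r.trigger is None or today < add_years(r.trigger, 6) else "delete"),
    "finance_ledger": ("until audited",
        lambda r, today: "delete" if r.audited else "retain"),
    "cohort_statistics": ("anonymize 1 year after creation, then keep permanently",
        lambda r, today: "anonymize" if today >= add_years(r.created, 1) else "retain"),
}


def evaluate(records, today: date):
    """Return [(category, action)]; a category with no rule is flagged, not silently kept."""
    out = []
    for r in records:
        entry = SCHEDULE.get(r.category)
        out.append((r.category, entry[1](r, today) if entry else "no-rule"))
    return out


# Constructed sample data set, reviewed on 15 Jan 2024.
TODAY = date(2024, 1, 15)
SAMPLE = [
    Record("web_access_log", date(2024, 1, 11)),                         # 4 days old -> delete
    Record("web_access_log", date(2024, 1, 13)),                         # 2 days old -> retain
    Record("exam_script", date(2017, 6, 1)),                             # over 6 years -> delete
    Record("student_file", date(2020, 9, 1)),                            # no SFT yet -> retain
    Record("student_file", date(2012, 9, 1), trigger=date(2015, 7, 1)),  # SFT + 6y passed -> delete
    Record("finance_ledger", date(2019, 4, 5), audited=False),           # not yet audited -> retain
    Record("cohort_statistics", date(2022, 3, 1)),                       # older than 1 year -> anonymize
    Record("marketing_export", date(2023, 1, 1)),                        # no rule defined -> flag
]
```

A flagged "no-rule" category is the useful output of a review like this: it is personal information being held with no documented purpose or period, which is exactly what the storage limitation principle asks you to find.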

California Privacy Rights Act

We're assuming you understand the basics of the CPRA and know whether it applies to you. If not, check out our main CPRA article before continuing.

The CPRA provides a list of information that businesses must provide consumers before collecting their personal information. A rule about the collection of personal data itself appears alongside each item on the list.

Here's the relevant section of the law, at 1798.100:

California Legislative Information: CPRA - Section 1798 100: General Duties of Businesses that Collect Personal Information

These data minimization requirements aren't as significant as the EU's, but it's essential that you understand them. We can boil this section of the CPRA down to two main rules.

Purpose Limitation Under the CPRA

Section 1798.100 (a) (1) and (2) of the CPRA present a limited "purpose limitation" obligation.

First of all, you must disclose the purposes for which you collect or use each category of personal information and sensitive personal information. You must not collect or use personal information or sensitive personal information for any additional purpose unless:

  • Your new purpose is "compatible" with the original, disclosed purpose for which you collected it, or
  • You provide valid notice to inform the consumer about the new purpose

This is reiterated at Section 1798.100, which states:

"A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes."

The CPRA doesn't explain which purposes are compatible with one another. Our guidance on further purposes under the GDPR is a good starting point.

Storage Limitation Under the CPRA

Section 1798.100 (a) (3) imposes a narrow "storage limitation" obligation on businesses. It starts by requiring you to notify consumers of either:

  • How long you intend to retain their personal information or sensitive personal information, or
  • If you don't know how long you'll be retaining consumers' personal information or sensitive personal information, the criteria you'll use to determine how long you retain it (e.g., "for as long as you hold an account with us, and for three months after you close your account")

If you're using the second of these two types of notice, the CPRA imposes an additional obligation: don't retain personal information or sensitive personal information for longer than is reasonably necessary for the disclosed purposes for which you collected it.

It appears that the CPRA does not impose a storage limitation obligation on businesses using the first type of notice. However, a commonsense approach to data retention dictates that you should not set arbitrarily long retention periods either way.

Again, the CPRA does not define how long is a "reasonably necessary" period of storage. An honest assessment of your purposes for storing the personal information should help you justify your retention periods.

Summary

Data minimization is a new concept in U.S. privacy law. However, it should be welcomed by any business wishing to respect its customers' privacy, reduce its liability, and save money in the long term.

  • Only collect personal information for specified, explicit, and legitimate purposes
  • Don't collect more personal information than you need
  • Don't store personal information for longer than necessary

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.