The California Privacy Rights Act (CPRA) amendment to the CCPA contains the first "data minimization" requirement of any U.S. privacy law. And the General Data Protection Regulation (GDPR) has set global standards in minimizing data collection and use.
The CPRA's requirements center around notice and choice. But the law also contains some important rules regulating the purposes for which businesses collect personal information and the periods for which they may store it.
This article will look at how data minimization works in the EU, where such principles have been in place for many years. Then we'll apply these concepts in the Californian context and explain how CPRA-covered businesses should fulfill these obligations.
- 1. Data Minimization is in Your Business Interests
- 2. EU General Data Protection Regulation
- 2.1. Purpose Limitation Under the GDPR
- 2.1.1. Specified Purposes
- 2.1.2. Explicit Purposes
- 2.1.3. Legitimate Purposes
- 2.1.4. Compatible Further Purposes
- 2.2. Data Minimization Under the GDPR
- 2.3. Storage Limitation Under the GDPR
- 3. California Privacy Rights Act
- 3.1. Purpose Limitation Under the CPRA
- 3.2. Storage Limitation Under the CPRA
- 4. Summary
Data Minimization is in Your Business Interests
Whether you're legally obliged to do so or not, it's in your interests to limit the amount of personal information you collect, use, share, and store.
- Collecting excessive personal information violates your customers' privacy.
- The more personal information you control, the more likely you are to suffer a data breach. IBM estimates the average cost of a data breach in the U.S. at over $8 million.
- Your customers have certain rights over their personal information. But people can't require you to provide or erase personal information you don't have.
EU General Data Protection Regulation
Below, we're going to look at the new data minimization obligations for U.S. businesses under the CCPA (CPRA). But first, we're going to consider how similar obligations already exist under the GDPR.
If you're already familiar with the GDPR's "principles of data processing," and you're interested in how these concepts apply in the context of the CCPA (CPRA), you can skip ahead. Otherwise, you can stick with us as we explain how these important data protection rules exist in the EU context.
"Processing" means any operation performed on personal information, including collecting, storing, or using it. "Personal information" refers to any information that can be linked to an identifiable individual, such as their name, IP address, or salary, depending on the context.
The GDPR contains six principles that underpin how you must process personal information. Here are the principles in full, at Article 5 (1) of the GDPR:
We'll be focusing on three of these principles, all of which impose some form of data minimization requirement:
- Purpose limitation: Only process personal information for the specified purpose for which you collected it, or for other purposes that are compatible with the original purpose.
- Data minimization: Only process the personal information that is necessary, relevant, and adequate for your purposes.
- Storage limitation: Don't store personal information for longer than you need it in connection with a specified purpose.
Let's look in more detail at what each principle requires.
Purpose Limitation Under the GDPR
Purpose limitation requires you to be specific and intentional when collecting personal information. Personal information must be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
What does it mean to collect personal information for "specified" purposes? Here's what the Article 29 Working Party (now succeeded by the European Data Protection Board) says (at page 15 of the linked PDF):
The message is clear: Don't collect personal information aimlessly. Start with a purpose and determine whether you need to collect personal information for this purpose. Then consider what personal information you need to meet this purpose.
- If you're building a website, don't collect log data such as timestamps, IP addresses, and browser information unless you need it for a specific purpose.
- If you're developing an app, ensure third-party APIs such as Google Analytics are not hoovering up your users' data unnecessarily. Be careful about which permissions you request.
- If you allow customers to set up an account on your website or app, don't ask for their date of birth or even their name unless you actually need this information for a specific purpose.
Here's the Article 29 Working Party again (again at page 15 of the above-linked PDF):
You're accountable for all the personal information you collect. You should keep a record of how you have assessed your purposes, and what personal information you need to fulfill those purposes.
Once you have specified your purposes, you must make them explicit to the person from whom you're collecting personal information.
It's important to link each type of personal information you need with your purposes for collecting it. Be specific. Simply stating that you need a person's email address for "marketing purposes" doesn't really explain what you plan to do with that email address.
Explaining your purposes for collecting personal information is a key requirement under many privacy laws, including the California Consumer Privacy Act (CCPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and New Zealand's Privacy Act.
You must only collect personal information for "legitimate" purposes. Here's what the Article 29 Working Party says about the legitimacy requirement (at page 20 of the linked PDF):
When considering whether your purposes are legitimate, consider:
- The law
- Any industry-specific regulations (for example, in fields such as health, finance, and communications)
- Any relevant codes of conduct and ethics
- The underlying relationship between your business and the people whose personal information you're collecting
If you're collecting personal information for illegitimate purposes, it doesn't matter whether these purposes are specific and explicit.
Compatible Further Purposes
The GDPR states that you may not further process personal information for purposes that are "incompatible" with the original purpose for which you collected it.
So, which purposes are "compatible" with one another?
Sometimes, this is obvious. Here's an example from the Article 29 Working Party of when processing purposes are obviously compatible (at page 22 of linked PDF):
Sometimes, however, it isn't clear whether purposes are compatible. Here's an example of a more complicated scenario (at page 23 of linked PDF):
This example describes two scenarios of further processing in the context of marketing: one where a retailer uses customer information for its own marketing purposes, and another where the retailer shares customer information with another business.
It isn't clear that either of these two scenarios of further processing is compatible with the purposes for which the retailer collected the personal information. The two scenarios present different risks and might not comply with direct marketing laws.
In some cases, the incompatibility of further processing is obvious. While the two scenarios above both involve organic food, the retailer might, for example, have shared its customers' data with a totally unrelated business, such as a computer repair shop.
When determining whether purposes are compatible, you should consider:
- The relationship between the two purposes: How different are the two purposes? Was the further purpose implied by the original purpose?
- The context in which you collected the personal information and the reasonable expectations of the individuals from whom you collected it: Are you dealing with existing customers? Is this a vulnerable group?
- The nature of the personal information: Is this sensitive personal information? What are the risks?
- Any safeguards you can put in place: How can you reduce the likelihood that your new purposes will cause harm?
It's also worth noting that the GDPR has some exceptions to the further processing rules when using personal information for certain "historical, statistical or scientific purposes."
Data Minimization Under the GDPR
Data minimization is the requirement that personal information is "adequate, relevant, and limited to what is necessary in relation to the purposes for which (it is) processed."
- Adequate: The personal information you process must help you meet the purposes for which you collected it.
- Relevant: Only process personal data that has a rational link to your purposes.
- Limited to what is necessary: Don't process more personal information than you need for your purposes.
Data minimization is closely linked to the GDPR's "purpose limitation" principle. Even so, it is possible to collect too much personal information in pursuit of specified, explicit, and legitimate purposes.
Here's an example from the ICO:
Some other examples include:
- If you're building a website, you may identify an issue with a specific web form. You might decide to use analytics software to test how users interact with the form (note that you need consent for analytics cookies in the EU). You don't need to collect analytics data about every page of your website.
- If you're recruiting, you might need to ask applicants to complete a health survey. You should only include questions that are relevant to the post.
- If you're developing an app, it might require location permissions for certain functions. Whenever a user is not using the app for those functions, it should no longer track the user's location.
To comply with the principle of data minimization, you should regularly review the personal information in your possession to determine whether it is still adequate, relevant, and necessary for your purposes.
Storage Limitation Under the GDPR
Storage limitation requires that you don't keep personal information for longer than you need it in relation to a specified purpose. The GDPR doesn't provide any specific time limits for storing personal information: you need to assess this for yourself.
Compliance with the storage limitation principle is easier if you draw up a "retention schedule" setting out how long you need to keep each type of personal information.
Here's an example from the University of Brighton:
- Some retention periods are simply "6 years," others are "SFT (student's final year) + 6 years." This is an acceptable way to calculate a retention period: the university requires the data throughout the student's period of study, and for a certain period after their study ends.
- In one case, the personal information will be anonymized and kept permanently. Once data is properly anonymized it is no longer personal information and is not subject to the GDPR.
- Some personal information is retained "until audited." Sometimes there is a legal or regulatory obligation to retain personal information for a certain period.
In some cases, you shouldn't keep personal information for more than a matter of days or even hours. For example, here's some advice for web developers from the Internet Engineering Task Force's Internet Area Working Group (IntArea):
"(Don't) store logs of incoming IP addresses from inbound traffic for longer than three days [...] a three-day logging period covers a weekend, which is convenient for professional server providers."
You should regularly review all the personal information in your possession so you can be sure you're not keeping it for too long.
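The retention-schedule approach described above, as an added example that is not part of the original article: a small Python evaluator that encodes the rule shapes discussed (a fixed period, an event-anchored period such as "final year + 6 years", "until audited", "anonymize and keep", and a three-day log window) and decides, per record, whether to keep, delete, or anonymize it. The schedule, category names, and records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class RetentionRule:
    period: Optional[timedelta]  # None: act as soon as the anchoring event occurs
    anchor: str                  # "collected" or "event"
    action: str                  # "delete" or "anonymize"

# Constructed schedule; "6 years" is approximated as 6 * 365 days for simplicity.
SCHEDULE = {
    "web_access_log":    RetentionRule(timedelta(days=3), "collected", "delete"),
    "invoice":           RetentionRule(timedelta(days=6 * 365), "collected", "delete"),
    "student_record":    RetentionRule(timedelta(days=6 * 365), "event", "delete"),
    "course_statistics": RetentionRule(timedelta(0), "collected", "anonymize"),
    "expense_claim":     RetentionRule(None, "event", "delete"),  # "until audited"
}

@dataclass
class Record:
    category: str
    collected: date
    event: Optional[date] = None   # e.g. student's final year ended, audit completed
    anonymized: bool = False

def decide(record: Record, today: date) -> str:
    """Return 'keep', 'delete', or 'anonymize' for one record under the schedule."""
    rule = SCHEDULE[record.category]
    if rule.action == "anonymize" and record.anonymized:
        return "keep"  # properly anonymized data is no longer personal information
    if rule.anchor == "event":
        if record.event is None:
            return "keep"  # the anchoring event (final year, audit) has not happened
        start = record.event
    else:
        start = record.collected
    if rule.period is None:
        return rule.action  # event-only rule: act once the event has occurred
    return rule.action if today >= start + rule.period else "keep"

def review(records, today: date):
    """Apply the schedule to every record; the periodic review the text recommends."""
    return [(r.category, decide(r, today)) for r in records]
```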
California Privacy Rights Act
We're assuming you understand the basics of the CPRA and know whether it applies to you. If not, check out our main CPRA article before continuing.
The CPRA provides a list of information that businesses must provide consumers before collecting their personal information. A rule about the collection of personal data itself appears alongside each item on the list.
Here's the relevant section of the law, at 1798.100:
These data minimization requirements aren't as significant as the EU's, but it's essential that you understand them. We can boil this section of the CPRA down to two main rules.
Purpose Limitation Under the CPRA
Section 1798.100 (a) (1) and (2) of the CPRA present a limited "purpose limitation" obligation.
First of all, you must disclose the purposes for which you collect or use each category of personal information and sensitive personal information. You must not collect or use personal information or sensitive personal information for any additional purpose unless:
- Your new purpose is "compatible" with the original, disclosed purpose for which you collected it, or
- You provide valid notice to inform the consumer about the new purpose
This is reiterated at Section 1798.100, which states:
"A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes."
The CPRA doesn't explain which purposes are compatible with one another. Our guidance on further purposes under the GDPR is a good starting point.
Storage Limitation Under the CPRA
Section 1798.100 (a) (3) imposes a narrow "storage limitation" obligation on businesses. It starts by requiring you to notify consumers of either:
- How long you intend to retain their personal information or sensitive personal information, or
- If you don't know how long you'll be retaining consumers' personal information or sensitive personal information, the criteria you'll use to determine how long you retain it (e.g., "for as long as you hold an account with us, and for three months after you close your account")
If you're using the second of these two types of notice, the CPRA imposes an additional obligation: don't retain personal information or sensitive personal information for longer than is reasonably necessary for the disclosed purposes for which you collected it.
It appears that the CPRA does not impose a storage limitation obligation on businesses using the first type of notice. However, a commonsense approach to data retention dictates that you should not set arbitrarily long retention periods either way.
Again, the CPRA does not define how long is a "reasonably necessary" period of storage. An honest assessment of your purposes for storing the personal information should help you justify your retention periods.
Summary
Data minimization is a new concept in U.S. privacy law. However, it should be welcomed by any business wishing to respect their customers' privacy, reduce their liability, and save money in the long term.
- Only collect personal information for specified, explicit, and legitimate purposes
- Don't collect more personal information than you need
- Don't store personal information for longer than necessary