Last updated on 01 July 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
Privacy laws worldwide are becoming stricter. The California Privacy Rights Act (CPRA), passed in 2020, contains the first "data minimization" requirement of any U.S. privacy law.
The CPRA's requirements center around notice and choice. But the law also contains some important rules regulating the purposes for which businesses collect personal information and the periods for which they may store it.
So how should CPRA-covered businesses fulfill these new obligations? To explain, we're going to look at how data minimization works in the EU, where such principles have been in place for many years. Then we'll apply these concepts in the Californian context.
Whether you're legally obliged to do so or not, it's in your interests to limit the amount of personal information you collect, use, share, and store.
Below, we're going to look at the new data minimization obligations for U.S. businesses under the CPRA. But first, we're going to consider how similar obligations already exist under the GDPR.
If you're already familiar with the GDPR's "principles of data processing," and you're interested in how these concepts apply in the context of the CPRA, you can skip ahead. Otherwise, you can stick with us as we explain how these important data protection rules exist in the EU context.
"Processing" means any operation performed on personal information, including collecting, storing, or using it. "Personal information" refers to any information that can be linked to an identifiable individual, such as their name, IP address, or salary, depending on the context.
The GDPR contains six principles that underpin how you must process personal information. Here are the principles in full, at Article 5(1) of the GDPR:
We'll be focusing on three of these principles, all of which impose some form of data minimization requirement:
Let's look in more detail at what each principle requires.
Purpose limitation requires you to be specific and intentional when collecting personal information. Personal information must be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
What does it mean to collect personal information for "specified" purposes? Here's what the Article 29 Working Party (now succeeded by the European Data Protection Board) says (at page 15 of the linked PDF):
The message is clear: Don't collect personal information aimlessly. Start with a purpose and determine whether you need to collect personal information for this purpose. Then consider what personal information you need to meet this purpose.
Here's the Article 29 Working Party again (again at page 15 of the above-linked PDF):
You're accountable for all the personal information you collect. You should keep a record of how you have assessed your purposes, and what personal information you need to fulfill those purposes.
Once you have specified your purposes, you must make them explicit to the person from whom you're collecting personal information.
It's important to link each type of personal information you need with your purposes for collecting it. Be specific. Simply stating that you need a person's email address for "marketing purposes" doesn't really explain what you plan to do with that email address.
Explaining your purposes for collecting personal information is a key requirement under many privacy laws, including the California Consumer Privacy Act (CCPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and New Zealand's Privacy Act.
You must only collect personal information for "legitimate" purposes. Here's what the Article 29 Working Party says about the legitimacy requirement (at page 20 of the linked PDF):
When considering whether your purposes are legitimate, consider:
If you're collecting personal information for illegitimate purposes, it doesn't matter whether these purposes are specific and explicit.
The GDPR states that you may not further process personal information for purposes that are "incompatible" with the purposes for which you originally collected it.
So, which purposes are "compatible" with one another?
Sometimes, this is obvious. Here's an example from the Article 29 Working Party of when processing purposes are obviously compatible (at page 22 of the linked PDF):
Sometimes, however, it isn't clear whether purposes are compatible. Here's an example of a more complicated scenario (at page 23 of the linked PDF):
This passage describes two scenarios of further processing in the context of marketing: one where a retailer uses customer information for its own marketing purposes, and another where the retailer shares customer information with another business.
It isn't clear that either of these two scenarios of further processing is compatible with the purposes for which the retailer collected the personal information. The two scenarios present different risks and might not comply with direct marketing laws.
In some cases, the incompatibility of further processing is obvious. Both scenarios above involve organic food; the retailer might instead, for example, have shared its customers' data with an entirely unrelated business, such as a computer repair shop.
When determining whether purposes are compatible, you should consider:
It's also worth noting that the GDPR has some exceptions to the further processing rules when using personal information for certain "historical, statistical or scientific purposes."
Data minimization is the requirement that personal information is "adequate, relevant, and limited to what is necessary in relation to the purposes for which (it is) processed."
Data minimization is closely linked to the GDPR's "purpose limitation" principle, but it is a distinct requirement: it is possible to collect too much personal information even in pursuit of specified, explicit, and legitimate purposes.
Here's an example from the ICO:
Some other examples include:
To comply with the principle of data minimization, you should regularly review the personal information in your possession to determine whether it is still adequate, relevant, and necessary for your purposes.
Storage limitation requires that you don't keep personal information for longer than you need it in relation to a specified purpose. The GDPR doesn't provide any specific time limits for storing personal information: you need to assess this for yourself.
Compliance with the storage limitation principle is easier if you draw up a "retention schedule" setting out how long you need to keep each type of personal information.
Here's an example from the University of Brighton:
In some cases, you shouldn't keep personal information for more than a matter of days or even hours. For example, here's some advice for web developers from the Internet Engineering Task Force's Internet Area Working Group (IntArea):
"(Don't) store logs of incoming IP addresses from inbound traffic for longer than three days [...] a three-day logging period covers a weekend, which is convenient for professional server providers."
You should regularly review all the personal information in your possession so you can be sure you're not keeping it for too long.
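The retention schedule and review described above can be enforced mechanically. The following is an added example, not code from the article or from TermsFeed: it applies a hypothetical per-category retention schedule (the three-day period for inbound IP logs is the IntArea figure quoted above; the other periods are assumed) to constructed sample records, purging anything past its period and flagging records whose category has no documented purpose or retention period, so they are reviewed rather than silently kept.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule (assumed values, except the three-day
# figure for inbound IP logs, which follows the IntArea advice quoted above).
# None means "keep while the purpose is active" (e.g. an ongoing subscription).
RETENTION_SCHEDULE = {
    "inbound_ip_log": timedelta(days=3),
    "support_ticket": timedelta(days=365),
    "newsletter_signup": None,
}

# Constructed sample records: (category, collected_at as ISO-8601 UTC, payload)
SAMPLE_RECORDS = [
    ("inbound_ip_log", "2022-06-27T08:00:00+00:00", "203.0.113.7 GET /"),
    ("inbound_ip_log", "2022-06-30T22:15:00+00:00", "198.51.100.2 GET /login"),
    ("support_ticket", "2021-05-01T00:00:00+00:00", "ticket #1 (constructed)"),
    ("newsletter_signup", "2020-01-01T00:00:00+00:00", "user@example.com"),
    ("ab_test_clickstream", "2022-06-29T00:00:00+00:00", "no purpose documented"),
]


def apply_retention(records, schedule, now):
    """Split records into keep / purge / review lists according to the schedule.

    purge:  the category has a retention period and the record is older than it
    review: the category is absent from the schedule, i.e. nobody has documented
            a purpose or retention period for it, so it cannot be justified yet
    keep:   everything else (within its period, or retained while purpose is active)
    """
    keep, purge, review = [], [], []
    for category, collected_at, payload in records:
        if category not in schedule:
            review.append((category, payload))
            continue
        period = schedule[category]
        age = now - datetime.fromisoformat(collected_at)
        if period is not None and age > period:
            purge.append((category, payload))
        else:
            keep.append((category, payload))
    return keep, purge, review


if __name__ == "__main__":
    now = datetime(2022, 7, 1, 0, 0, tzinfo=timezone.utc)
    keep, purge, review = apply_retention(SAMPLE_RECORDS, RETENTION_SCHEDULE, now)
    print("keep:", keep)
    print("purge:", purge)
    print("review (no documented purpose):", review)
```

Run against a real log store, the "review" list is the input to the regular review the article recommends: data you cannot tie to a documented purpose and retention period is the first candidate for deletion.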
We're assuming you understand the basics of the CPRA and know whether it applies to you. If not, check out our main CPRA article before continuing.
The CPRA provides a list of information that businesses must provide consumers before collecting their personal information. A rule about the collection of personal data itself appears alongside each item on the list.
Here's the relevant section of the law, at Section 1798.100:
These data minimization requirements aren't as significant as the EU's, but it's essential that you understand them. We can boil this section of the CPRA down to two main rules.
Section 1798.100 (a) (1) and (2) of the CPRA present a limited "purpose limitation" obligation.
First of all, you must disclose the purposes for which you collect or use each category of personal information and sensitive personal information. You must not collect or use personal information or sensitive personal information for any additional purpose unless:
This is reiterated at Section 1798.100, which states:
"A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes."
The CPRA doesn't explain which purposes are compatible with one another. Our guidance on further purposes under the GDPR is a good starting point.
Section 1798.100 (a) (3) imposes a narrow "storage limitation" obligation on businesses. It starts by requiring you to notify consumers of either:
If you're using the second of these two types of notice, the CPRA imposes an additional obligation: don't retain personal information or sensitive personal information for longer than is reasonably necessary for the disclosed purposes for which you collected it.
It appears that the CPRA does not impose a storage limitation obligation on businesses using the first type of notice. However, a common-sense approach to data retention dictates that you should not set arbitrarily long retention periods either way.
Again, the CPRA does not define how long is a "reasonably necessary" period of storage. An honest assessment of your purposes for storing the personal information should help you justify your retention periods.
Data minimization is a new concept in U.S. privacy law. However, it should be welcomed by any business wishing to respect its customers' privacy, reduce its liability, and save money in the long term.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.