The European Union’s General Data Protection Regulation (GDPR) first launched the concept of data minimization, which states that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. This seems like a simple concept: an entity should only collect personal information that is relevant and necessary to the objective for which the entity is collecting the information. Yet, how many times do we hear of data breaches in which a company had vast amounts of highly personal information dating back years which it no longer uses or needs, but that was part of a data breach? All that highly personal information is now out there on the dark web. This is one major reason why data minimization should be the new mantra for IT professionals and anyone else managing a company’s data.
While there is not one standard privacy law in the US like there is in the EU, California, and now Colorado and Virginia, will soon have new privacy laws that will include data minimization principles.
In California, the California Privacy Rights Act, set to take effect on January 1, 2023, amends the California Consumer Privacy Act (CCPA) and adds data minimization to its obligations for businesses. Specifically, section 1798.100(c) states that: “[a] business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
Virginia was the next state to pass a comprehensive privacy law with the Virginia Consumer Data Protection Act (CDPA). This law is also set to take effect on January 1, 2023, and contains language regarding data minimization. The CDPA includes a responsibility for the data controller to limit personal data collection and processing to “what is adequate, relevant, and reasonably necessary for the disclosed purposes for which such data is processed, as disclosed to the consumer.” This section of the law further states that the data controller should “not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.” Virginia Code Ann. §59.1-578 §§ A.1, 2.
Colorado was next to the party, passing its privacy law a few months later. The Colorado Privacy Act (CPA) is set to take effect on July 1, 2023. Section 6-1-1307(3) of the CPA states that a “controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.” Colorado, like Virginia, requires that a controller shall not process personal data for purposes that are not reasonably necessary to, or compatible with, the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent. Section 6-1-1307(4).
Since these laws take effect in 2023, now is a great time for companies to do some data mapping to determine what data the company has in its possession and to review and update data retention policies. Good data management practices, including minimization, should be a major focus now to be ready for 2023 and beyond.