The CPPA, California's privacy regulator, has come out with a forceful advisory to regulated businesses regarding a “foundational principle” of the state's privacy laws: data minimization. Long a concept in privacy circles and important in EU compliance, data minimization is encoded in many US state laws but has not gotten much press here. That may be about to change. In essence, data minimization means to collect from consumers/users only what you need to collect in order to conduct your transaction with them. In other words, don't ask for or collect unnecessary data.
Why It Matters
The CPPA reminds businesses that data minimization applies to all activities under the state's laws. It also posits that data minimization is a good business practice that reduces business risk, legal risk, and harm to individuals. The bulk of the advisory centers on how to respond to consumer requests to access or delete their data, however, which suggests that businesses should tread carefully when asking consumers for information to verify their identity before responding to those requests.
Lest we treat this as purely a California issue: of the more than 30 states that have passed or are trying to pass a state privacy law or laws, only five have drafted bills that omit the idea of data minimization. The principle is embedded in every US state privacy law currently on the books (except one), but has not gotten much attention here yet. The CPPA's advisory may signal that this grace period from regulators is coming to an end.
/Passle/61f3627a0c51c3165820f0e7/MediaLibrary/Images/5ff4a070535488111cdbfec9/2024-01-17-18-25-18-859-65a81b8e3f5d760a89621ac7.png)
