



Explore the significance of data minimization in global data privacy laws such as GDPR, CCPA, and others. Learn how implementing data minimization strategies benefits businesses and ensures compliance.
Data minimization is one of the core privacy protection principles in data protection laws worldwide. It requires businesses - as well as AI models - to collect only the data they truly need for processing, and nothing more.
Businesses usually think that minimizing data collection and data retention means shooting themselves in the foot. Yet by collecting more than they need, what they actually do is create data exposure risks.
Collecting and storing data that you don't need is a risk to your company. It leads to non-compliance, doesn't protect individual privacy, and entails unnecessary risks.
Data minimization promotes the opposite.
Data minimization means processing only the minimum amount of personal data necessary for your processing purposes (this is also fundamental when training AI models).
Let's imagine that you want to deliver a monthly newsletter to your customers. For that purpose, you need to process their email address and their names. By collecting only the email address and the name, you've applied the data minimization principle.
If you collect their phone number and home address to communicate with them over email, you've gone too far. You don't need anyone's home address to send them an email.
However, if you want to send them promotional materials at their home address or SMS messages with discounts over the phone, it is reasonable to get the phone numbers and home addresses. You'll need such data to communicate with the customers by their preferred means.
But, in that case, you should not collect their date of birth because it won't be relevant or necessary for informing them about the discounts. Unless you offer birthday discounts, in which case the birthday becomes personal data necessary for fulfilling the processing purpose.
The bottom line is that your processing purpose determines what categories of personally identifiable information you need to collect. Once you know why you need to process personal information, the next step is to determine what categories of data are relevant for the specified purpose. Then, you should ask yourself if all these data categories are necessary or if you could reach your goals without so many pieces of personal information. That's how you implement data minimization practices, including in AI.
Before the rise of data protection laws globally, marketers and entrepreneurs assumed that collecting vast amounts of data was good, just in case it became useful in the future. But that couldn't be further from the truth.
Legal requirements aside, limiting data collection to what is necessary has positive unintended consequences for businesses.
Storing and processing someone else's personal data brings inherent risks to your business. Personal data is always a valuable target for cybercriminals, which puts you at risk of data breaches. That risk in turn requires you to implement robust data security measures to prevent them. And that means spending money that you could save if you simply implemented a data minimization strategy and limited the collection of data to what you really need.
Processing unnecessary data doesn't bring benefits to your business, but only risks. It doesn't bring money in, but it causes you to spend more on preventing breaches.
Article 5(1)(3) of the General Data Protection Regulation (GDPR) of the EU states that personal data shall be "adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)".
Recital 39 of the GDPR stipulates that the processing of personal data must be adequate, relevant, and limited to what is necessary for the intended purposes. The GDPR further explains that we should only process personal data if the processing purpose could not reasonably be fulfilled by other means.
European data protection enforcement agencies have created a vast amount of case law that shows how not to implement data minimization and what the best practices are. Here are a few examples:
Embracing data minimization is required for GDPR compliance. As you can see, agencies do not discriminate between small and large companies or individuals.
However, the EU is not the only jurisdiction that enforces this principle.
The California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA), brought the first data minimization rule to the United States. It states that "businesses should collect consumers' personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared."
According to the Colorado Privacy Act, the processing of personal data "shall be solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes."
The Connecticut Data Privacy Act mandates that a controller should only collect personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.
All the state consumer privacy laws in the United States follow the same principles. They allow businesses to collect and process personal information without opt-in, but at the same time require them to limit the processing to the data they really need and not all the data they can collect.
Not respecting this principle is a violation of the law, which, throughout these states, carries a fine of $7500 per violation. However, we haven't seen any investigations or fines in the US related to this principle.
Under the Lei Geral de Proteção de Dados (LGPD) of Brazil, data minimization refers to processing only the data necessary to accomplish the processing purposes.
Article 6 prescribes the basic privacy principles for data processing. The third one requires "limitation of the processing activity to the minimum necessary for the accomplishment of its purposes, with the comprehensiveness of the relevant data proportional and not excessive in relation to the purposes of the data processing."
Obviously, Brazilian legislators replicated this privacy protection principle from other laws, most notably the EU GDPR.
PIPEDA relies on Ten Privacy Principles, where the fourth principle is Limiting Collection. PIPEDA states that "the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means."
It further explains that "organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfill the purposes identified."
This means that even if you opt out in Canada, you still need to collect and retain only the minimum amount of customer data for processing.
We already have enough case law from Canada's Office of the Privacy Commissioner to understand how it enforces this principle.
Here are a few cases:
The India Digital Personal Data Protection Act (DPDPA) differs slightly from the other laws by mentioning the data minimization principle only in the context of processing personal data based on consent. It states that "the consent given by the Data Principal shall be free, specific, informed, unconditional, and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose."
It indicates that the data collected from users will be the minimum amount of data necessary for processing purposes.
If you have been wondering about implementing data minimization, now you know that it provides only benefits and is explicitly required by all data privacy laws worldwide. It is a no-brainer.
You can achieve what we outline in this article by following these steps:
If your answer is yes, you're good to go.
If you have been collecting more data than necessary in the past and you still store that data, it is time to delete it. As we explained above, it brings only risks without any benefits. This doesn't mean processing less data; it means processing only the right data.
That's one step toward providing data subjects with better data protection and reducing your business risks at the same time.