Why Organizations Need to Start Implementing Data Minimization
When the European Union (EU) enacted the General Data Protection Regulation (GDPR) on May 2, 2018, the world was introduced to the concept of data minimization. According to Article 5 of the GDPR, data minimization means “personal data shall be . . . adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).”
Although there is currently no federal legislation governing data minimization in the U.S., there has been a recent push for federal action. And according to a privacy legislation tracker created by the International Association of Privacy Professionals (IAPP), there are, in total, 22 states that have introduced their own acts to govern consumer privacy. All but one of these bills have been referred to a committee for review before advancement to the next step in the legislative process—indicating state legislators intend to increase privacy protections.
Most pressingly, California, Virginia, and Colorado will begin enforcing data minimization requirements in 2023. Here’s what that means in these states, and the actions organizations should take to achieve compliance.
California
The California Privacy Rights Act (CPRA) was passed into law on November 3, 2020 and is set to take effect on January 1, 2023. The CPRA will amend the California Consumer Privacy Act (CCPA) on many counts. Importantly, Section 1798.100(c) of the CPRA will add data minimization as a mandatory practice for businesses engaging with or servicing California consumers.
Virginia
The Virginia Consumer Data Protection Act (VCDPA) was passed into law on March 2, 2021 and will take effect January 1, 2023. Under Section §59.1-578 §§ A.1, 2, a data collector or processor may only possess consumers’ personal information when it is “adequate, relevant, and reasonably necessary for the disclosed purposes for which such data is processed, as disclosed to the consumer.” If a consumer’s information does not fall within this categorization, then the data processor or controller may not possess the data without the consumer’s consent.
Colorado
The Colorado Privacy Act (CPA) was passed into law July 8, 2021 and is set to take effect on July 1, 2023. Under the CPA, data minimization will be achieved by Section 6-1-1307(3), the text of which essentially mirrors the text outlined in the VCDPA.
Regulatory Efforts
The Electronic Privacy Information Center (EPIC) released a white paper in January titled How the FTC Can Mandate Data Minimization Through a Section 5 Unfairness Ruling (White Paper). The White Paper argues that the Federal Trade Commission (FTC) should utilize its power to interfere with “unfair methods of competition,” set forth in Section 5 of the FTC Act. According to EPIC, the FTC has the authority to establish a Data Minimization Rule that would prevent, with limited exceptions, the transfer and use of consumer’s personal data to secondary entities.
EPIC recommends an outright prohibition on transfer to secondary entities. However, if the FTC resists this level of oversight, EPIC proposes that the FTC prohibit secondary use of data for behavioral or surveillance advertising, or at least mandating that all businesses provide consumers with the right to opt out of having their data used by secondary parties.
Although this white paper is a mere recommendation to the FTC, statements by Justin Brookman–the director of technology policy at Consumer Reports and a former FTC official–indicate that the FTC has been waiting many years for Congress to implement protections related to data minimization.
How Businesses Can Advance Data Minimization
In a recent video, Apple’s head of user privacy, Erik Neuenschwander discussed data minimization, naming the practice as a priority for Apple in its ongoing effort to protect its users’ privacy. Data minimization is at the forefront of Apple’s design, Neuenschwander said, and achieved by on-device intelligence and hardware that permits data processing on the device rather than on Apple’s servers.
If these capabilities are not available to your organization, you can still act to ensure data minimization is achieved by conducting a voluntary review of policies and procedures related to data collection, retention, and use and distribution. These policies and procedures should be amended to reflect the guidelines outlined in the GDPR and forthcoming U.S. state privacy laws set to take effect next year.