What’s Data Minimization? As the Saying Goes, You’ll ‘Know It When (You) See It’

Odia Kagan
Fox Rothschild LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Fox Rothschild LLP

What do obscenity and data minimization have in common?

As Justice Potter Stewart famously wrote in his concurring opinion to the U.S. Supreme Court’s decision in the 1964 free speech case Jacobellis v. Ohio, “I know it when it see it.”

Data minimization is coming to CPRA, CPA, CDPA and FTC enforcement. But what does “necessary and relevant” or “adequate and relevant” or “proportionate” mean in real life?

Only collect what is necessary for the purpose.
  1. Know what the purpose is. (“Marketing said so” or “that’s our template intake form” won’t cut it.)
  2. Figure out a process to notify individuals of the purpose and of any new purposes.
  3. Make sure the data is relevant and helpful to accomplishing this purpose. (If you are worried about vandals in your warehouse entrance, you don’t need CCTV in your employee break room. (Commission Nationale de l’Informatique et des Libertés, Agencia Española de Protección de Datos and pretty much every DPA). If you are logging employee days of illness, don’t use this to ding their promotion.
  4. Make sure ALL the data is relevant and helpful and that there is no less privacy invasive way to accomplish this. (Or if there is, offer it as an alternative.) In other words:
    • Allow a guest checkout instead of a user account (DSK, Germany)
    • Don’t record the entire call, just the part on the contract; and redact payment data (CNIL)
    • Pixelate and blur faces and license plates (Bavaria DPA)
    • Don’t require ID and DOB for purchasing concert tix (Personuvernd)
    • If you don’t need a continued smart meter reading, take one once daily (ENISA)
Only retain for as long as necessary for the purpose.
  1. Figure out (with your stakeholders) how long you need to keep the data to accomplish the purpose you already identified (Federal Trade Commission in CafePress).
  2. Figure out whether any data retention laws apply and require you to retain the day for a minimum period.
  3. Even if there are such laws, be granular. Keep only those items which the law requires you to retain, and delete the rest. (No, “my database doesn’t allow this,” is not a good reason and Datatilsynet said so already in TAXA.)
  4. Re-assess your data retention period periodically (Israel PPA on Telehealth).
  5. Delete it like you mean it. (Really delete, not just remove from the active server.) You can also anonymize, but really anonymize. (Removing identifiers is not enough.)

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP
Fox Rothschild LLP
Contact
more
less

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide