December 5, 2020

Volume X, Number 340


Does the CCPA require data minimization with regard to the collection, use and storage of information?

Does the CCPA require data minimization with regard to the collection and use of information?

No.

The European GDPR permits a company to collect only that information which is “adequate, relevant and limited to what is necessary in relation to the purposes” for which the information is to be processed.[1] As a result, a company arguably is not permitted to collect personal data that is not “necessary” for a specific processing purpose. The requirement that a company limit the type and quantity of information that it collects is often referred to as “data minimization.”

Data minimization is not addressed by most privacy laws in the United States, and it is not mandated by the CCPA.

Unlike the CCPA, the California Privacy Rights Act of 2020 (the “CPRA”) – which will be on the ballot in California in November – purports to contain a data minimization requirement. The CPRA states that a “business’ . . . collection [and] use” of a consumer’s personal information shall be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . . .”[2] The CPRA further states that a business “shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary” for the purpose for which it was collected.[3]

Does the CCPA require data minimization with regard to the storage of information?

No.

The European GDPR permits a company to retain personal data for “no longer than is necessary for the purposes for which the personal data are processed.”[4] As a result, if a company no longer needs information to accomplish a specific purpose, the company is, theoretically, required to delete that information. The requirement that a company keep information for the least amount of time needed is often referred to as “storage limitation” and, according to many privacy advocates, falls within the larger rubric of “data minimization.”

Data minimization is not addressed by most privacy laws in the United States, and it is not mandated by the CCPA. Privacy laws in the United States that do touch upon data minimization generally do not require it; instead they recommend it as a best practice or as a condition for achieving a safe harbor from allegations of improper security. For example, the New York Shield Act states that a business is “deemed to be in compliance” with the requirement within that statute that the business must develop reasonable safeguards to protect certain information if, among other things, the business “disposes of private information within a reasonable amount of time after it is no longer needed for business purposes….”[5]

Unlike the CCPA, the California Privacy Rights Act of 2020 (the “CPRA”) – which will be on the ballot in California in November – purports to contain a data minimization requirement. The CPRA states that a “business’ . . . retention . . . of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . . .”[6] The CPRA further states that a business “shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary” for the purpose for which it was collected.[7]

[1] GDPR, Article 5(1)(c).

[2] Proposed 1798.100(c).

[3] Proposed 1798.100(a)(4).

[4] GDPR, Article 5(1)(e).

[5] New York Bus. Law § 899-bb(2)(a), (b)(ii)(C)(4).

[6] Proposed 1798.100(c).

[7] Proposed 1798.100(a)(4).

©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 305

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425