What is data minimization? As the saying goes, you’ll know it when you see it | Fox Rothschild LLP
What do obscenity and data minimization have in common?
As Justice Potter Stewart famously wrote in his concurring opinion in the United States Supreme Court’s 1964 free speech case Jacobellis v. Ohio, “I know it when I see it.”
Data minimization is enforced under the CPRA, CPA and CDPA and by the FTC. But what do “necessary and relevant,” “adequate and relevant” or “proportionate” mean in real life?
Collect only what is necessary for the objective.
- Know what the goal is. (“Marketing said so” or “this is our intake form template” won’t suffice.)
- Develop a process to let people know about the goal and any new goals.
- Make sure the data is relevant and useful for achieving this goal. (If you fear vandals at the entrance to your warehouse, you don’t need video surveillance in your employees’ break room, per the Commission Nationale de l’Informatique et des Libertés, the Agencia Española de Protección de Datos and pretty much all DPAs.) If you’re logging employees’ sick days, don’t use that data for promotion decisions.
- Make sure ALL data is relevant and useful and that there is no less privacy-invasive way to achieve this. (Or if there is, offer it as an alternative.) In other words:
  - Allow guest checkout instead of requiring a user account (DSK, Germany)
  - Do not record the entire call, only the part about the contract, and redact payment data (CNIL)
  - Pixelate and blur faces and license plates (Bavaria DPA)
  - Do not require ID and date of birth to purchase concert tickets (Persónuvernd)
  - If you don’t need a continuous smart meter reading, take one once a day (ENISA)
Keep data only as long as necessary for the purpose.
- Determine (with your stakeholders) how long you need to retain the data to achieve the purpose you have already identified (Federal Trade Commission in CafePress).
- Determine whether any data retention laws apply that require you to keep the data for a minimum period.
- Even if there are such laws, be specific. Keep only what you are required by law to keep and delete the rest. (No, “my database doesn’t allow it” is not a good reason, and Datatilsynet already said so in TAXA.)
- Periodically reassess your data retention period (Israel PPA on Telehealth).
- Delete it once that period expires. (Really delete it, not just remove it from the active server.) You can also anonymize, but really anonymize. (Removing IDs is not enough.)
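Why “removing IDs is not enough,” as an added illustration that is not part of the post: a constructed patient table is stripped of its ID and name columns, yet every row is still unique on age and ZIP code (k = 1), so anyone who knows those two facts about a person can re-identify their row; generalizing those quasi-identifiers before release raises k. The records, column names and banding choices below are assumptions.

```python
from collections import Counter

# Constructed sample records (not real people). 'patient_id' and 'name' are
# direct identifiers; 'age' and 'zip' are quasi-identifiers that survive a
# naive "just drop the IDs" anonymization and can still single a person out.
RECORDS = [
    {"patient_id": 101, "name": "A. Example", "age": 34, "zip": "94107", "dx": "flu"},
    {"patient_id": 102, "name": "B. Example", "age": 36, "zip": "94110", "dx": "asthma"},
    {"patient_id": 103, "name": "C. Example", "age": 52, "zip": "94103", "dx": "flu"},
    {"patient_id": 104, "name": "D. Example", "age": 58, "zip": "94109", "dx": "migraine"},
]

DIRECT_IDENTIFIERS = ("patient_id", "name")
QUASI_IDENTIFIERS = ("age", "zip")


def drop_direct_identifiers(records):
    """The naive step the post warns about: remove IDs and stop there."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def min_k(records, quasi_ids=QUASI_IDENTIFIERS):
    """Smallest number of records sharing the same quasi-identifier values.
    k == 1 means at least one record is unique on (age, zip) and is therefore
    re-identifiable by anyone who knows that person's age and ZIP code."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


def generalize(records):
    """Coarsen quasi-identifiers: age to a 10-year band, ZIP to its 3-digit
    prefix (hypothetical banding; choose the granularity your purpose needs)."""
    out = []
    for r in records:
        g = dict(r)
        lo = (r["age"] // 10) * 10
        g["age"] = f"{lo}-{lo + 9}"
        g["zip"] = r["zip"][:3] + "**"
        out.append(g)
    return out


def anonymize(records, k_required=2):
    """Drop direct identifiers, generalize, and refuse to release a dataset
    that does not reach the required k-anonymity."""
    released = generalize(drop_direct_identifiers(records))
    k = min_k(released)
    if k < k_required:
        raise ValueError(f"dataset is only {k}-anonymous, need {k_required}")
    return released
```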