A New Year, A New Challenge
The last two years were busy ones for privacy advocates. In 2020, California voters passed the California Privacy Rights Act (CCPA), a major revision of the California Consumer Privacy Act of 2018; Virginia adopted the Consumer Data Protection Act; and Colorado approved the Colorado Privacy Act. Each of these laws will have an impact in how businesses, particularly those with an online presence (so, virtually all businesses), collect, process and protect personal information.
This is a challenge for any business, even those that have worked to comply with existing laws – the CCPA and the EU's General Data Protection Regulation – and best practices. It's not going to become any easier: Florida, Washington, Indiana and the District of Columbia have all introduced consumer data privacy acts, just 10 days into the new year. As we see a proliferation of state laws, combined with the possibility of federal action on the regulatory or legislative front, companies need to adopt a strategy for compliance.
We look at all of these developments and try to find the commonalities, as opposed to the differences, to guide our clients toward efficient, cost-effective, and meaningful ways of grappling with the constantly shifting environment. One of the common elements between each of the California, Virginia and Colorado laws, as well as the GDPR and most of the pending proposals, is data minimization.
What is Data Minimization?
Data minimization consists of two obvious components:
- Only collect the data that you actually need to provide the goods and services you offer.
- Don't keep the data any longer than you need.
The Colorado Privacy Act presents it succinctly: "A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed." Virginia's Consumer Data Protection Act is similar; "A controller shall: 1. Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer . . . ." And the California Privacy Rights Act amends existing California law to bar businesses from collecting more personal information than "reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . . ." and requires that a business "shall not retain a consumer's personal information or sensitive personal information . . . for longer than is reasonably necessary" for the purpose for which it was collected.
Why Focus on Data Minimization
Introducing data minimization can be used as the building block for a privacy-compliant data collection operation; for businesses that are subject to the existing laws, there really is no choice. Data minimization also has an added benefit: minimizing the data footprint makes it easier to achieve reasonable information security, which is another common element of the California, Colorado and Virginia statutes and a wide variety of laws either adopted or under consideration.
How to Comply
An enterprise can address data minimization using simple, straightforward steps:
- Identify the purposes for which the company needs to collect personal information, whether it be providing goods or services, advertising, or other functions.
- Identify the minimum amount of information that is necessary to achieve the business purpose.
- Identify the amount of time that the company needs to retain the information.
- Designate and control the parties, both within the company and vendors, that need access to the information to achieve the identified business purposes.
- Disclose to the consumer the purpose for collection, who will have access to the information, and how long it will be held.
It's also important to document the process. This would include:
- A basic data inventory of the categories of personal data collected, the categories of data subjects from whom data is collected, the purposes for the collection, the categories of recipients of the data, and the applicable retention periods.
- List the systems or applications on which personal information collected and determine whether such systems or applications are maintained internally or externally.
- Appointing an "owner" of the systems charged with periodically updating the inventory.
You should be aware that you are not alone in this effort. Since the adoption of the GDPR and the CCPA, great strides have been made in overcoming what can, at first, seem to be an overwhelming task.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.