The California Privacy Protection Agency issued its first-ever enforcement advisory on April 2, reinforcing that data minimization is a founding principle under the California Consumer Privacy Act. In the memo, the agency underscores that covered businesses should apply the data minimization principle to every purpose involving the collection, use, retention, and sharing of consumer personal information. The memo was prompted by concerns that businesses are asking consumers for excessive and unnecessary personal information in connection with consumer data deletion requests.

As the CCPA’s enforcement memo highlights, data minimization reduces the risk of unintended data access and is part of good data governance, and businesses can reduce risk exposures by regularly evaluating how they collect, use, retain, and share personal information. The memo further provides a few thought exercises to help organizations examine and apply the data minimization principle in some common consumer data rights request contexts. Questions organizations should often ask include: Do we really need more information than we already have to achieve our purpose? What are the possible negative impacts from collecting and using the information we control? And what additional safeguards are available to help address the potential for negative impacts?

At Zasio, we help organizations make data minimization a foundational part of not only their personal information processing but all of their records and information practices. Good information governance requires organizations to think about how they collect, use, retain, and share not just personal information, but all records and information.

Good information governance requires organizations to frequently ask themselves questions like (i) are your business units being precise or overbroad in their records and information collection and retention, (ii) what records and information in your domain no longer have business or legal value and are ripe for disposal, and (iii) what additional safeguards can you apply? Having a well-vetted and consistently followed records and information management policy and records retention schedule, routinely updating these documents, and ensuring functions like IT, security, and privacy are all fundamentally represented in your IG program will help make data minimization an intrinsic part of your organization’s information governance.

Consistently following the data minimization principle is integral to managing records and information risks, allowing an organization to spend more time on producing the innovations that will allow it to thrive.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.