What is Data Minimization Under the CPRA?

The laws governing data privacy and protection are becoming more stringent across the globe due to the increasing complexities they must address to safeguard consumer data and establish a legal basis for data processing.

In this respect, the principle of data minimization, following its initial enactment through the European Union’s General Data Protection Regulation (GDPR), has emerged as an integral principle of data processing across different jurisdictions. In the United States, the California Privacy Rights Act (CPRA) is the first legislation to codify the data minimization principle in relation to the processing of personal data and sensitive personal data.

The CPRA, as passed in 2020, is an amended version of the California Consumer Privacy Act (CCPA) and will take effect on January 1, 2023. The codification of the data minimization principle is one of the many distinctions between the CPRA and the CCPA.

Data Minimization - An Overview

The principle of data minimization denotes that a data controller should only process such personal data which are necessary and relevant for achieving the specified purposes of the concerned processing activity. Moreover, such personal data should not be unnecessarily retained, and the controller should dispose of the same after the requisite processing purpose has been attained.

The GDPR outlines the data minimization principle under Article 5(1)(c) mandates that personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Therefore, data controllers subject to the GDPR are required to identify the purposes of their processing activities and only collect and retain such data, which are essential to fulfill such specified purposes.

Data Minimization Under the CPRA

Reasonable and Proportionate

The CPRA, through Section 1798.100(c), stipulates that the collection, use, retention, and sharing of a consumer's personal information must be both reasonably necessary and proportionate to achieve:

• the original purpose for which the personal information was collected or processed;
• another disclosed purpose that is compatible with the context in which the personal information was earlier collected;
• and it is not further processed in a manner that is incompatible with those purposes.

Consumer’s Reasonable Expectations

As per the CPRA Regulation 7002(b) the purposes for which consumer personal information shall be processed must meet the reasonable expectations of the consumer(s) regarding the purpose for which their information will be collected or processed, which shall be based on the following factors:

• the relationship between the consumers and the business;
• the type, nature, and amount of personal information to be collected or processed;
• the source of the personal information and the method of its collection or processing;
• the specificity, explicitness, prominence and clarity of the disclosures to the consumers regarding the purposes of collection and processing of their personal information; and
• the degree to which involvement of service providers, contractors, third parties, or other entities in the collection and processing of personal information is apparent to the consumers; and
• the strength of the link between the reasonable expectations of the consumers and the other disclosed purpose; for instance, if the consumers’ reasonable expectations are to receive a service, and the further processing is for repairing errors that impair the functionality of such service, such further processing would be compatible with the original purpose.

The draft CPRA regulations 7002(d) provides the standard by which it may be determined whether the collection, use, retention, and/or sharing of a consumer’s personal information is reasonably necessary and proportionate to the disclosed processing purpose:

• the minimum amount of personal information required to accomplish a processing purpose is obtained. For example, to process an online transaction and send an email confirmation of the purchase, a business might require the consumer’s email address, payment and delivery information, and order details;
• the potential risks to the consumers posed by the collection or processing of their personal information by the business. For instance, gathering accurate geolocation data may have a detrimental effect on consumers by disclosing other sensitive personal information about them, such as health data based on visits to healthcare providers; and
• the existence of additional protections that particularly address the foregoing identified potential risks to the consumers. For example, as a potential safeguard, a business may consider encryption or the automatic erasure of personal data within a specific window of time.

To summarize, the use, collection, retention, and sharing of consumers’ personal data by businesses must be reasonably necessary and proportionate to the processing purposes for which the data was obtained or another disclosed purpose.

It is important to highlight here that through the foregoing stipulations, the CPRA codifies two other important principles of lawful data processing, that is, purpose limitation and storage limitation.

Purpose Limitation Under the CPRA

The CPRA mandates purpose limitation in relation to data processing by providing that a business must not collect or use personal information or sensitive personal information for any purpose that is incompatible with the original purpose of such data processing activity.

The CPRA, under Cal. Civ. Code §§ 1798.100 (a)(1) and (a)(2), and the proposed CPRA regulations, under §7002(e), further mandate that a business should, at the time of or prior to the collection or use of additional categories of personal information, for purposes that are incompatible with the original purpose for which the information was collected, notify the relevant consumers and obtain their consent.

It is important to note here that a business’s collection, use, retention, and/or sharing of such personal information should also be reasonably necessary and proportionate to achieve the processing purpose for which the consumer’s consent is obtained.

Storage Limitation Under the CPRA

The CPRA, through Cal. Civ. Code § 1798.100 (a)(3), also mandates storage limitation by specifying that a business should inform the consumers of the length of time for which it intends to retain each category of the consumer’s personal information or sensitive personal information.

Where the business cannot provide an accurate timeline, it should inform the consumer of the criteria used to determine the data retention period. However, the business must not store the personal data of the consumer beyond the period reasonably necessary to achieve the purpose of the data processing activity.

Third Parties and Data Minimization Obligations

A business may often sell, or share data with, third parties, contractors or service providers, for varying business purposes, such as advertising or business analytics.

The CPRA, through Cal. Civ. Code § 1798.100 (d), outlines the prerequisites for such data sharing or selling by mandating that a business must enter into an agreement with the data recipient that incorporates the following terms and conditions:

• the business is selling or disclosing personal information only for limited and specific purposes;
• the data recipient shall abide by all applicable privacy requirements under the CPRA;
• the business shall have the right to take appropriate steps to ensure that the data recipient uses the disclosed personal information in a manner consistent with the business’ obligations under the CPRA;
• the data recipient shall be obligated to notify the business if it makes a determination that it can no longer meet its obligations under the CPRA; and
• the business shall have the right, upon notice (including under the preceding condition) to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

The foregoing requirements reveal that businesses are also obligated to ensure that any contractors, service providers, or third parties with whom they share consumers’ personal data, should also comply with CPRA requirements, including the principle of data minimization.

What Do the New Requirements Mean for Businesses?

The concept of data minimization is new in the American privacy legal framework. Therefore, businesses subject to the CPRA should revamp their data processing operations in order to develop compliance with the principle of data minimization and the associated tenets of purpose limitation and storage limitation.

In this respect, businesses should carefully consider the data they collect, use, retain or share, as well as the processing purposes, in order to eliminate any unnecessary or purpose-incompatible data processing activities.

Additionally, when such data is no longer required for disclosed processing purposes, businesses must take steps to remove it from their systems. Having detailed records of the applications or systems used to store personal data, internally or externally, is crucial for this purpose.