What do obscenity and data minimization have in common?
As Justice Potter Stewart famously wrote in his concurring opinion to the U.S. Supreme Court’s decision in the 1964 free speech case Jacobellis v. Ohio, “I know it when it see it.”
Data minimization is coming to CPRA, CPA, CDPA and FTC enforcement. But what does “necessary and relevant” or “adequate and relevant” or “proportionate” mean in real life?
Only collect what is necessary for the purpose. Know what the purpose is. (“Marketing said so” or “that’s our template intake form” won’t cut it.) Figure out a process to notify individuals of the purpose and of any new purposes. Make sure the data is relevant and helpful to accomplishing this purpose. (If you are worried about vandals in your warehouse entrance, you don’t need CCTV in your employee break room. (Commission Nationale de l’Informatique et des Libertés, Agencia Española de Protección de Datos and pretty much every DPA). If you are logging employee days of illness, don’t use this to ding their promotion. Make sure ALL the data is relevant and helpful and that there is no less privacy invasive way to accomplish this. (Or if there is, offer it as an alternative.) In other words: Allow a guest checkout instead of a user account (DSK, Germany) Don’t record the entire call, just the part on the contract; and redact payment data (CNIL) Pixelate and blur faces and license plates (Bavaria DPA) Don’t require ID and DOB for purchasing