To date, there have been no publicly announced enforcement actions based specifically on a violation of data minimization principles. The law leaves the definition of “requested by the consumer” ambiguous, but it would seem to mean that a business can only collect sensitive data from a Maryland citizen if that person explicitly asks for or agrees to receive a product or service. Under MODPA, sensitive data must be “strictly necessary to provide or maintain a specific product or service requested by the consumer.” The Maryland Online Data Privacy Act (MODPA), which goes into effect on Oct. 1, has a tougher data minimization requirement than any other US state privacy law on the books to date. Even so, data minimization as a basic and fundamental requirement in the US is coming into greater and greater focus. Still, there are several important unanswered – and perhaps unanswerable – questions about implementing data minimization principles.
For example, France’s data protection authority, the Commission nationale de l’informatique et des libertés, has issued several decisions regarding the simplified sanction procedure introduced in 2022 and on the basis of noncompliance with the data minimization principle in cases concerning the permanent geolocation and continuous video surveillance of employees. In addition to the data minimization principle, and separate but related data accuracy and storage limitation principles in GDPR’s Article 5(1)(d) and (e), organizations must identify a “legal basis” for all data processing activities — under Article 6, supplemented by Article 9, as far as special categories of data are concerned. The GDPR’s data minimization principle states personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed,” but does not define those terms. Depending on the outcome of an initial assessment, a deeper dive may be required, and activities may need to be restricted by jurisdiction. To stay compliant, organizations should establish and reinforce internal messaging that all data processing activities must be reviewed with a data minimization lens.
The European Union’s General Data Protection Regulation (GDPR) first launched the concept of data minimization, which states that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. We will not know whether substantive data minimization truly offers something new until these requirements go into effect and are publicly enforced. Maryland has broken new ground by enacting its law with new, stricter data minimization language. Under the procedural data minimization standard, controllers maintain significant control to shape the bounds of legitimate processing via their disclosures, but enforcers still have some leeway to “second-guess” whether processing activities are beyond the bounds of what was disclosed, as the FTC has done for decades. The challenge of scoping data minimization applies to all substantive data minimization rules, whether that be Maryland’s privacy law, the ADPPA, the APRA or something else.
- EPIC is happy to work with any policymakers interested in data minimization rules and frameworks.
- Kiteworks’ secure storage features also contribute to data minimization by ensuring that data is securely stored and only accessible to authorized individuals.
- To meaningfully protect privacy, laws and regulations should include real data minimization protections like those found in the GDPR, the CCPA, Maryland’s Online Data Privacy Act, and proposed federal legislation.
Start with Security: A Guide for Business
- Because disclosure is still an important factor in that test, this rule is between procedural and substantive data minimization.
- These rules often predate the term “data minimization” but enforce the same underlying principle.
- The CCPA incorporates strong data minimization requirements to protect Californians from harmful overcollection of personal information, out-of-context impermissible secondary data uses, and excessive data retention.
- This is not just good practice—it’s required under Section 5(1), which mandates that every consent request must be accompanied by a notice outlining what data is collected and why.
- It is no surprise that as U.S. states began enacting comprehensive privacy legislation in the absence of federal action, these new laws tended to include data minimization requirements with language similar to the GDPR.
Any data minimization program that lacks a litigation hold override is fundamentally incomplete. An organization with a well-designed automated deletion system can accidentally destroy evidence it was legally required to keep. The IRS requires businesses to retain income tax records for at least three years from the filing date, but that baseline extends significantly in certain situations. Under GDPR Article 35, a Data Protection Impact Assessment is mandatory before any processing that is “likely to result in a high risk to the rights and freedoms” of individuals.
These practices violated the CCPA’s purpose limitation and data minimization requirements, added in 2023, that impose common sense limitations on when and how businesses use, retain, and share data with third parties. Additionally, GM sold consumers’ data to Lexis and Verisk without customers’ knowledge or consent, despite an internal privacy compliance program that required GM to inform consumers how their personal information would be used and the third parties that may receive it. Article 70 of the EU AI Act calls for “facilitating audits of the AI systems with new requirements for documentation, traceability and transparency” and recognizing the need for collection and confidentiality of data required for such audits. The California Privacy Rights Act is one of the most stringent privacy laws in terms of data minimization requirements — emphasizing the need to limit unnecessary data collection and restricting data processing to a short list of accepted purposes. In California, the California Privacy Rights Act, set to take effect on January 1, 2023, amends the California Consumer Privacy Act (CCPA) and adds data minimization to its obligations for businesses.
- This guide helps privacy professionals develop and maintain data minimization programs that support business goals and protect privacy.
- Retail organizations balance extensive customer data collection for personalization with data minimization requirements.
- Given that biometric data remains sensitive data under the CPA, these changes increase when data protection assessments are required, particularly where biometrics are used for identification or in high-risk contexts.
Recent Documents on Data Minimization
These permitted purposes include things like protecting data security, complying with legal obligations, conducting market research, and preventing and responding to fraud. The passage of Maryland’s privacy law represents another significant milestone in the rise of data minimization. Controllers can only collect, process or share sensitive data when it is strictly necessary to provide or maintain a requested product or service, and Maryland’s privacy law prohibits selling sensitive data entirely. Maryland’s privacy law includes heightened data minimization requirements for sensitive data. Controllers must limit collection of personal data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.”
The FCC and T-Mobile entered into a consent decree following several breaches that caused T-Mobile customers’ customer proprietary network information and personal information to be exposed. EPIC regularly filed comments with the Commission regarding its proposed consent orders, applauding the Commission for including data minimization principles and pushing for the strongest possible requirements in final orders and future enforcement actions. In a 2021 report, What the FTC Could Be Doing (But Isn’t) to Protect Privacy, EPIC pushed the Commission to use all of its authorities to establish strong privacy protections for consumers, including data minimization requirements. It required the company to direct third parties to delete customer health data and limit the future collection and retention of customer health information. The proposed order in GoodRx permanently prohibited the company from sharing health information for advertising purposes with applicable third parties and it required user consent before sharing health information with applicable third parties for other purposes. In several of its recent enforcement actions, the FTC has incorporated data minimization requirements into consent orders.
