What do obscenity and data minimization have in common?

As Justice Potter Stewart famously wrote in his concurring opinion to the U.S. Supreme Court’s decision in the 1964 free speech case Jacobellis v. Ohio, “I know it when I see it.”

Data minimization is coming to CPRA, CPA, CDPA and FTC enforcement. But what does “necessary and relevant” or “adequate and relevant” or “proportionate” mean in real life?

Only collect what is necessary for the purpose.
  1. Know what the purpose is. (“Marketing said so” or “that’s our template intake form” won’t cut it.)
  2. Figure out a process to notify individuals of the purpose and of any new purposes.
  3. Make sure the data is relevant and helpful to accomplishing this purpose. (If you are worried about vandals at your warehouse entrance, you don’t need CCTV in your employee break room; the Commission Nationale de l’Informatique et des Libertés, the Agencia Española de Protección de Datos and pretty much every DPA have said so. If you are logging employee sick days, don’t use those logs to ding their promotion.)
  4. Make sure ALL the data is relevant and helpful and that there is no less privacy-invasive way to accomplish this. (Or if there is, offer it as an alternative.) In other words:
    • Allow a guest checkout instead of a user account (DSK, Germany)
    • Don’t record the entire call, just the part on the contract; and redact payment data (CNIL)
    • Pixelate and blur faces and license plates (Bavaria DPA)
    • Don’t require ID and DOB for purchasing concert tix (Persónuvernd)
    • If you don’t need a continuous smart meter reading, take one once daily (ENISA)
Only retain for as long as necessary for the purpose.
  1. Figure out (with your stakeholders) how long you need to keep the data to accomplish the purpose you already identified (Federal Trade Commission in CafePress).
  2. Figure out whether any data retention laws apply and require you to retain the data for a minimum period.
  3. Even if there are such laws, be granular. Keep only those items which the law requires you to retain, and delete the rest. (No, “my database doesn’t allow this” is not a good reason; Datatilsynet already said so in TAXA.)
  4. Re-assess your data retention period periodically (Israel PPA on Telehealth).
  5. Delete it like you mean it. (Really delete, not just remove from the active server.) You can also anonymize, but really anonymize. (Removing identifiers is not enough.)
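Items 3 and 5 above are the ones engineers most often get wrong, so here is an added example (my own illustration, not from the post or any regulator) of what “granular” retention and “really anonymize” look like in code: a per-field retention schedule that drops every field whose own period has lapsed or that has no documented purpose, and a k-anonymity check showing that stripping direct identifiers still leaves rows unique on indirect ones. The field names, retention periods and sample records are constructed placeholders, not any statute’s actual requirements.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hypothetical field-level retention schedule in days; the periods are
# illustrative placeholders, not any statute's actual requirement.
RETENTION_DAYS = {
    "invoice_no": 365 * 7,     # assumed bookkeeping-law field: keep long
    "invoice_total": 365 * 7,  # assumed bookkeeping-law field: keep long
    "zip_code": 365 * 7,       # kept for tax reporting (assumed)
    "birth_year": 365 * 7,     # kept for age-restricted goods (assumed)
    "email": 30,               # marketing contact: short, purpose-bound
    "ip_address": 7,           # checkout fraud screening, then gone
}

def apply_retention(record: dict, collected_at: datetime, now: datetime) -> dict:
    # Keep a field only while its own period runs; a field with no documented
    # purpose (absent from the schedule) is dropped rather than kept by default.
    age = now - collected_at
    return {f: v for f, v in record.items()
            if f in RETENTION_DAYS and age <= timedelta(days=RETENTION_DAYS[f])}

def is_k_anonymous(records: list, quasi_ids: tuple, k: int) -> bool:
    # "Really anonymized" test: every combination of indirect identifiers must
    # be shared by at least k rows; otherwise rows are still re-identifiable.
    groups = Counter(tuple(r.get(q) for q in quasi_ids) for r in records)
    return all(n >= k for n in groups.values())

def demo() -> dict:
    # Constructed sample records (not real customer data).
    collected = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = collected + timedelta(days=45)   # marketing and IP periods have lapsed
    raw = [
        {"customer_id": "c1", "email": "a@example.com", "ip_address": "192.0.2.1",
         "invoice_no": "INV-1", "invoice_total": 19.99, "zip_code": "10001", "birth_year": 1980},
        {"customer_id": "c2", "email": "b@example.com", "ip_address": "192.0.2.2",
         "invoice_no": "INV-2", "invoice_total": 5.00, "zip_code": "10001", "birth_year": 1991},
    ]
    retained = [apply_retention(r, collected, now) for r in raw]
    # Direct identifiers are gone, yet zip_code + birth_year still single out
    # each person, so this is pseudonymized at best, not anonymized.
    return {"retained_fields": sorted(retained[0]),
            "k2_anonymous": is_k_anonymous(retained, ("zip_code", "birth_year"), 2)}

if __name__ == "__main__":
    print(demo())
```

The second result is the point of item 5: a table that fails the k-anonymity check after identifier removal has not been anonymized and is still personal data under the retention clock.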