Recently, Marriott resolved a major data breach investigation with the Federal Trade Commission (FTC) and several state attorneys general, resulting in more than $50 million in penalties. In addition to the hefty financial penalty, the settlement led to significant compliance changes at Marriott, emphasizing the critical need for data minimization practices as part of a robust privacy compliance framework.
Understanding Data Minimization
Data minimization is a fundamental privacy principle, long established in the General Data Protection Regulation (GDPR) in Europe and increasingly adopted in state privacy laws across the United States. Simply put, data minimization means collecting only the data necessary for a specific processing purpose and retaining that data only as long as needed. For example, Colorado’s Privacy Act requires collected data to be necessary, adequate, and relevant.
Key Questions for Data Minimization
When implementing data minimization, consider these three essential questions:
- Why do we need the data? Assess the processing purpose and goals, which could range from providing a product or service to better targeting marketing initiatives. These goals should be clearly stated in your privacy policy and communicated to consumers at the time of data collection.
- What data do we actually need? Identify the specific data elements required to achieve the stated goals. Often, companies collect excessive data – especially when purchasing third-party data sets which often include many more data points than are actually needed – leading to unnecessary retention of irrelevant consumer information.
- How long should we retain the data? Determine the appropriate retention period for the data. Bear in mind that “just in case we need it in the future” is not a valid reason to retain data indefinitely, a practice that vastly increases the risk of exposure during a data breach. Establish clear record retention cycles and data purging protocols to mitigate this risk.
The Risks of Excessive Data Retention
Holding onto data without a clear purpose or retention plan not only violates data minimization principles but also exposes companies to greater risks in the event of a data breach. The more data stored, the more potential for exposure.
As businesses navigate their data collection and usage practices, keeping the data minimization principle in mind is crucial. It not only ensures compliance with evolving privacy laws but also reduces risks associated with data breaches. Minimizing data collection and retention is not just a legal requirement in many states—it’s a strategic approach to safeguarding your business and your customers.
For further guidance on data minimization and privacy compliance, feel free to reach out. We’re here to help.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.