The European GDPR permits a company to collect only that information which is “adequate, relevant and limited to what is necessary in relation to the purposes” for which the information is to be processed.[1]  As a result, a company arguably is not permitted to collect personal data that is not “necessary” for a specific processing purpose.  The requirement that a company limit the type and quantity of information that it collects is often referred to as “data minimization.”

Data minimization is not addressed by most privacy laws in the United States, and it is not mandated by the CCPA.

Unlike the CCPA, the California Privacy Rights Act of 2020 (the “CPRA”) – which will be on the ballot in California in November – purports to contain a data minimization requirement.  The CPRA states that a “business’ . . . collection [and] use” of a consumer’s personal information shall be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . . .”[2]  The CPRA further states that a business “shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary” for the purpose for which it was collected.[3]

[1] GDPR, Article 5(1)(c).

[2] Proposed 1798.100(c).

[3] Proposed 1798.100(a)(4).