Skip to content


Data minimization is not addressed by most privacy laws in the United States and was not mandated by the CCPA. Privacy laws in the United States that do touch upon data minimization generally do not require it; instead, they recommend it as a best practice or as a condition for achieving a safe harbor from allegations of improper security. For example, the New York Shield Act considers a business to be “deemed to be in compliance” with the requirement it develop reasonable safeguards to protect certain information if, among other things, the business “disposes of private information within a reasonable amount of time after it is no longer needed for business purposes….”[1]

Unlike the CCPA, the CPRA appears to contain a data minimization requirement. Specifically, the law states:

A business shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary for that disclosed purpose [for which it was collected].[2]

The data retention language of the CPRA is similar to the language contained within the European GDPR which permits a company to retain personal data for “no longer than is necessary for the purposes for which the personal data are processed.”[3]

The requirement that a company keep information for the least amount of time needed is often referred to as “storage limitation” and, by many privacy advocates, falls within the larger rubric of “data minimization.’

[1] New York Bus.Law § 899-bb(2)(a), (b)(ii)(C)(4).

[2] CPRA, 1798.100(a)(3).

[3] GDPR, Article 5(1)(e).