Data collection is a ubiquitous practice in modern business, with companies collecting personal information to deliver products and services, engage in targeted marketing, and offer exceptional customer service (among many other things). At the same time, consumers have become painfully aware of the risks that come with trusting businesses with their data. Someone suffers identity theft every 22 seconds, according to identitytheft.org, with the average cost being $500.
Practicing data minimization remains a crucial tool in reducing the risk to consumers who provide information to your business. It also reduces risk to your business by limiting your exposure to fines and reputational damages if things go wrong. So, let’s delve into what data minimization looks like in practice.
Data Minimization Defined
Data minimization is a principle of privacy and security that involves collecting the minimum amount of personal data necessary to achieve a specific purpose.
Adopting data minimization requires businesses to avoid over–collecting data. To do this, simply don’t (or stop) collecting data that you do not need or that isn’t relevant.
Data Overcollection Comes with Significant Risks
Beyond the potential increased costs associated with a data breach, data overcollection may also lead to decreased consumer trust. Several factors drive this – and any one factor can negatively impact consumer trust, reduce loyalty, and drive down sales. Some of the drivers are that consumers:
- Worry their identity may be stolen;
- See your business as greedy – caring more for its data (and the potential profit) than consumer safety;
- Feel that the business isn’t being transparent; or
- Perceive a loss of control over their data.
Where Data Overcollection Went Wrong
The risks associated with data overcollection aren’t just hypotheticals put forward by risk-averse lawyers. There are countless real-world examples of data over–collection resulting in real consequences.
- The Cambridge Analytica scandal is the highest-profile example.
- The Marriot data breach in 2018 resulted in a $23 million (USD) fine and a 5.6% decrease in its premarket stock price. The hackers exfiltrated information about hundreds of millions of guests, including credit card information and unencrypted passport information.
- The Flo Period app penalty and the recent FTC penalty against GoodRx are examples of where companies collect data and then sell it to advertising companies without disclosing this use to consumers.
Practical Steps to Implement Data Minimization
Here are five practical steps you can take to implement data minimization:
- Identify the types of personal data and sensitive information you collect. We’ve outlined previously that data maps are the foundation of a privacy program. It’s essential that you know and understand what data you collect, and why.
- Document your purpose for collecting each type of data.
- Evaluate whether it is truly necessary to collect and store these types of data. An essential part of this is considering whether there are alternatives to collecting and storing it. For instance, you may not need to collect a physical address, email address and phone number to facilitate a delivery. Perhaps just two of those categories will suffice. Resist the temptation to collect (and keep) data that might be useful down the road. You can’t lose what you don’t have.
- Implement data retention policies to ensure you keep data only as long as you need it. You should judge this based on the reason you initially collected the data, not potential future uses for it.
- Regularly review your data collection policies and practices. It’s a good practice to audit your data collection practices routinely, but the following events should also act as a prompt:
- Any change in the law.
- A data breach.
- Significant changes to your operations.
- Mergers or acquisitions.
- An increase in customer complaints or requests to access or delete their data.
If your business would benefit from implementing data minimization, reach out. Our privacy attorneys would love to help.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.