FPF Reveals Document Outlining Trends in Minimizing State Data Collection
A new paper published by the Future of Privacy Forum (FPF), entitled "Data Minimization's Substantive Turn: Key Questions & Operational Challenges Posed by New State Privacy Legislation," explores the shift toward substantive data minimization in U.S. privacy laws. The paper treats this shift as a significant development that raises several key challenges and open questions.
1. Defining the Scope of Necessary Data Collection
Laws increasingly require controllers to collect only the data that is reasonably necessary and proportionate to the purposes disclosed to consumers. Striking the right balance between collecting enough data for business needs and limiting collection to minimize privacy risk remains complex. For example, Connecticut’s amendments limit data collection to what is “reasonably necessary and proportionate,” replacing the earlier “adequate, relevant and reasonably necessary” language.
2. Handling New or Changing Data Processing Purposes
If data controllers want to process personal data for any new purpose not originally disclosed to the consumer, they must assess whether this new purpose is “reasonably necessary” or “compatible” with the original purpose. This includes considering consumer expectations, the relationship between the new and original purposes, the impact on the consumer, and additional safeguards like encryption.
3. Consent vs. Minimization Trade-Offs
Different laws vary in requiring either consent, data minimization, or a combination. For example, Washington’s “My Health, My Data” Act requires consent or data minimization for health data collection, with strong definitions of consent. Laws allowing entities to choose between consent or minimization can be weaker, as businesses may prioritize profit over privacy by opting to collect more data under a consent framework rather than minimize.
4. Regulatory Complexity and Enforcement
New requirements include detailed obligations such as creating data inventories, limiting collection, and immediate deletion of sensitive data upon revocation of consent. These impose operational burdens on businesses to update data governance frameworks and compliance programs.
5. Balancing Consumer Rights and Security Risks
Legislators are grappling with how to balance consumers’ rights to access their personal data against risks of exposing sensitive information such as Social Security numbers or biometric data. For example, Connecticut’s amendments prohibit disclosure of certain sensitive data in responses to access requests, instead requiring controllers to inform consumers that such data was collected without revealing the actual data to reduce security risks.
6. Extending Protections to Automated Profiling and Decision-Making
Legislative changes also expand the scope of profiling rights to cover any automated decisions that produce significant legal or similar effects, including decisions made on behalf of the controller by third parties. This raises questions about how to regulate complex algorithmic processing in ways consistent with minimization principles.
In summary, the substantive approach to data minimization in U.S. privacy laws challenges lawmakers and businesses to precisely define what “reasonably necessary” means in context, manage evolving use-cases without overstepping initial consumer expectations, decide the appropriate interplay between consent and minimization, implement practical controls and transparency mechanisms for data collection and deletion, protect consumers’ sensitive data while delivering meaningful access rights, and address the complexity of automated decision-making under the minimization framework. These challenges highlight the evolving nature of privacy regulation, aiming to better align data practices with consumer privacy expectations and risk reduction in an increasingly data-driven environment.
The paper outlines several options for constructing a substantive data minimization rule without endorsing any one of them. Proponents argue that this trend could align companies' data collection and use with consumers' reasonable expectations, while opponents raise concerns about disrupting longstanding business practices, introducing legal uncertainty, and threatening socially beneficial uses of data. The core of the debate is the societal value of different data uses: which should be allowed, encouraged, discouraged, or prohibited by default.
- The paper discusses the concept of reasonable necessity in the context of data collection, where laws require controllers to limit data collection to what is necessary and proportionate.
- When data controllers wish to process personal data for new purposes, they must assess whether these new purposes are compatible with the original ones, considering factors like consumer expectations, the relationship between new and original purposes, and additional safeguards.
- Different laws present choices between obtaining consent, implementing data minimization, or combining both for personal data collection. This raises concerns about businesses prioritizing profit over privacy by opting for the consent framework rather than minimizing data collection.