California Privacy Rights Act (CPRA) Brings Focus to Data Minimization

Data Minimization

Following California’s implementation of the California Consumer Privacy Act (CCPA), which took effect on January 1st, 2020, the state is setting up the California Privacy Rights Act (CPRA), slated for January 1st, 2023.

The CPRA is an expansion beyond the CCPA and will supersede it once the CPRA is fully effective. The key difference between the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA) is the addition of the data minimization clause.

Similar to the FRCP discovery rules, ESI responsibility is end to end, and in this case means only retaining data for an appropriate amount of time. The CPRA reads “shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary” in the context of when it was collected.

So what is data minimization and why is it relevant? Data minimization is the intentional reduction of data through targeted collection methods, collecting only the data that is necessary. According to the CPRA, “Businesses should collect consumers’ personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.”

Data minimization is a core statute within the EU’s General Data Protection Regulation (GDPR), yet it wasn’t present within California’s data privacy laws until now, through its role in the CPRA. California has been one of the early adopters in setting up data privacy and information governance safeguards, making it a good signaling point of future shifts to come within the data privacy area of law.

The California Privacy Rights Act of 2020, The International Association of Privacy Professionals (IAPP),

“The CPRA Digest: Data Minimization.” Bryan Cave Leighton Paisner, 26 Jan. 2021,