FPF Unveils Paper on State Data Minimization Trends
Today, the Future of Privacy Forum (FPF) published a new paper—Data Minimization’s Substantive Turn: Key Questions & Operational Challenges Posed by New State Privacy Legislation. Data minimization is a bedrock principle of privacy and data protection law, with origins in the Fair Information Practice Principles (FIPPs) and the Privacy Act of 1974. At a high level, data minimization prohibits a covered entity from collecting, using, or retaining more personal data than is necessary to accomplish an identified, lawful purpose.
In recent years, data minimization has emerged as a contested and priority issue in privacy legislation. Under many existing state privacy laws, companies have been subject to “procedural” data minimization requirements whereby the collection and use of personal data are permitted so long as they are adequately disclosed or consent is obtained. As privacy advocates have pushed to shift away from notice-and-choice, some policymakers have begun to embrace new “substantive” data minimization rules that aim to place default restrictions on the purposes for which personal data can be collected, used, or shared, typically requiring some connection between the personal data and the provision or maintenance of a requested product or service. This white paper explores this ongoing trend towards substantive data minimization, with a focus on the unresolved questions and policy implications of this new language.
Part I of the paper identifies the relevant standards: procedural data minimization (the majority rule); substantive data minimization (the rule that is currently law in Maryland and in several sectoral laws); and reasonable expectations (the approach taken by California). The rise of substantive data minimization rules raises a number of challenges and unresolved questions, which are explored in Part II. Some of these questions include the role of consent, what is a “requested” product or service, and what is “necessary” to provide a requested product or service.
For its proponents, this substantive turn promises to better align companies’ collection and use of personal data with consumers’ reasonable expectations. For its detractors, however, this trend threatens to upend longstanding business practices, introduce legal uncertainty, and endanger socially beneficial uses of data. The core of this debate is really the societal value of different uses of data, and whether certain data uses should be allowed, encouraged, discouraged, or prohibited by default, which itself is a proxy for major economic and political decisions with vast societal implications. How these questions are resolved will have significant implications for economic activity and data-intensive business practices, including advertising, artificial intelligence, and product improvement generally. The paper concludes by briefly outlining several options for how to construct a substantive data minimization rule that is forward-looking and flexible.