Start Planning for Data Minimization Under the CPRA

Just when we were getting used to the idea of the California Consumer Privacy Act (CCPA), a new law was passed in November 2020, which will supercede it. Fortunately, there is time to prepare since the California Privacy Rights Act (CPRA) won’t be fully operative until January 1st, 2023. CCPA, CPRA, what’s the difference?

One of the tenets of Europe’s General Data Protection Regulation (GDPR) is a data minimization clause stating that personal data collected, stored, and used by companies must be limited to only that which is relevant, adequate, and absolutely necessary. The CCPA did not have a data minimization clause, but the new CPRA does. So what does this mean?

As the eDiscovery Blues cartoon which accompanies this blog points out, it isn’t exactly cut and dry. The exact language of the CPRA states a business “shall not retain a consumer’s personal information or sensitive personal information… for longer than is reasonably necessary.” In the same way that “reasonableness” under the Federal Rules of Civil Procedure (FRCP) rule 37(e) is interpreted by the courts, I can foresee the same happening for the CPRA. So until that takes place, what can organizations do to prepare their IT, Legal, and Compliance departments for the inevitability of data minimization?

First, if your company doesn’t have a data map already, now is the time to begin. For a great review of things to consider in that process, read Doug Austin’s article The 5 W’s of Organizational Data Maps which leaves readers with these 5 questions organizations should keep in mind when it comes to their data:

  • What data is being stored?
  • Where is it being kept?
  • When do we need to keep/destroy it?
  • Who is responsible for the data?
  • Why are we keeping/tracking it?

After you have all of your data mapped, a next step would be to establish a records retention program in order to ensure compliance and protect electronic business records from unauthorized exposure, alteration, or destruction.

To help reduce risks and increase adherence to legal and regulatory guidelines, companies should adopt the 3Es of electronic record management:

  • Establish effective policies and procedures governing Nonpublic Personal Information (NPI), Personally Identifiable Information (PII), and other business records.
  • Educate employees about record risks, organizational rules, and individual responsibilities.
  • Enforce policies through a combination of disciplinary action, training, and best-in-class technology solutions designed to manage content, use, and records.

Yes, it may seem like a long time before the CPRA becomes active, or you may not fall under its jurisdiction (though the chances of your company doing business with a citizen of California is not a longshot), but good information governance and data retention policies and programs take time to put together. They also require the right technology to enable the successful execution of these programs. So an early start, in this case, might mean you are compliant just in the nick of time.