On March 16, 2023, the French Data Protection Agency (the “CNIL”) imposed a fine of € 25,000 on the company CITYSCOOT in connection with a finding that CITYSCOOT failed to comply with the obligation to ensure data minimization, as required by Article 5.1.c of the GDPR. The facts that led to the judgment included a finding that during the short-term rental of a scooter, CITYSCOOT would collect (and store) the vehicle’s geolocation data every 30 seconds. CITYSCOOT maintained that the information was being processed and stored for four reasons: (1) processing of traffic offenses; (2) processing of consumer complaints; (3) user support (to call for help if a user falls); and (4) management of claims and thefts. The CNIL found that none of these purposes justified the collection of geolocation data in such detail as that carried out by the company, and that CITYSCOOT’s practices were very intrusive on the private life of users.
“What exactly does data minimization require” could become a hot topic for U.S. privacy litigation in the coming years, particularly given that the majority of U.S. states that have adopted general privacy laws thus far have required data minimization by statute. (The Iowa Consumer Data Protection Act (ICDPA) does not have a statutory data minimization requirement.) For example, under the California Privacy Rights Act (CPRA) any information collected must be “reasonably necessary and proportionate to either the purposes for which it was collected or another disclosed purpose” similar to the context under which it was collected.” Similarly, the Virginia Consumer Data Protection Act (VCDPA) expressly provides a Data Minimization requirement, which it defines as an “[o]bligation to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.” The Colorado Privacy Act (CPA) provides that “[c]ontrollers must assess and document the minimum types and amount of Personal Data needed for the state processing purposes.” The Connecticut Data Privacy Act (CTDPA) provides that controllers must “[l]imit collection of personal data to what is adequate, relevant, and reasonably necessary for the specific purpose(s) for which the data is processed (also known as “data minimization”).” The Utah Consumer Privacy Act (UCPA) mentions “purpose specification and data minimization” among the responsibilities of controllers.
In view of the enforcement of “data minimization” in Europe and the nearly universal adoption of “data minimization” obligations in the United States, it would behoove any business to regularly evaluate not just what types of data it is collecting, but also how much and how frequently it is collecting it. Also, as part of annual privacy mapping and updating of privacy policies, it is a good idea to ensure that the identified “purposes” for collecting data continue to be accurate and complete.
Rothwell Figg remains committed to assisting its clients with all of their privacy needs, including not just updating policies and contracts, but also consulting with businesses on “best practices” for data management. Also, because our privacy team is highly technical and comprised of experienced litigators, we are ready should complex questions, security breaches, or litigation arise.