Data Minimization and Avoiding the Over-Retention of Personal Information

In particular, counsel should:

• Create a list of the various types of data and records the organization is storing, and derive from that a list of what it is unnecessarily storing.
• Establish a system for defensibly disposing of data the organization no longer reasonably needs.
• Implement a process for reducing the amount of digital debris unnecessarily retained in the future and periodically updating that process.
• Regularly review federal and state-specific regulations for changes to data collection, minimization, and disposition requirements (among others) that affect how (and for how long) companies retain personal information.

For resources to help in-house counsel and law firm attorneys manage an organization's records and other data, see the Records Management Toolkit and the Global Records Retention Toolkit.  For more information on the responsible destruction of a nonprofit organization's data, see Standard Document, Records Retention and Destruction Policy (Non-Profits) .

The High Cost of Retaining Digital Debris

Data minimization and the routine, defensible disposition of data are essential to maintaining an organization's information hygiene.  Some types of data are useful for only a short amount of time, while others, such as certain vital corporate records, may have a nearly infinite useful life.  But the vast majority of data reaches a point after some time where it no longer has business value.  When an organization retains data beyond its useful life, the primary question to ask when deciding whether to retain it is whether the business can extract value from it.  The related question is whether the business actually extracts value from it.  The likelihood that an organization accesses aging data decreases exponentially over time.  The data eventually becomes digital debris, which industry experts commonly refer to as data that is redundant, obsolete, or trivial (ROT).

Companies often retain data by default regardless of its business value.  Therefore, digital debris tends to accumulate indefinitely absent a company's affirmative steps to the contrary.  Continued ownership of this debris is a significant and growing business expense at many organizations.  Raw storage space may be cheap, but the total cost of owning enterprise data has increased due to the rising costs of security, labor, migration, maintenance, and other factors.  Even if the trend reverses, the trajectory of growing data volumes is unlikely to subside.

For more information about the cost of over-retention, see Article, Act Now or Pay Later: The Case for Defensible Disposition of Data: The High Costs of Data Over-Retention.

Regulatory Restrictions

The situation is worse than organizations needlessly spending money to retain digital debris.  The unnecessary retention of personally identifiable information, protected health information, payment card industry data, and a host of other consumer, employee, and business information also exposes organizations to potential criminal, civil, and regulatory penalties.  Until recently, most legislative and regulatory activity focused on the relatively established requirements of the records that organizations must keep, such as for tax purposes.  However, regulators now additionally focus on the quickly evolving requirements of:

• The types of data that organizations may obtain and keep.
• How long organizations may keep different types of data.
• The various ways organizations must protect or dispose of this data.

Consequently, organizations not only spend money to store data that lacks value but may also perpetuate latent liabilities that grow more serious with time.

In this regard, the legislative and regulatory environment has shifted in the past several years.  Spearheaded by new data privacy and cybersecurity mandates, organizations are increasingly restricted to:

(See The Advent of Data Minimization Mandates.)

Organizations that stray from these data minimization dictates do so at their peril.  As a result, many organizations now view the defensible disposition of ROT, particularly personal data, with renewed interest and a sense of urgency.

The Rise of Defensible Disposition

Information governance is fundamentally a business function.  The Supreme Court recognized that information governance is a business function when it observed that ordinarily, "it is not wrongful for a manager to instruct his employees to comply with a valid document retention policy, even though the policy, in part, is created to keep certain information from others, including the Government" (Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005)).

Many other courts have likewise recognized that record retention policies serve important and legitimate business purposes (see, for example, Spanish Peaks Lodge, LLC v. Keybank Nat. Ass'n, 2012 WL 895465, at *1 n.3 (W.D. Pa. Mar. 15, 2012) (denying motion for spoliation sanctions based on evidence destroyed under a document retention policy, because credible testimony established that "the document retention policy was implemented for legitimate business purposes unconnected with the current litigation") and Barnett v. Deere & Co., 2016 WL 4544052, at *4 (S.D. Miss. Aug. 31, 2016) (noting that "[t]he court does 'not draw an inference of bad faith when documents are destroyed under a routine policy'") (quoting Russell v. Univ. of Tex., 234 Fed. App'x 195, 208 (5th Cir. 2007))).  For more information on drafting a document retention policy, see Practice Note, Drafting a Document Retention Policy .

The primary purpose of an information governance program is to manage the organization's information in ways that meet the organization's legal and regulatory obligations.  Simultaneously, the information governance program should contribute to the  business's efficiency, productivity, and overall value.  Digital debris impedes these efforts in many ways, such as by making it  difficult for:

Regardless of whether the organization can identify these documents related to a future proceeding, the regulator's question is not whether the organization applied a retention and disposition framework to keep every relevant bit or byte of relevant data.  It instead examines whether the organization's processes were reasonable under the circumstances.  The hallmarks of reasonableness include processes that are sensible, consistent, programmatic, and well-documented. 

Reasonable retention is not an all-or-nothing proposition.  The fact that it is neither practical nor possible for an organization to identify and purge all ROT does not mean that it cannot make significant gains using tactical initiatives targeting particular data stores.  For example, an organization can achieve significant reductions in hard and soft costs simply by:

Bifurcate Information

Most organizations find it useful to bifurcate their information universe into already-existing information and newly created or received information.  Even an organization that cannot address the ROT in its existing information stores can make significant  progress toward reasonable retention by developing and implementing a sound framework for the classification, retention, and  disposition of information that it creates or acquires.

Bifurcating information and implementing the necessary policies, procedures, and technologies for the organization to retain and dispose of information helps it set a course that:

• Collect more personal data than necessary to fulfill some legitimate purpose.
• Keep what they have collected any longer than necessary to serve that purpose.

For more information about the SHIELD Act, see Legal Update , New York Amends Data Breach Notification , Information Security ,  and Identity Theft Prevention Obligations.

Illinois Biometric Information Privacy Act (BIPA)

The Illinois Biometric Information Privacy Act (BIPA) (740 Ill. Comp. Stat. 14/ to 14/99) relates to biometric information and identifiers, such as facial geometry, iris scans, voice prints, and fingerprints.  BIPA applies to private entities that possess biometric  identifiers or information.  It requires these entities to develop a written, publicly available policy that sets:

• A retention schedule for biometric identifiers or information.
• Guidelines for permanently destroying an individual's identifiers or information at the earlier of:
  • after the entity satisfies its initial purpose for collecting the identifiers or information; or
  • within three years of the last interaction between the individual and the entity.

As a parade of class action lawsuits have shown, an organization's failure to comply with BIPA's mandates can result in steep statutory penalties and fee awards (see, for example, In re Facebook Biometric Info. Privacy Litig., 326 F.R.D. 535 (N.D. Cal. 2018)).  The penalties were so devastatingly steep and potentially annihilative that the Illinois General Assembly amended BIPA to limit damages and provide for electronic consent (IL SB 2979, effective Aug. 2, 2024).

For more information about the BIPA, see Practice Note, BIPA Compliance and Litigation Overview.

Furthermore, as the result of an enforcement action instead of private litigation, Texas Attorney General Ken Paxton in 2024 secured a $1.4 billion settlement with Meta (formerly known as Facebook) to stop the company's practice of capturing and using the personal biometric data of millions of Texans without the authorization required by law (Agreed Final Judgment, Texas v. Meta Platforms, Inc., July 30, 2024).

Federal Trade Commission Act

The FTC Act applies to "all persons engaged in commerce."  It prohibits engaging in "unfair methods of competition" and "unfair or deceptive acts or practices in or affecting commerce." (15 U.S.C. § 45(a)(1).)  Although the FTC Act may not sound like a data minimization mandate, the FTC has considered unreasonable data security practices to qualify as an unfair or deceptive practice, including collecting consumer data and retaining it longer than a legitimate business purpose justifies (FTC 2023 Privacy and Data Security Update at 12; also see Penalties for Over-Retention Are Becoming More Prevalent).

The FTC also updated its Safeguards Rule that applies to financial institutions effective as of December 1, 2022, and generally  requires financial institutions to implement procedures to securely dispose of customer information within two years of it last  using that information.  However, financial institutions may keep the information longer for a legitimate business or legal purpose.  (16 C.F.R. § 314.4(c)(6)(i).)

For more information on:

Other Consumer Privacy Laws

To date, 19 US states have adopted comprehensive data privacy laws that are either now in effect or will be effective by January 1, 2026.  Each state's legislation similarly applies to different types of entities and promotes data minimization.  Most state privacy  laws provide that a covered organization must collect only adequate and relevant personal data limited to what it reasonably  needs in relation to the specific purpose for which it processes the data.  Only Rhode Island and Utah's privacy laws do not  include requirements for data minimization or a purpose limitation.

Due to various legislative and regulatory mandates, organizations that fail to practice proper data hygiene, collect too much consumer data, or over-retain this data risk drawing enforcement actions and potentially hefty penalties.   Regulators have  demonstrated a heightened willingness to enforce these data minimization mandates. Several developments that illustrate the  trend include the following:

In April 2024, the federal American Privacy Rights Act of 2024 (H.R. 8188) (APRA) was introduced, which contains similar requirements to the ADPPA. As proposed, APRA-covered entities and service providers are prohibited from collecting, processing, retaining, or transferring personal data beyond what is necessary, proportionate, and limited to provide the requested product or service (or for certain enumerated permissible purposes).  In June 2024, APRA was referred to the House Committee on Energy and Commerce for discussion. (Federal Privacy-Related Legislation Tracker: Omnibus Privacy or Data Protection Bills.)

Data minimization is no longer an aspirational feature of an organization's approach to privacy.  Similarly, data security is not something an organization does only to reduce exposure from a potential data breach.  Data minimization and security have  become an independent obligation that organizations ignore at their own peril.  Now, more than ever, is the time for organizations  to carefully evaluate the records they retain and for what purpose.  They should develop and document processes to ensure data,  especially personal and sensitive data, is disposed of once it no longer serves a business need.

To achieve a healthy information lifestyle, organizations should:

It is also critical that changing practices affecting the retention of personal data are not misaligned with written policies and procedures.  The only thing worse than not having a robust information governance program is having a set of policies and  procedures that the organization does not follow due to confusion or inconsistency.

Two key components of a svelte information profile are to: