Data minimization is not addressed by most privacy laws in the United States and was not mandated by the CCPA. Privacy laws in the United States that do touch upon data minimization recommend it as a best practice or as a condition for achieving a safe harbor from allegations of improper security. However, unlike the CCPA, the CPRA appears to contain a data minimization requirement. The data retention language of the CPRA is similar to the language contained within the European GDPR which permits a company to retain personal data for “no longer than is necessary for the purposes for which the personal data are processed.” Read more.
Compliments Greenberg Traurig