Data Minimization

In this episode of the PrivacyHuddle, Jonathan and Alysa address data minimization.

Summary

This episode examines data minimization through the lens of consumer protection law, exploring what it means for data collection to align with reasonable consumer expectations. Drawing on IAB guidance and California's framework, the discussion uses the flashlight app as a vivid illustration — a tool that has no legitimate reason to collect location data, and whose privacy policy disclosure of that practice does not cure the problem. The core principle is proportionality: data collection must have a clear nexus to the product or service being offered, and disclosures alone cannot legitimize collection that would shock a reasonable consumer's conscience. The conversation addresses whether explicit consent can serve as a workaround to data minimization obligations — a kind of consent veto that retroactively validates otherwise disproportionate collection. The prevailing view is that regulators will focus first on low-hanging fruit rather than testing the outer boundaries of the law, and that narrow, single-issue, plain-language consent presented transparently is unlikely to draw enforcement scrutiny. Bundled legalese consent, by contrast, fails the informed consent standard entirely. The freemium model raises a related question: if consumers understand that a free product involves their data being sold, does that shift the reasonable expectation calculus — and California's financial incentive framework adds an additional layer requiring affirmative opt-in consent for such exchanges. The episode closes on the tension between data minimization and artificial intelligence, where the value proposition of AI depends on ingesting large volumes of data before determining what is actually useful — the opposite of a minimization approach. The French data protection authority's position is cited: companies must trim data down once they have identified what is useful, even if large-scale ingestion was necessary to get there. 
Practically, this makes data retention the most underappreciated compliance challenge, as most companies lack confidence in their retention practices and policies — a gap that may prove harder to close than many of the more visible obligations under emerging state privacy laws.

Transcript

**Jonathan:** Hey, Alysa. Good morning.

**Alysa:** Hi, JJ.

**Jonathan:** How are you?

**Alysa:** Excellent. How are you?

**Jonathan:** It's been crazy busy in the privacy world.

**Alysa:** When isn't it crazy busy in the privacy world? I mean, really?

**Jonathan:** Hey. So, couple things. I've been obsessed with data minimization lately. I wanted to talk to you about that. And can we take a moment? Just let me quote that. I've been obsessed with data minimization lately, end quote. I don't think anybody has ever been caught saying that out loud, but let's go with it.

**Alysa:** No. And don't tell anybody that I said that, by the way.

**Jonathan:** You do it all the time. Vermont is the other thing. Right? Like, is it at the point today where the governor has to veto or sign?

**Alysa:** Today is the day. So I am refreshing my page periodically to see, is there a press release? We'll see. But so far, last time I checked, he has not signed it or has not at least given notice that he signed it.

**Jonathan:** Gotcha. Oh, it's gonna be an interesting one. Yeah. I'm with you that we probably need to find a life outside of this. Hey. So on data minimization, we're seeing through some IAB sessions. We're unpacking those. We're having good discussions about all kinds of different pieces to it. One of the things that IAB shared is a nice little flowchart on how to think about it, right, relative to all the state laws, but specifically kind of starting with California. One of the things I thought was really interesting was this idea that does the consumer reasonably expect this level of data collection for the thing that you're doing? And so, I mean, this reasonable expectation — is there some kind of foundation in the law on what a reasonable person does in this context when it's about using data generally?

**Alysa:** Oh, it's such a challenge because I think we start off with consumer protection. It's what does a reasonable consumer expect, period. And usually, you start with, well, in the advertising world, it's, well, what did you say? And what is the context of what you said? And I think in the privacy sphere, it's what is the relationship, what is the exchange with the consumer, what product or service, for example, or how else they're engaging with you, that the kind of data that you're collecting, it's not gonna shock the conscience. They expect there's a nexus to how and why they're engaging with you. Right? That is the reasonable expectation, and then your privacy policy or notices help cement that. But the newer trend that we're thinking about in terms of data minimization is, well, it still has to be proportionate. So you can't do the all-you-can-eat buffet bar and say, I put it in the privacy policy. We're good. But that is such a harder question when you take out the extremes. Right? The flashlight example — well, you shouldn't need your location or your Social Security number to have a flashlight at work. But how close? Right? What is that nexus? How tight does that nexus need to be to be proportionate and compatible with reasonable expectations, particularly when you think about how companies innovate and use data — like today you buy a product, but the next version of that product or a companion product probably does need some amount of data to be able to be created. That order of operations is important. Right? And I think it's a lot of common sense. I don't know how you legislate common sense, but that flashlight example you gave is a perfect one. You've got a flashlight app on your phone. Should that be collecting location data? Like, just ask any reasonable person, and they say, well, I wouldn't think that that would happen. And then in terms of your operations, you can't disclose that away. Like, if you said, well, I'll put that in my policy that I do that with my flashlight app. Doesn't quite fix things. Right?

**Jonathan:** Is that the right way to — well, that's right. And that is not a new concept in consumer protection law. You can't bury things that are material in terms and conditions or a privacy policy. If something is important, right, it's going to be important to a consumer, that needs to be brought forward more. It needs to be much more prominent so that a consumer actually understands before they make a decision that would be impactful. And then is there this consent veto where it's like, oh, well, we did all that, but now actually we went and got consent for it?

**Alysa:** Another good question. There's the what is academic or what is in theory with these new laws and what is going to be in practice. So the concept in these laws is you can't just get consent for anything and everything. But if we think about that, what does it mean to have informed consent under these laws — it's really near impossible to do a whole bundled legalese consent. That's not gonna be consent. We're talking more on single issues, very specific, user-friendly consent. So I have a hard time seeing a regulator really enforce something that is very focused and limited and presented in plain language — they're gonna say that went over the line? Because I don't think companies are gonna do that. So I think we're still in terms of what are these creative, imaginative versions of this that really challenge the law on whether it could be held up — I think we're a ways away. I think there's the low-hanging fruit, and there's plenty of low-hanging fruit type issues that we're gonna see the regulators focus on first.

**Jonathan:** Gotcha. Yes. Well, but if we can have a little bit more fun — like, some of the interesting examples here are, like, a lot of free products, free technology products. I mean, you know the old saying, right, if it's free, you're the product. And one of the things I wonder about is we saw it with social media. Right? It was free, but your data was getting sold. Okay. Does that mean now that consumers expect when they see a free product that they are the product? And then, actually, that means that they should reasonably expect their data to be sold. But it gets into some really interesting use cases.

**Alysa:** It absolutely does. And particularly when you layer on a lot of these laws — you mentioned California — have a concept there for the freemium products on what is a financial incentive and having to get opt-in consent when one is exchanging their data in return for some type of specific benefit. And so if you have this affirmative obligation to get affirmative consent, are you gonna then come after and say, well, that consent's invalid because you can't get consent for that? I don't think so. Right? That it's a secondary use and it's not proportionate. I have a hard time seeing all the aspects of the law hold up with that kind of challenge.

**Jonathan:** Gotcha. Now with AI, I think it's kind of interesting because, like, for me, when I think about how AI drives value, you throw a ton of data at it at a specific problem. It analyzes all of that, comes back and says, here's the part that was probably useful, and here's kind of the answer. So it seems like a data maximization strategy rather than data minimization. Like, how do you reconcile that with principles like data minimization when you're using data for AI?

**Alysa:** Right. Well, you can tell the regulators are dealing with the easier issues first. They put out the guidance on — you can't change your privacy policy to account for AI ingestion and then retroactively apply it to data you already collected without meaningful consent. So, of course. But then the question that they haven't addressed is if there's a value exchange to a consumer, if they are giving their data to help train models, but they know it and they're getting some clear benefit in return, why wouldn't that be okay? And I think it just goes to that question of, is there a value exchange? Does the consumer know that that is what they are providing, or is it more passive in the back end and it's not within their expectations? And look. The market is pretty mixed now on how that's actually occurring.

**Jonathan:** Gotcha. You know, I've been thinking about the eight OECD principles that were the basics of GDPR, data minimization being one, and wondering if all of those, especially data minimization, still work in a world with AI. And I had heard through an analyst that the French regulator has something on this where they talked about preserving data minimization in AI. And one of the ways that they suggested they're gonna enforce it is to say, we get it that you're throwing a ton of data against a specific problem. But as soon as you understand the data that's useful, you gotta trim. And I don't know how you actually do that, by the way, or get to pulling data out. I think retention is the wild card. I really do. Like, we talk about all these other concepts, but do a survey of how confident companies feel about their retention practices and policies — and that is a hard nut to crack.

**Alysa:** That's a good one.

**Jonathan:** Okay. Alysa, thanks. I'll let you go back to refreshing your screen on Vermont, and I'll do the same. Thank you.

**Alysa:** Nice seeing you.
