ClearLaunch
Feature CheckerRegulations & PoliciesEnforcementRadarVendorsChangelogGuides
FAQ
← All Controls

Data minimization documentation

data-minimization-docDomain: data-privacyType: policy

Description

Data minimization is the GDPR Article 5(1)(c) principle that has propagated into LGPD, CPRA, the Quebec Law 25 framework, and the contemporary read of FTC Section 5 unfairness: collect only what is necessary for the stated purpose, and keep it only as long as that purpose is live. Operationalizing the principle requires per-data-category documentation: for each field collected (each form field, each event property, each identifier), the necessity case has to be documented in the form of why this data is needed for the stated purpose, what would happen if it were not collected (the counterfactual is the regulator's preferred test), and what the lawful basis for the collection is. Minimization is read against a moving target: regulators evaluate necessity against current state-of-the-art, so a field that was justifiable when the product launched may stop being justifiable as alternative architectures (privacy-preserving analytics, on-device processing, differential-privacy aggregation) become standard. Annual review of the minimization documentation against the current architecture tends to be the operative cadence; programs that file the document once at launch and never revisit it are the recurring pattern in enforcement actions.

Required by (7 regulations)

  • CA AADC

    Cal. Civ. Code §§1798.99.28-1798.99.40 (AB 2273, 2022)

  • GDPR

    Article 5(1)(c) — data minimization principle; Article 25 — privacy by design.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • LGPD

    Article 6 § III — necessity principle.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • MODPA

    Md. Code Ann., Com. Law §§14-4601 to 14-4616

  • PIPA

    Personal Information Protection Act (Act No. 10465, enacted March 29, 2011; last wholly amended by Act No. 19234, effective September 15, 2023)

  • PIPEDA

    S.C. 2000, c. 5 (Personal Information Protection and Electronic Documents Act)

  • Singapore PDPA

Fulfilled by (4)

  • In-house build · medium effort
  • onetrust · partial · medium effort · $$
  • bigid · partial · medium effort · $$$
    Data discovery + classification for minimization assessment.
  • securiti · partial · medium effort · $$$
    Privacy-ops platform with data-minimization workflows.

ClearLaunch does not accept payment from vendors. Methodology.

Evidence formats

  • data inventory
  • purpose-by-field mapping
  • design-review notes

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

ClearLaunch

Regulatory intelligence for people who ship products.

Tools
Feature CheckerRegulations & PoliciesVendorsGuidesFor LegalFor EngineeringFor ExecutivesFor Investors
About
AboutMethodologyChangelogFAQRegulatory UpdatesClearLaunch on LinkedIn
Legal
Terms of ServicePrivacy PolicyHow we handle your dataCoverage scope & limitations

Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions. Operated by a Washington-licensed attorney. Not licensed in California or other US states. ClearLaunch provides legal information; consult a licensed attorney in your jurisdiction. Data reviewed through March 2026. Methodology

© 2026 ClearLaunch · Terms · Privacy