{
    "componentChunkName": "component---src-templates-post-js",
    "path": "/blog/california-data-minimization-requirement",
    "result": {"data":{"allPrismicBlogpostpage":{"edges":[{"node":{"uid":"california-data-minimization-requirement","type":"blogpostpage","lang":"en-gb","id":"15e5fae8-c923-5b1c-8dad-585c83c92195","alternate_languages":[],"data":{"activate_public_scanner_cta_header":false,"metadescription":{"text":"Learn California data minimization requirements under CPRA. Understand purpose limitation, data collection rules, and how to implement compliant data practices."},"metatitle":{"text":"CPRA Data Minimization: California Requirements Explained"},"categories":[{"is_pilar_page_":true,"table_of_content_title":{"richText":[]}}],"backgroundpreview":{"alt":"secure privacy logo","url":"https://secure-privacy.cdn.prismic.io/secure-privacy/6b014258-aa3b-49d3-9bf0-fc6cfafbd2b7_logo-technology.svg?ixlib=gatsbyFP&auto=compress%2Cformat&fit=max&q=45"},"title":{"text":"California Data Minimization Requirement: What CPRA Requires in Practice"},"preview":{"alt":null,"url":"https://images.prismic.io/secure-privacy/afC6rcBOoF08xX8x_ccpa.png?ixlib=gatsbyFP&auto=format%2Ccompress&fit=max&q=45"},"date":"2026-04-29","canonical":{"text":"https://secureprivacy.ai/blog/california-data-minimization-requirement"},"body":[{"id":"ca44c8e8-58cd-5c6e-af03-fe42a9c0bdeb","slice_type":"text","primary":{"text":{"richText":[{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The California Privacy Protection Agency issued its first enforcement advisory in April 2024 specifically on data minimization, signaling that it considers this principle not a background obligation but an active enforcement priority. The advisory's author, CPPA Deputy Director of Enforcement Michael Macko, stated plainly: \"We intend for our enforcement advisories to promote voluntary compliance, but sometimes stronger medicine will be in order — we won't hesitate to act when necessary.\" That is a regulator telling you to audit your data collection practices before it does.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading4","text":"TL;DR","spans":[{"start":0,"end":5,"type":"strong"}],"direction":"ltr"},{"type":"list-item","text":"CCPA Section 1798.100(c), added by the CPRA amendments, requires that a business's collection, use, retention, and sharing of personal information be \"reasonably necessary and proportionate\" to the purposes for which it was collected.","spans":[],"direction":"ltr"},{"type":"list-item","text":"The standard has three dimensions the CPPA regulations define: the minimum data necessary for the purpose, the potential risks to consumers from the collection, and the existence of additional safeguards to address those risks.","spans":[],"direction":"ltr"},{"type":"list-item","text":"Data minimization is not just a collection rule — it governs use, retention, and sharing simultaneously. Data collected lawfully for one purpose cannot be repurposed for an incompatible one.","spans":[],"direction":"ltr"},{"type":"list-item","text":"Sensitive personal information triggers heightened handling requirements and a specific consumer right to limit its use beyond primary purposes.","spans":[],"direction":"ltr"},{"type":"list-item","text":"Penalties reach $2,500 per unintentional violation and $7,500 per intentional violation, assessed per consumer — a structure that makes systemic over-collection extremely expensive when multiplied across a large consumer base.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"}]}}},{"id":"e18aa5ec-3509-51c6-b539-a0c26cd0059d","primary":{"cta_options":"CTA Header","blog_page_cta_button_link":{"url":"https://deft-thinker-159.kit.com/privacy-by-design-checklist"},"blog_page_cta_button_text":{"richText":[{"type":"paragraph","text":"Download Your Free Privacy by Design Checklist","spans":[],"direction":"ltr"}]},"cta_header_title":{"richText":[]},"cta_header_description":{"richText":[{"type":"paragraph","text":"Prioritizing user privacy is essential. Secure Privacy's free Privacy by Design Checklist helps you integrate privacy considerations into your development and data management processes.","spans":[],"direction":"ltr"}]},"logo":{"url":"https://images.prismic.io/secure-privacy/ZiJ6NfPdc1huKpCp_Group481491.png?ixlib=gatsbyFP&auto=format%2Ccompress&fit=max&q=45","alt":null}},"slice_type":"blog_details_page_cta_button"},{"id":"632baa60-f55d-563a-a7f2-632d91442945","slice_type":"text","primary":{"text":{"richText":[{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading2","text":"What \"Reasonably Necessary and Proportionate\" Actually Means","spans":[{"start":0,"end":60,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The statutory language of CCPA Section 1798.100(c) is the starting point: a business's collection, use, retention, and sharing of personal information \"shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected.\"","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The CPPA's regulations (11 CCR § 7002) translate this into an operational three-part assessment. First, the minimum personal information necessary to accomplish the identified purpose is obtained — not the maximum useful, not everything that might someday prove valuable, but the minimum the purpose actually requires. Second, the possible negative impacts to consumers posed by the collection are weighed against the purpose. A business collecting precise geolocation data faces a higher proportionality bar than one collecting a shipping address, because geolocation can reveal sensitive health, religious, or political information about the consumer through their movement patterns. Third, the existence of additional safeguards — encryption, access controls, retention limits — is considered as a factor that can support proportionality where a privacy risk exists but is mitigated.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The proportionality test means that collection that is technically necessary for a purpose can still be impermissible if the privacy risk to consumers is disproportionate to the benefit the purpose delivers. This is a substantive test, not a formality — it requires genuine analysis, not a declaration that the data is \"used for business purposes.\" The CPPA's April 2024 enforcement advisory made clear that it expects businesses to apply this analysis to every processing activity, not just to the headline use cases described in the privacy policy.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading2","text":"The Three Pillars: Collection, Use, and Retention","spans":[{"start":0,"end":49,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"CPRA's data minimization principle governs three distinct stages of the data lifecycle, each of which requires its own compliance analysis.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Collection limitation means that businesses should collect only the personal information that is actually necessary for disclosed purposes. This is a product and engineering design requirement, not just a legal policy one. A signup form that asks for date of birth when age verification is not a system requirement is collecting in excess of what is necessary. A mobile app that requests contact list access for a feature that does not depend on contacts is collecting in excess of what is necessary. A checkout flow that collects income range alongside payment information — when income range plays no role in completing the transaction — is collecting in excess of what is necessary. Understanding the full scope of what CPRA requires — including the data collection, use limitation, and disclosure requirements that apply when a business crosses the applicability thresholds — is the foundation for any data minimization compliance program.","spans":[{"start":685,"end":877,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai/blog/ccpa-requirements-2026-complete-compliance-guide","target":"_blank"}}],"direction":"ltr"},{"type":"paragraph","text":"Use limitation means that personal information collected for one purpose cannot be repurposed for an incompatible one. The CPPA regulations specify that further processing must be compatible with the original collection context — not merely disclosed in a privacy policy, but genuinely consistent with what a consumer would reasonably expect given the circumstances of collection. A consumer who provides their email address to receive a purchase receipt does not reasonably expect that address to be added to a behavioral targeting segment and shared with advertising partners. Using data for that secondary purpose is a CPRA violation regardless of whether the privacy policy contains a broad sentence allowing \"marketing use of customer information.\"","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The \"compatible purpose\" test applies a consumer-expectations lens. The CPPA's regulations define compatible as what \"consumers would reasonably expect based on the context in which the personal information was collected.\" Context is determined by the nature of the business, the service being provided, the consumer's relationship with the business, and the manner in which collection occurs. A fitness app that uses workout data to personalize in-app recommendations is processing within consumer expectations. The same app using that workout data to train and sell a behavioral profiling model to insurance underwriters is processing outside consumer expectations and requires fresh consent or a different lawful basis.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Retention limitation requires that personal information not be retained beyond the period reasonably necessary for the purpose that justified its collection. This is where data minimization and data retention obligations merge operationally. A marketing email list of consumers who have not engaged in two years and have not been re-consented is being retained beyond what the marketing communication purpose requires. Behavioral analytics data retained indefinitely because the data warehouse team has unlimited storage is being retained beyond what the analytics purpose requires. Operationalizing retention schedules so that automated deletion enforces the \"no longer than necessary\" standard rather than relying on manual review cycles that never actually execute is the technical enforcement mechanism that transforms a retention policy on paper into a compliance control in practice.","spans":[{"start":582,"end":767,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai/blog/data-minimization-retention-enforcement","target":"_blank"}}],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading2","text":"Sensitive Personal Information: The Higher Standard","spans":[{"start":0,"end":51,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"CPRA introduced sensitive personal information as a distinct category with heightened protections. Sensitive personal information under CCPA/CPRA includes Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric information processed for identification, health status, and sexual orientation or sex life.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Businesses may use sensitive personal information to provide requested services, ensure security, prevent fraud, and a limited set of other functions. For any use beyond these enumerated purposes, the business must allow consumers to opt out through a visible \"Limit the Use of My Sensitive Personal Information\" link, and must honor those requests. This is separate from and in addition to the data minimization obligation — a business that collects sensitive personal information lawfully for one purpose cannot repurpose it for secondary uses without either a CPRA-compliant opt-in or ensuring the consumer's right to limit has been honored.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The proportionality assessment for sensitive personal information is structurally more demanding. The CPPA regulations' second factor — the possible negative impacts to consumers — weighs more heavily when the data at issue can reveal medical conditions, immigration status, religious affiliation, or financial vulnerability. A business must be able to articulate a purpose that specifically requires the sensitive data category, not merely a general business objective that the data might serve alongside less sensitive alternatives.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading2","text":"How Data Minimization Differs From GDPR","spans":[{"start":0,"end":39,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"CPRA's data minimization obligation is substantively similar to GDPR's Article 5(1)(c) requirement that personal data be \"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.\" Both impose a necessity test, both require purpose limitation, and both prohibit repurposing for incompatible uses. Organizations that have built GDPR-compliant data governance programs will find the CPRA framework conceptually familiar.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The key operational differences matter for organizations managing both frameworks. GDPR applies to any processing of EU residents' personal data regardless of business size. CPRA applies only to businesses meeting threshold criteria — $26.625 million annual gross revenue (effective January 1, 2025), or processing data of 100,000 or more California residents, or deriving 50% or more of revenue from data sales. GDPR requires a documented lawful basis for every processing activity, with a positive justification for each. CPRA's minimization obligation applies to all covered processing but does not require the same lawful basis framework — consent is required in specific circumstances but is not the universal foundation for processing. GDPR enforcement is distributed across 27 member state supervisory authorities with a lead-establishment model. CPRA enforcement is centralized in the CPPA, which can both investigate and litigate, with supplementary AG authority.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"}]}}},{"id":"3d0c4f08-772e-5407-81cd-8465fa781f60","primary":{"cta_options":"CTA Header","blog_page_cta_button_link":{"url":"https://deft-thinker-159.kit.com/privacy-by-design-checklist"},"blog_page_cta_button_text":{"richText":[{"type":"paragraph","text":"Download Your Free Privacy by Design Checklist","spans":[],"direction":"ltr"}]},"cta_header_title":{"richText":[]},"cta_header_description":{"richText":[{"type":"paragraph","text":"Prioritizing user privacy is essential. Secure Privacy's free Privacy by Design Checklist helps you integrate privacy considerations into your development and data management processes.","spans":[],"direction":"ltr"}]},"logo":{"url":"https://images.prismic.io/secure-privacy/ZiJ6NfPdc1huKpCp_Group481491.png?ixlib=gatsbyFP&auto=format%2Ccompress&fit=max&q=45","alt":null}},"slice_type":"blog_details_page_cta_button"},{"id":"52a2578f-8750-5f89-8980-b258e45fa718","slice_type":"text","primary":{"text":{"richText":[{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading2","text":"Operationalizing Data Minimization","spans":[{"start":0,"end":34,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The gap between a data minimization policy and a data minimization program is the same gap that all privacy compliance faces: documentation of the right principles without operational controls that actually enforce them. Four operational workstreams close that gap.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Data inventory and mapping is the prerequisite. Minimization compliance requires knowing what personal information is collected at every touchpoint — signup forms, analytics SDKs, CRM enrichment processes, API integrations, mobile app permissions — and mapping each data element to the specific purpose that justifies its collection. Without a current, accurate data inventory, it is not possible to identify collection that exceeds what the disclosed purpose requires, or to identify data being retained beyond its useful life. The data mapping infrastructure that produces an accurate, queryable view of what personal information a business collects, why, and how long it retains it is equally foundational for CPRA minimization compliance and for GDPR-mapped organizations.","spans":[{"start":528,"end":684,"type":"hyperlink","data":{"link_type":"Web","url":"https://secureprivacy.ai/blog/gdpr-data-mapping","target":"_blank"}}],"direction":"ltr"},{"type":"paragraph","text":"Purpose definition requires that every data collection activity be tied to a specific, articulated purpose before collection begins — not after the data team has decided what to collect and the legal team is asked to ratify it. The purpose must be concrete enough to support the proportionality test: \"analytics\" is not a sufficient purpose because it is not specific enough to determine what data analytics actually requires. \"Calculating session duration, page views, and conversion paths for product optimization\" is a purpose specific enough to determine whether full user identity records, device fingerprints, and cross-site behavioral profiles are \"reasonably necessary and proportionate\" to achieve it (they are not).","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Collection controls translate purpose definitions into technical enforcement. Form fields that do not serve the stated purpose should not exist in the form. SDK integrations that collect data categories beyond what the stated purpose requires should be configured to limit collection or removed. Data warehouse ingestion pipelines should be designed to bring in only the fields the analytics use case requires, not all available fields. These are engineering decisions that must be informed by the legal purpose definition — which means privacy engineers and product engineers need to collaborate at the design stage, not the compliance review stage after the product has shipped.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"Retention enforcement requires that retention periods defined in the data inventory are actually implemented as technical controls — not aspirational policies. Automated deletion processes, lifecycle management configurations in storage systems, and periodic audit triggers for long-lived data sets are the mechanisms that ensure retention is limited to what the purpose requires. The CPPA's enforcement advisory explicitly notes that data minimization supports faster responses to CCPA rights requests — a business that retains only necessary data for defined periods can respond to deletion requests more efficiently than one that has accumulated years of undifferentiated data across dozens of systems.","spans":[],"direction":"ltr"},{"type":"heading2","text":"\nTeam-Level Implications","spans":[{"start":1,"end":24,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"For product teams, data minimization means that every new data collection in a product feature must be reviewed against a specific, articulated purpose before it ships. The question \"do we need this data for this feature?\" must have a documented yes answer before the data is added to a schema or a SDK configuration. Feature specifications should include a data section that lists what personal information the feature collects and why. Data that might be \"useful later\" does not pass the minimum-necessary test.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"For marketing teams, data minimization means that behavioral data collected for one campaign cannot be freely repurposed for a different campaign or shared with a partner whose purposes were not disclosed at collection. Third-party data enrichment — importing behavioral profiles, inferred characteristics, or demographic data from data brokers — requires a specific purpose justification and a disclosed use that is compatible with the consumer's original collection context. Marketing use cases are not exempt from minimization; the CPPA has specifically flagged profiling and behavioral advertising data as areas of enforcement focus.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"For engineering teams, data minimization is a schema and pipeline design constraint. The \"collect everything and figure out later what to use\" approach to data architecture is incompatible with CPRA compliance. Database schemas should reflect only the data fields the system's documented purposes require. Logging infrastructure should be reviewed for personal information that accumulates incidentally — IP addresses in web server logs, user identifiers in debugging traces, email addresses in error notifications — and each should be justified, limited, or anonymized as appropriate.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading2","text":"Enforcement Context","spans":[{"start":0,"end":19,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The CPPA has signaled through its enforcement advisory program that data minimization is not a background compliance principle — it is an active investigation trigger. The agency's first enforcement advisory went directly to data minimization, and its stated intent is to identify and act on businesses that collect personal information beyond what their disclosed purposes require.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The per-violation structure of CPPA penalties — $2,500 per unintentional violation and $7,500 per intentional violation — interacts with the per-consumer framework in ways that make systemic over-collection extremely costly at scale. A business that has collected unnecessary data from one million California consumers is not facing a fixed fine — it is facing exposure that is bounded only by the CPPA's discretion in how it counts violations.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"The CPPA's enforcement priorities announced for 2025 and 2026 include automated decision-making technology, data broker practices, and the handling of sensitive personal information — all areas where data minimization violations are likely to be identified as part of broader investigations. Organizations that wait for an enforcement inquiry before conducting a data minimization audit are significantly more exposed than those that conduct the audit proactively and document the remediation.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading2","text":"FAQ","spans":[{"start":0,"end":3,"type":"strong"}],"direction":"ltr"},{"type":"heading4","text":"What is data minimization under CPRA? ","spans":[{"start":0,"end":37,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"The requirement that a business's collection, use, retention, and sharing of personal information be reasonably necessary and proportionate to achieve the purposes for which it was collected — and not further processed in a manner incompatible with those purposes.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading4","text":"What does \"reasonably necessary and proportionate\" mean? ","spans":[{"start":0,"end":56,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Under CPPA regulations, it means: the minimum personal information necessary for the purpose is collected, the potential negative impacts to consumers are weighed against the purpose, and any privacy risks are mitigated by appropriate safeguards.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading4","text":"Does CPRA limit data collection? ","spans":[{"start":0,"end":32,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Yes, explicitly. Businesses cannot collect personal information beyond what is necessary for their disclosed purposes. Data that is collected \"just in case\" it may be useful later, or that is gathered for unarticulated purposes, is not compliant with the minimum-necessary standard.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading4","text":"How is CPRA different from GDPR on minimization? ","spans":[{"start":0,"end":48,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Both require data minimization and purpose limitation. GDPR applies universally to EU-resident data processing; CPRA applies to businesses meeting specified thresholds. GDPR requires a positive lawful basis for each processing activity; CPRA imposes a necessity and proportionality standard without a lawful-basis framework. Enforcement mechanisms and penalty structures also differ significantly.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"heading4","text":"What happens if you collect too much data? ","spans":[{"start":0,"end":42,"type":"strong"}],"direction":"ltr"},{"type":"paragraph","text":"Penalties of $2,500 per unintentional violation and $7,500 per intentional violation, assessed per consumer. Systemic over-collection across a large consumer base produces compounding exposure. The CPPA has also signaled reputational and operational consequences, including required remediation and public enforcement action disclosures.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"},{"type":"paragraph","text":"California's data minimization requirement is already in effect, already being enforced, and already the subject of the CPPA's first published enforcement advisory. The businesses that face enforcement actions are not those with sophisticated privacy programs that made defensible judgments about proportionality — they are the ones that never conducted the inventory, never articulated the purposes, and never built the technical controls to enforce the policies they claimed to follow.","spans":[],"direction":"ltr"},{"type":"paragraph","text":"See how Secure Privacy's privacy governance platform helps businesses build the data inventory, purpose documentation, and retention enforcement infrastructure that CPRA data minimization compliance requires.","spans":[{"start":0,"end":208,"type":"hyperlink","data":{"link_type":"Web","url":"secureprivacy.ai/privacy-governance","target":"_blank"}}],"direction":"ltr"},{"type":"paragraph","text":"","spans":[],"direction":"ltr"}]}}},{"id":"6bb4703a-221f-57bf-b32a-a7cb5d978117","slice_type":"centralized_cta_from_blog_single"},{"id":"177f48c4-ba32-5f84-8612-bf5c94b3fa88","slice_type":"articles","primary":{"title":{"richText":[{"type":"heading2","text":"Blog Posts\nThat also interest you","spans":[{"start":11,"end":33,"type":"strong"}]}]},"buttontext":{"richText":[]}}}],"description":{"text":"Your analytics team wants to add household income range to the signup form to improve ad targeting. Your product team is capturing full browsing histories for all logged-in users in case the data becomes useful for a recommendation feature later. Your marketing team is enriching CRM records with third-party behavioral profiles because the data was available. None of these are theoretical risks — all three are exactly the kind of practice that California's data minimization requirement, codified in CCPA Section 1798.100(c), is designed to prohibit. "}},"tags":["Privacy Governance"]}}]},"allPrismicBlogpage":{"edges":[{"node":{"uid":"blog","type":"blogpage","lang":"en-gb","id":"8be6fe51-0ae2-581d-9e23-8b00e02986c1","data":{"cta_button_text":{"richText":[{"type":"paragraph","text":"Sign-up for FREE","spans":[],"direction":"ltr"}]},"cta_button_link":{"url":"https://cmp.secureprivacy.ai/onboarding"},"cta_banner_text":{"richText":[{"type":"paragraph","text":"No credit card required","spans":[],"direction":"ltr"}]},"cta_banner_heading":{"richText":[{"type":"paragraph","text":"Get Started For Free with the\n#1 Cookie Consent Platform.","spans":[{"start":16,"end":20,"type":"strong"}],"direction":"ltr"}]}}}}]}},"pageContext":{"id":"15e5fae8-c923-5b1c-8dad-585c83c92195","uid":"california-data-minimization-requirement","lang":"en-gb","type":"blogpostpage","url":"/blog/california-data-minimization-requirement"}},
    "staticQueryHashes": ["106289065","1254728886","1714079170","2867542246","3445072782","764283450"]}