At the recent 2026 Global Summit hosted by the International Association of Privacy Professionals in Washington, D.C., one theme surfaced repeatedly across the conference sessions on privacy, AI governance, and cybersecurity law: Data Minimization. While the topic had a dedicated session, it emerged repeatedly as a portion of many other sessions throughout the conference.
At first glance, data minimization seems straightforward: collect only the data necessary for your specific intended purpose. But there are additional aspects that make this a key topic in the industry.
What Can You Collect, Use and Keep?
Data minimization means limiting the amount and types of data that collected, for example, what patient data are collected for a clinical trial. Each data point collected needs to be justified by having a specific purpose. The collected data point needs to be used only for the purpose for which it was collected. The data subject needs to be informed of this information; i.e., what data are being collected and what are they being used for. The data must be maintained for only as long as they are needed for the stated purpose, or as required by law.
The entity collecting the data must have a “legitimate interest” for collecting the data; i.e., the data must be necessary and for a legitimate purpose of the data collector. This legitimate interest, however, may be “overridden by the interest or fundamental rights and freedoms of the data subject” (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; the “General Data Protection Regulation” Article 6 section 1.f).
Some examples of legitimate interests are conducting scientific research (with the subject’s consent); administrative processing of employee data, for example, for payroll or benefits administration; or for providing customer support.
Hidden Costs of Excess Data
Despite the regulatory guidance, some organizations believe that collecting more data can provide benefits by potentially generating unanticipated insights in the future. But, in addition to not complying with industry standards and privacy regulations, collecting too much data can:
- Increase the workload for clinical sites responsible for data entry, which in turn can increase costs for the Sponsor;
- Increase the burden on patients, caregivers, or guardians, potentially reducing engagement or increasing dropout rates;
- Lead to “data fatigue,” wherein teams struggle to manage and interpret overwhelming volumes of information;
- Create ambiguity around which data points are the most important.
- Contribute to the potential impact of a data breach.
To the last point, if a breach does occur, and we know that the number of individuals affected by data breaches is on the rise, having additional data, particularly personally identifiable data, can lead to additional liability. Unnecessary personal information, such as names, addresses or Social Security numbers that were not required to derive clinical results, can become exposed as part of a breach.
Enforcement of Standards is Happening
Though outside of the clinical research area, one of the landmark cases involving data minimization was a March 2025 case in which American Honda Motor Co., Inc. reached a $632,500 settlement with the California Privacy Protection Agency (CPPA) regarding violations of the California Consumer Privacy Act (CCPA). In order to opt out of the sale or use of their data, Honda required consumers to provide eight separate pieces of information (e.g., name, address, email, phone number) when only two pieces of information were needed to identify the consumer.
In another case in May 2025, clothing retailer Todd Snyder, Inc. paid a $345,178 fine for violating the CCPA. Among other violations, the company was accused of requiring customers to provide excessive information when submitting privacy requests, including copies of government issued IDs, which is not only unnecessary, but also against California law.
Other cases involve keeping data longer than needed, in some cases indefinitely, and keeping the data without an identified business need. Holding onto data just in case they “might be useful in the future” falls into this category.
Momentum in State-Level Regulation
The Massachusetts Data Privacy Act, or MDPA, recently passed the Massachusetts State Senate and is now in the Massachusetts House of Representatives. Among other restrictions, the MDPA would
- Ban the sale of sensitive personal data;
- Prohibit selling or using the personal data of minors for targeted advertising;
- Limit the amount of personal data that companies can collect.
From Principle to Practice
For organizations operating in regulated environments, including clinical research, data minimization is no longer optional. It is a strategic imperative that affects compliance, ethics, and operational efficiency.
PROMETRIKA helps our clients comply with the principle of data minimization by identifying excessive or unnecessary data requests, recommending alternative approaches to collecting excessive data, and recognizing data that are restricted for collection by laws and regulations in various regions of the world.
Data-driven innovation and compliance will increasingly depend not on how many data sets organizations collect, but on how thoughtfully they collect, use, and protect them.
