Data Minimization
The principle that organizations should collect and process only the personal data that is strictly necessary for the specified purpose.
Data minimization is a fundamental principle under the GDPR (Article 5(1)(c)) stating that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. In practice, this means organizations should only collect the data they actually need, avoid gathering data on the assumption it might be useful later, and regularly review their data collection practices to ensure they remain proportionate.
Applying data minimization to websites means carefully evaluating every form field, tracking technology, and data collection point. Do you really need a date of birth for a newsletter signup? Does your analytics tool need to collect full IP addresses? Are you storing data longer than necessary? Regulators increasingly expect organizations to demonstrate how they applied data minimization principles in their system design, a concept known as data protection by design and by default (Article 25 GDPR). Violations of this principle have resulted in significant fines, particularly in cases where organizations collected excessive data through forms or deployed disproportionate tracking.