Data Minimization
The privacy principle of collecting and retaining only the personal data strictly necessary for the stated purpose — codified in GDPR Article 5 and similar regimes, and a defense against breach blast radius.
The two-line argument for data minimization: collecting less data has compounding benefits (lower compliance burden, smaller breach blast radius, lower storage cost, less noise in ML and analytics) and almost no cost in modern designs built around progressive profiling. The exception is regulated industries with explicit collection mandates (KYC for financial services, HIPAA for healthcare), where the minimization principle still applies within the regulated minimum.
Common questions
What does GDPR data minimization actually require?
How does data minimization affect signup forms?
Is data minimization a regulatory or security principle?
In the guides
CCPA and CIAM: California Privacy Compliance for Consumer Apps
How CCPA / CPRA intersects with CIAM, opt-out, sale-of-data, consumer rights, and the architectural choices that satisfy California compliance.
Customer Onboarding and Progressive Profiling: The Conversion-Aware CIAM Pattern
Every field at signup costs conversion. Progressive profiling defers data collection to the moment of contextual need — better UX, better data quality, better GDPR posture, all at once.
GDPR and CIAM: A Practical Compliance Guide
How CIAM platforms intersect with GDPR, lawful basis, consent, data minimization, subject rights, and the architectural choices that make compliance maintainable.