California Data Minimization Guide

Use Transcend to help ensure compliance with the latest data minimization requirements in the California Privacy Rights Act (CPRA).

While we do our best to provide general background about regulatory issues, this guide is provided for informational purposes only, and should not be construed as legal advice. You should consult with your legal counsel on any specific CCPA questions you have.

  • The California Privacy Rights Act (CPRA) went into effect on January 1st, 2023 and set new requirements for how California businesses may collect and process personal information. Businesses are responsible for tracking data collection and ensuring unnecessary collection or processing is not occuring.
  • As a result of continuous system sprawl and shadow IT, two-thirds of companies today report that they don’t have an accurate picture of the personal data they collect and process. 57% of tech leaders say new systems containing user data are added weekly, and in some cases, daily within their companies.
  • Transcend can help businesses identify data systems, track their processing activities, and comply with CPRA’s new data minimization requirements.

Limit and Track Collection

  • CPRA prohibits collecting more personal info than what is ”reasonably necessary and proportionate to achieve the purposes for which its being collected or processed” (Section 1798.100)

Limit and Track Use

  • CPRA requires only using personal information for the purpose for which it was originally collected, and prohibits using it for additional purposes that are incompatible with the disclosed original purpose.

Manage Retention

  • CPRA requires having retention policies in place and ensuring that retention of data aligns with the purpose for which it was collected. “A business shall not retain a consumer’s personal information […] for longer than is reasonably necessary for [the] disclosed purpose.” (Section 1798.100)

There are several ways that Transcend can help you understand when new data trackers or systems are added within your organization.

Transcend Consent monitors data collection happening on your marketing website and flags newly discovered data flows in the Triage area.

Transcend Consent showing an initial list of detected data flows You should coordinate with the appropriate internal stakeholders to ensure newly detected data flows align with the processing purposes you have disclosed to consumers in your Privacy Policy. Learn more about Data Flows in Transcend Consent.

Transcend Data Mapping continuously monitors your data systems and provides a live, system-level representation of all data in your business that is kept in sync with changes to your company’s tech stack. The New Silos graph on the Data Mapping dashboard will help you keep track of new systems and SaaS tools that have been discovered or manually added where data collection may be occurring. New Silos graph on Transcend Data Mapping Dashboard

You can use the Record of Processing Activities (ROPA) tab in Data Mapping to get a high-level view of processing activities by purpose and category. Reference our ROPA documentation for detailed instructions.

Transcend Data Mapping ROPA

Go a level deeper by using the Data Inventory tab to view system-level processing purposes, associated owners, retention periods, and more.

Transcend Data Inventory

You may need more questions answered about some data systems to fully understand usage and ensure processing activities are compatible with the original disclosed processing purpose. There are a couple of ways to collaborate with coworkers and get more insights. You can assign an Owner to a given data silo in the Data Inventory or row in the ROPA. They’ll be invited to Transcend and prompted to provide missing information from the row they've been assigned.

ROPA Owner Assingment

You may also choose to conduct a full privacy assessment. This is especially useful for complex processing activities, projects, or systems. Assessments can help ensure that “purpose creep” isn’t occurring and give a detailed view of a purposed activity to help evaluate risks. Use the DPIA Status column in the Data Inventory to seamlessly initiate an assessment in Transcend Assessments. You can also add a link to an external assessment in this field.

Learn more about this workflow in our Assessments documentation.

Transcend Data Inventory

The effectiveness of your data monitoring and minimization efforts is only as good as your visibility into how data is being used across your organization. A collaborative relationship with data consumers and stewards within your organization can go a long way towards improving visibility and compliance.

To this end, Transcend offers a number of tools to empower engineers to seamlessly collaborate on privacy initiatives without ever having to leave the codebase. Engineering teams can connect integrations, label and classify personal data, update processing purposes, and more right from the code. These updates are then synced directly into Transcend so the whole organization is always in sync with the latest changes to processing activities and can understand privacy implications.

Learn more about Transcend’s infrastructure as code tools.