How Data Minimization Protects Privacy by Reducing Digital Risk
March 10, 2025
Every commercial organization wants to understand its customers. Retailers want to know consumer preferences. App developers want to know their users. This kind of knowledge is a valuable asset.
Most organizations satisfy this need by collecting data on their customers. But until recently, there were no real limits on how much data a company could collect for this purpose. Modern technology gives companies the ability to collect far more data than ever before.
This can lead to problems. People are rarely aware of how much data organizations have on them until that data gets used, often without their permission. In some cases, hackers may infiltrate a company to steal data and use it to commit identity theft, amongst other crimes. The question is—why did the company have all that data in the first place?
Organizations that commit to data minimization help reduce these risks for their users. If you’re concerned about data privacy, using software built with data minimization in mind can help you stay safe and secure.
What is Data Minimization?
Data minimization is the policy of only keeping the data you need and deleting the rest. For app developers in the EU, it is a legal compliance requirement. As of 2025, the EU GDPR has the world’s strictest data minimization rules.
According to Article 5(1)(c) of the GDPR, personal data should be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.” In other words, personal data should be used only when needed.
The GDPR doesn’t define exactly what “adequate, relevant, and limited” means. However, it does require stored data to be “necessary” for processing. If a business holds information it doesn’t use for processing, it will be difficult to make an argument for keeping it on file.
As a policy, data minimization has an important purpose. It motivates companies to avoid keeping large volumes of data on their customers. Without it, organizations could argue that keeping records of everything users do is simply a good business practice.
What About Data Minimization in the United States?
In the United States, data minimization is part of the California Consumer Privacy Act (CCPA), the Maryland Online Data Privacy Act, and similar regulations in several other states. However, many of these regulations fall short of the high standards set by the European Union. For example, in Virginia and Connecticut, companies can collect any data they want as long as they “disclose” it on their website’s privacy policy page—which very few people take the time to read.
Some US businesses sell their excess data to data brokers who operate people finder sites. These services violate user privacy by collecting and sharing personal information without permission. They gather and correlate information from different sources to build profiles that include addresses, phone numbers, and family connections.
However, this doesn’t mean every American business operates on the assumption that more data is always better. Some choose to be selective with user data without regulatory pressure and ignore the chance to make extra money by partnering with data brokers.
Data Minimization Around the World
- The United Kingdom adheres to its own version of Europe’s GDPR. The original regulation came into effect when the UK was part of the European Union, and was not immediately changed.
- Asia-Pacific Economic Cooperation (APEC) members subscribe to a Privacy Framework that includes data minimization principles. Its 21 members include major economies like China, Singapore, Australia, Japan, Mexico, and Russia.
- Canada has its own Personal Information Protection and Electronic Documents Act (PIPEDA), which includes data minimization under “fair information principles”.
- The Turkish Personal Data Protection Law (PDPL) requires organizations to follow data minimization principles. The law was first introduced in 2016, and Turkish authorities updated it in 2024 to align with the standards set by the EU GDPR.
Voluntary Data Minimization is Good Business Practice
It’s a well-known fact that many US technology companies collect, analyze, and sell user data. Many large companies became household names by leveraging this data in innovative ways. However, large volumes of data can also be a risk.
For example, in 2022 the Federal Trade Commission filed a complaint against WW International (owner of the popular Weight Watchers brand) for collecting and retaining information on minors without notice or consent. This information included sensitive health data that should have been deleted when it was no longer relevant. Instead, the company kept the data indefinitely.
Companies that collect huge volumes of data aren’t just exposed to regulatory risks. They also lose money because data storage isn’t free. Neither is the energy or infrastructure needed to store and process data. Securing data against hackers and cybercriminals only adds to business costs.
When an organization chooses to delete data it doesn’t need, it makes itself leaner and more efficient. It also becomes more trustworthy than competitors who collect that kind of data and feel pressure to monetize it. Companies that choose to minimize data value their users' trust.
Messaging Apps Often Collect More Data Than They Need
Secure messaging apps are marketed for their privacy features, but often collect far more data than they need. Many track user behavior, contacts, and location data that has nothing to do with their core purpose. Prioritizing profit over privacy has landed major tech companies in trouble in the past:
- In 2021, WhatsApp updated its privacy policy to mandate data sharing with its parent company Facebook (now Meta). Users were given an ultimatum to accept these terms or stop using the app, leading to widespread concern over data misuse.
- Telegram presents itself as a secure messaging platform but collects more user metadata than it needs. Users automatically share their IP addresses, device information, and Telegram app data with the company whenever they use the platform.
- Facebook and Instagram retain user data for up to 180 days after users delete their accounts. That means users could discover their information in a data breach long after they believe it was removed from the platform.
- Snapchat claims to automatically delete Snaps after 24 hours, but also mentions it retains “some data” for up to 30 days to help personalize the user experience. It holds onto deleted user information for 60 days after users delete their accounts.
None of this extra information is necessary for sending and receiving messages. Secure messaging apps only need the most basic metadata to route messages to their destination and authenticate them.
Prioritize Apps and Software that Follow Data Minimization Principles
Everyone should use software applications that respect their privacy wishes. If you are concerned about tech companies manipulating your data to target you, sign up for apps that practice data minimization.
For example, you don’t need to use the same popular social media messaging apps as everyone else. Find the best secure messaging platform for your needs and introduce your contacts to it.
Communication apps that follow data minimization principles won’t ask you for sensitive information or anything that links back to your real identity when you sign up. Since they are committed to not storing data on their users, they have no need to collect it in the first place.
3 Secure Messaging Apps that Practice Data Minimization
Only a few secure messaging apps truly practice data minimization. Here are some of the best choices for people who value data privacy.
- Signal is one of the best privacy-focused messaging apps available. It provides open-source encryption to users without collecting additional metadata. However, signing up to Signal requires sharing your phone number, which means truly anonymous usage is not possible.
- Threema is a paid cross-platform messaging app that temporarily logs messages on its servers and then stores them on your device. Deleting your account does not delete messaging content stored on your device, though—you’ll need to do that manually. Threema does retain user ID records after deletion, to make sure users can’t register a new ID with the same credentials.
- OffGrid does not store messages on servers or devices. It allows GDPR-compliant real-time chat between online users and retains no conversation data. When the conversation ends, it deletes the data. OffGrid users who delete their accounts can completely erase all records, as if their account never existed.
Your Data Belongs to You
Data minimization empowers you to take control of your digital privacy. Not every messaging app adheres to the same standards when it comes to user data, but you have the power to choose. Using apps that ignore data they don’t need reduces your exposure to data breaches, tracking, and exploitation risks. Making smart choices about the apps you use is a meaningful step toward maintaining confidentiality.