Data Minimisation

Data minimisation is the GDPR principle (Article 5(1)(c)) that personal data collection should be limited to what is necessary for the specified purpose. It is the structural concept that underlies privacy-by-design: collect less, retain for a shorter time, share less. It is codified in EU law and increasingly reflected in US state-law frameworks (CCPA, Virginia VCDPA, Colorado, Connecticut, others), and it is the operational principle that distinguishes privacy-respecting service designs from data-maximising ones.

What it means in practice

The principle has two operational dimensions. Collection minimisation: the service collects only the data fields actually needed for the function (the email service does not need your phone number, the calculator app does not need your contacts, the flashlight app does not need your location). Retention minimisation: the service holds the data only as long as the function requires (the food-delivery service does not need your 5-year-old order history, the messaging service does not need to retain delivered messages indefinitely). The GDPR enforcement framework around minimisation has produced significant fines (Meta, Google, Amazon, multiple smaller cases) for over-collection and over-retention; the US state-level equivalent enforcement is developing through 2024-26. The user-side application of the principle: choose services that minimise structurally, configure retention settings on services that allow it, and delete what you can on services that retain by default.

Where it shows up

The principle is operationally relevant in three places: provider selection (the no-log VPN architecture is data minimisation applied to network traffic; the end-to-end encrypted messenger is data minimisation applied to communication content; the privacy-by-design email provider is data minimisation applied to email metadata), retention configuration on services you use (Google Account auto-delete for Web and App Activity, Location History off, YouTube History off; Apple equivalent settings; Amazon order-history deletion where permitted), and the broader operational discipline of asking “does this service need this data” before providing it. The Predaxia editorial frame: data minimisation is the structural alternative to “trust the provider with everything”; the architecture that does not collect cannot be compelled to produce or breached to expose.

What you can change today

Three habits. First, default to minimal data when signing up for new services: no real name unless required, alias email rather than primary, no phone number unless required, no birthday unless required. The data field that is not provided cannot be retained. Second, audit retention settings on existing services: Google Account auto-delete (Data and Privacy, set Web and App Activity to auto-delete after 3 months, similar for Location History and YouTube History), Apple equivalents (Settings, Apple ID, iCloud, manage and turn off categories not needed), social-media archive-old-posts options where available. Third, periodic deletion sweeps: every quarter, audit one service for deletable old data and act on it; the cumulative effect over years is meaningful and the structural posture (the service holds less) compounds with each iteration.
