April 9, 2026

More Data, More Problems: The Hidden Risks of Collecting Too Much

data privacy

More Data, More Problems: The Hidden Risks of Collecting Too Much

By Corporate Associate Katelynn Brennan and Counsel Michael Antone

In today’s data-driven world, businesses may be tempted to collect as much data as possible—just in case it proves useful later. But when it comes to personal information and confidential information, more data means more compliance obligations and legal exposure.

The principle of data minimization—limiting collection to only what is necessary for your specific purpose—isn’t just a best practice; it’s a critical safeguard that helps protect your business.

Not all data is treated equally under the law. Each country and U.S. state has its own laws governing data security and breach notification. Certain categories of information—such as Social Security numbers, financial account details, biometric data, personally identifiable information (“PII”), and personal health information (“PHI”) —may trigger strict notification requirements if compromised, while other types may require fewer notifications or be exempt altogether. The collection and retention of personal data beyond that necessary to conduct business, particularly financial data, PII, and PHI, increases your liability and could turn a minor security incident into a regulatory and reputational crisis that could significantly damage or prove fatal to your business.

Consider a home contractor, who needs to collect a customer’s address to know where to perform the service, but doesn’t need the additional information found on the customer’s driver’s license (such as the customer’s birthday or identification number). Or a landlord, who needs to collect certain financial data to evaluate a potential tenant’s creditworthiness, but does not need to retain social security numbers, credit reports, or other financial data for people who ultimately did not rent the property.

If your organization hasn’t recently reviewed its data collection practices, now is the time to take inventory of what personal information you’re collecting—and why. A clear, intentional strategy centered on data minimization can help protect your customers and your business.

Our Certified Information Privacy Professionals (CIPP/US) can provide legal counsel on your most important matters. Contact us to request a consultation.

Tags:

 Recent Highlights

View All