DRPV-04
Standard
Weight: 5

Purpose-Limited Data Collection

Plain English Explanation

This question asks whether you only collect customer information for specific reasons you've told them about. It's about not being greedy with data - only gathering what you actually need for the service you're providing. If you're running an email service, you need email addresses, but you probably don't need social security numbers. It's about collecting data with purpose, not just because you can.

Business Impact

Collecting unnecessary data increases your risk without adding value - each additional data field increases breach costs by 5-10%. Purpose limitation is a core GDPR requirement with fines up to 4% of revenue for violations. Companies practicing data minimization have 40% lower compliance costs and faster sales cycles as security reviews find fewer concerns. Customers trust businesses that only ask for what they need.

Common Pitfalls

The trap many fall into is collecting data 'just in case' it might be useful later - this violates privacy laws and increases risk. Another mistake is having different purposes stated in contracts versus privacy policies, creating legal conflicts that regulators and customers will exploit.


Question Information

Category: Data Rights and Privacy
Question ID: DRPV-04
Version: 4.1.0
Importance: Standard
Weight: 5/10
