If you don't collect the data in the first place, you can't misuse it - and it's much easier to prove that you didn't misuse it, because all you have to show is that you never had the dangerous data in the first place. This is the same advice we give about handling PII in applications.