CPPA Issues Data Minimization Enforcement Advisory

The California Privacy Protection Agency (CPPA) issued its first Enforcement Advisory addressing California Consumer Privacy Act (CCPA) requirements. The initial Enforcement Advisory is focused on data minimization, a foundational principle under the CCPA.

The CPPA Enforcement Division says it is seeing businesses ask customers to provide unnecessary personal information when responding to consumer requests. The advisory reinforces businesses’ responsibility to apply data minimization principles when collecting, using, retaining, and sharing personal data. Data minimization principles also apply to the processing of consumers’ CCPA requests.

CCPA Data Minimization Rules

Data minimization rules are included in the CCPA to ensure businesses collect consumers’ personal information only to the extent that it is relevant and limited to what is necessary concerning the purposes for which it is being collected, used, and shared. When determining what data is necessary to achieve the identified purpose, businesses need to consider:

• The minimum personal information that is necessary to achieve the purpose identified.
• The possible negative impacts on consumers posed by the business’s collection or processing of personal information.
• The existence of additional safeguards for personal information to specifically address the possible negative impacts on consumers.

Here is how data minimization applies to CCPA regulations:

• Opt-out Preference Signals: “The business shall not require a consumer to provide additional information beyond what is necessary to send the signal.”
• Requests to Opt-out of Sale/Sharing: “A business shall not require a consumer submitting a request to opt-out of sale/sharing to create an account or provide additional information beyond what is necessary to direct the business not to sell or share the consumer’s personal information.”
• Requests to Limit Use and Disclosure of Sensitive Personal Information: “A business shall not require a consumer submitting a request to limit to create an account or provide additional information beyond what is necessary to direct the business to limit the use or disclosure of the consumer’s sensitive personal information.”
• Verifying a consumer’s identity:
  • Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.
  • Avoid collecting personal information such as Social Security number, driver’s license number, financial account numbers, or unique biometric data, unless necessary for the purpose of verifying the consumer.
  • Avoid requesting additional information from the consumer for purposes of verification. If the business cannot verify the identity of the consumer from the information already maintained, the business may request additional information from the consumer, which shall only be used to verify the identity of the consumer seeking to exercise their rights under the CCPA, security, or fraud prevention. The business shall delete any new personal information collected for verification as soon as practical after processing the consumer’s request.

Business Takeaways

The Enforcement Advisory walks readers through hypothetical data minimization scenarios involving opt-out requests and verifying identity for deletion requests. To effectively apply data minimization principles to these actions, the CPPA recommends answering these questions.

• What is the minimum amount of personal information needed to honor a request to opt out of sale/sharing?
• What is the minimum personal information needed to verify the consumer’s identity?
• Do we need to ask for more information than we already have?
• What are the possible negative impacts if we collect additional information and how can we address those impacts?

What is an Enforcement Advisory?

The CPPA says Enforcement Advisories do not provide any safe harbor from potential violations. They provide guidance for implementing CCPA-compliant practices. The CPPA provided the following description of Enforcement Advisories.

“Enforcement Advisories address select provisions of the California Consumer Privacy Act and its implementing regulations. Advisories do not cover all potentially applicable laws or enforcement circumstances; the Enforcement Division will make case-by-case enforcement determinations. They do not implement, interpret, or make specific the law enforced or administered by the California Privacy Protection Agency, establish substantive policy or rights, constitute legal advice, or reflect the views of the Agency’s Board.

Advisories do not provide any options for alternative relief or safe harbor from potential violations. The statutes and regulations control in the event of any conflicting interpretation. The Advisory provides the questions that follow as hypothetical examples of how a business might review its practices. Businesses should consult the statute, regulation, and/or an attorney before taking any action to ensure compliance with the law.”

CompliancePoint has a team of consultants devoted to helping organizations comply with privacy regulations, including the CCPA, GDPR, and all other applicable state laws. Reach out to us at connect@compliancepoint.com to learn more about how we can help.