Yesterday, the California Privacy Protection Agency (CPPA) issued its first enforcement advisory regarding the California Consumer Privacy Act (CCPA). Enforcement Advisory No. 2024-01(the Advisory) is solely devoted to data minimalization, which the CPPA describes as “a foundational principle in the CCPA.” An enforcement advisory is not an implementing rule, regulation, or law; it is not even an interpretation of the law or legal advice. Instead, CPPA enforcement advisories are intended to be informational bulletins to inform the public about nascent legal privacy issues that CPPA is engaging with at a given time.
In its Advisory, CPPA explains that it is currently investigating several businesses “asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.” Borrowing from similar concepts found in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the European Union’s General Data Protection Regulation (GDPR), the CCPA states that a business’ collection, use, retention, and sharing of a consumer’s personal information “shall be reasonably necessary and proportionate” to achieve the purposes for which the personal information was collected. California Civil Code § 1798.100(c). In other words, businesses should not collect or use more personal information than needed to satisfy a consumer’s request for services; including data subject requests under CCPA. Not only should businesses evaluate “the minimum personal information that is necessary to achieve the purpose identified,” but businesses should also analyze “the possible negative impacts on consumers posed by the businesses’ collection or processing of the personal information.” 11 CCR § 7002(d). CPPA notes that several CCPA regulations reflect the concept of data minimization, including:
- Opt-out preference signals,
- Requests to opt-out of sale/sharing of personal information,
- Rules regarding verification of a consumer’s identity, and
- Requests to limit use and disclosure of sensitive personal information.
CPPA explains that the purpose of the Advisory is to remind businesses to apply the data minimization principle to each purpose for which the business collects, uses, retains, and shares consumers’ personal information. CPPA also reminds businesses that this principle should also be in place for information that the business collects when processing consumers’ CCPA requests. In doing this, businesses must determine what data is “reasonably necessary and proportionate” to the purpose for which it is collected. That analysis should answer the following three questions:
- What is the minimum information necessary to achieve this purpose?
- What is the potential negative impact of the collection of Personal Information?
- What safeguards are in place to mitigate negative effects of this data collection?
CPPA’s Advisory also provides two helpful examples to illustrate data minimization in practice. The first relates to responses to opt-outs of selling/sharing personal information. In this example, CPPA reminds businesses that opting out of selling/sharing of personal information is not subject to verification. Therefore, businesses should scrutinize what information, if any, it requests to process an opt-out. The second example relates to verification of a consumer’s identity. In this example, CPPA explains that businesses must establish, document, and comply with a reasonable method for verifying that the person making a request under CCPA is the consumer about whom the business has collected information. That method should include assessment of the following questions set forth in 11 CCR § 7002(c)-(d):
- What is the minimum personal information necessary to achieve identity verification?
- Do we need to ask for more personal information than we already have to achieve this purpose?
- What negative impacts could occur if we collect or use personal information in this manner?
- Are there additional safeguards that can address such negative impacts?
This is just the first of several enforcement advisories planned by CPPA. The choice to focus on data minimization in the first publication indicates that California may seek enforcement actions against businesses collecting and processing personal information that is neither necessary nor proportionate to the services requested. Businesses should take CPPA’s recommendations and incorporate data minimization into periodic reviews of privacy practices, including data governance programs.
Taft’s Privacy and Data Security team has extensive experience counseling clients on CCPA, data minimization strategies, and data governance program development. We will continue to monitor updates from CPPA and its future Enforcement Advisories. For more data privacy and security-related updates, please visit Taft’s Privacy and Data and Security Insights blog and the Taft Privacy and Data Security Mobile Application.