The California Privacy Protection Agency (“CPPA”) has published its first ever enforcement advisory regarding data minimization. Here, we provide an overview of what the advisory is, what it does, and what businesses should consider going forward. 

  • What is it? The enforcement advisory is meant to promote voluntary compliance with the California Consumer Privacy Act (“CCPA”) but notably does not serve as an enforcement guideline, stating that it “does not implement, interpret, or make specific the law enforced or administered” by the CPPA. Instead, it highlights key parts of the CPPA and the CPPA regulations that businesses should consider in their compliance programs.
     
  • What does it address? The advisory is narrowly aimed at providing clarification and examples regarding the data minimization requirements of the CPPA. Noting that the CPPA Enforcement Division “is observing that certain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make,” the CPPA states that “businesses must apply” data minimization principles “for each purpose for which businesses collect, use, retain, and share personal information.”
     
  • What should businesses keep in mind? The CPPA outlines two factual scenarios where businesses should carefully review whether they are adhering to the data minimization principle: 
    • Opt-Out of Sales/Shares: Per CCPA § 1798.100(c) and CCPA regulation 11 CCR § 7002(d), businesses should not require that consumers verify their identity to make a request to opt-out of sales/shares. Businesses should consider the manner in which they sell or share information, and what information is sold or shared. For example, if sales or shares are only done in the context of cross-context behavioral advertising, a business would not need additional information, such as a name or email address, to comply with an opt-out. However, if a business sells or shares profiles that include both online activity and other information, a business may need additional information to opt the user out of more than just online activity. Even then, asking for information unrelated to that which is sold or shared may still exceed the “minimum personal information” requirement. For example, if a business is selling or sharing consumer shopping habits, requiring a driver’s license to opt out may not comply with the data minimization requirement.
    • Verification of Identity: The data minimization principle also applies to the verification of consumer requests. The CPPA provides two examples regarding verification of consumer identity for effectuating consumer rights. In the first, the business keeps consumer names and email addresses on file but does not maintain user accounts. To create a system that applies data minimization to user requests, the business should: (i) review the information already in its possession; (ii) consider its degree of certainty in the consumer’s identity and the sensitivity of the data to be deleted; and (iii) consider the proportionality of the additional information to the consumer request (e.g., asking for a social security number to delete a consumer’s name and email address could be disproportionate).

      In its second example, a business keeps names and email addresses, and stores photographs and documents associated with the name and email. The business should review: (i) whether the documents and photos are sensitive and what the potential harm of deletion is; (ii) whether it could reasonably rely on the information already on file and whether asking for additional information would be disproportionate and excessive; (iii) the possible negative impacts of additional collection (and a possible breach of the additional information); and (iv) its interaction with the consumer, including whether the consumer can request and confirm a code as verification of identity, and what additional safeguards could be put in place.

The CPPA suggests four overall questions for businesses to ask when engaging in this process:

  • What is the minimum personal information that is necessary to achieve this purpose (i.e., identity verification)?
  • We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?
  • What are the possible negative impacts posed if we collect or use the personal information in this manner?
  • Are there additional safeguards we could put in place to address the possible negative impacts?