The California Privacy Protection Agency (CPPA) recently issued an enforcement advisory encouraging covered businesses to focus on their data minimization obligations related to consumer requests under the California Consumer Privacy Act (CCPA). The advisory categorizes data minimization as a “foundational principle” of the CCPA and reflects the reasons why businesses will apply this principle for better compliance with the CCPA. The advisory states: “[b]usinesses should apply this principle [of data minimization] to every purpose for which they collect, use, retain, and share consumers’ personal information.”
The publication of this advisory stems from the CPPA Enforcement Division’s observation of businesses “asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.”
However, note that this advisory and any others issued by the CPPA “do not implement, interpret, or make specific the law enforced or administered by the [CPPA], establish substantive policy or rights, constitute legal advice, or reflect the views of the Agency’s Board.” But note that the CPPA was also careful to note that adherence to an advisory is NOT “alternative relief or safe harbor from potential violations.”
The advisory also cites four examples of less obvious areas where data minimization applies under the CCPA: 1) the handling of user opt-out preference signals; 2) requests for data sale and sharing opt-outs; 3) requests around the use and disclosure of sensitive personal information; and 4) identity verification. To see the full advisory, click here.