Earlier this month, the California Privacy Protection Agency (CPPA) issued its first-ever enforcement advisory (No. 2024-01). The advisory addresses what it calls the “foundational principle” of data minimization, and more specifically, as applied to the processing of consumer requests.
The advisory was issued in response to the Enforcement Division’s purported observation of certain business practices that require consumers to “provide excessive and unnecessary personal information” when processing consumer requests. It outlines a few less obvious circumstances where the concept of data minimization applies and provides examples and guidance on how to respond. The examples include handling of consumer requests to opt-out of the sale or sharing of data and the verification of a consumer’s identity.
Putting into practice: Covered businesses should carefully evaluate their internal policies and procedures and assess the extent to which they could be viewed as collecting more information than “strictly necessary” to verify and process consumer requests.