On April 2, 2024, the Enforcement Division of the California Privacy Protection Agency (CPPA) issued Enforcement Advisory No. 2024-01. This first-ever enforcement advisory focuses on promoting compliance with California Consumer Privacy Act (CCPA) data minimization obligations related to consumer requests.
Specifically, the enforcement advisory:
- Emphasizes that data minimization is a foundational principle of the CCPA and reiterates that covered businesses should apply this principle to every purpose for which they collect, use, retain or share personal information of consumers residing in California.
- Clarifies that data minimization principles apply to the processing of consumer requests.
- Observes that some businesses are asking consumers to provide unnecessary and excessive personal information in order to grant or respond to consumer requests made under the CCPA.
- Provides examples of how businesses can strengthen their data minimization practices to avoid potential enforcement actions.
Covered businesses should heed the advisory guidance as CPPA Executive Director Ashkan Soltani has stated that, along with educating the public about their rights, “[v]igorous enforcement is part of [the agency’s] mission ... ”
Data Minimization
The concept of data minimization stems from the idea that businesses should only collect consumers’ personal information to the extent it is necessary to fulfill a specific and legal business purpose. Data minimization serves many important functions, such as reducing the risk of harm from data breaches and decreasing the time it takes to respond to consumer requests to access or delete consumers’ personal information.
When Does Data Minimization Apply to Consumer Requests?
The advisory makes clear that data minimization is a foundational principle of the CCPA and thus applies to any CCPA-governed processing of personal information by covered businesses, including the processing of consumers’ CCPA requests.
The advisory highlights some of the less obvious circumstances when data minimization applies under the CCPA and emphasizes that businesses should not collect “beyond what is necessary” to respond to consumer requests. Specifically, data minimization applies to:
- The handling of consumer opt-out preference signals.
- Requests to opt-out of the sale or sharing of data.
- Requests surrounding the use or disclosure of sensitive personal information.
- Identity verification.
Likely Business Scenarios and How To Respond
The advisory outlines two situations in which a business may encounter the data minimization principle and provides guidance on how to respond in both cases.
First, if a covered business receives a consumer request to opt-out of the sale or sharing of their personal information and the business is unsure how much personal information to collect to process such request, the CPPA states that the business (1) cannot require the consumer to verify their identity to make such a request, but (2) may ask the consumer for information necessary to complete the request, provided that the process is not burdensome. For example, a business may ask the consumer for their name if necessary to complete the request, but generally should not require the consumer to send a picture of themselves with their driver’s license in order to exercise their CCPA opt-out rights.
Second, if a covered business must verify a consumer’s identity to fulfill a request, such as to delete personal information, and the consumer at issue does not have an account with the business, the CPPA recommends that the business establish a reasonable method, in line with the CCPA regulations that explain verification and that prioritizes data minimization, to verify that the person making the request is the consumer about whom the business has collected information. This method should not include collecting information that is disproportionate to and excessive relative to the information that the business collects from consumers.
For instance, if the information to be deleted is a name and email address, the business should consider to what degree of certainty it needs to verify the identity of the consumer, the sensitivity of the information to be deleted, and the risks of harm posed by unauthorized deletion.
In general, if a business is uncertain about what information is appropriate to collect when addressing consumer requests, it should consider the following questions that reflect the concepts established under the CCPA:
- What is the minimum amount of personal information necessary for our business to honor a consumer request?
- If we already have certain personal information from this consumer, do we need to ask for more?
- What are the possible negative impacts if we collect additional personal information? Could we put in place additional safeguards to address these possible negative impacts?
- Are the documents and/or photos we have on file sensitive information that should warrant a more stringent verification process than just asking for an email address?
- What is the risk of harm to the consumer if we act on an unauthorized request?
- Is asking for a certain type of information to verify a request disproportionate and excessive?
Conclusion
Covered businesses should carefully review whether they are conscientiously applying the principle of data minimization to their collection, use, retention and sharing of consumers’ personal information when responding to consumer requests. Benefits arising from periodic review of data minimization practices may include reduced exposure to enforcement-related risks and improved data governance.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.