On April 2, the Enforcement Division of the California Privacy Protection Agency issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.” The Advisory highlights certain provisions of and regulations promulgated under the California Consumer Privacy Act (“CCPA”) that “reflect the concept of data minimization” and provides two examples that illustrate how businesses may apply data minimization principles in certain scenarios.
First, the Advisory includes the CCPA’s data minimization principle reflected in Civil Code § 1798.100(c): “[a] business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate” to achieve the purpose for which it was collected or processed, or another, compatible and disclosed purpose.
The Advisory notes that the regulations “underscor[e] this principle” by explaining that whether a business’s data practices are “reasonably necessary and proportionate” within the meaning of the statute is based on (1) “[t]he minimum personal information that is necessary to achieve the purpose identified,” (2) “possible negative impacts to consumers posed by the business’s collection or processing of the personal information,” and (3) “the existence of additional safeguards for the personal information” to address those possible negative impacts. The Advisory next highlights other CCPA regulations that “reflect the concept of data minimization.” For example, the Advisory identifies certain regulations that prohibit requiring consumers to provide “additional information beyond what is necessary” to exercise certain rights under the CCPA, including 11 CCR § 7025(c)(2) concerning opt-out preference signals.
The Advisory also describes two hypothetical “illustrative scenarios in which a business might encounter the data minimization principle.” The first scenario contemplates a business’s response to a consumer’s request to opt out of sale/sharing, and the second a business’s process for verifying a consumer’s identity with respect to a request to delete. In both, the Advisory provides examples of questions businesses could consider to apply data minimization principles to the scenarios. These questions reflect the three bases set out in the regulations to determine whether a business’s data practices are “reasonably necessary and proportionate.” as discussed above. For example, per the Advisory, a business verifying a deletion request could consider: “We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?”
Finally, the Advisory explains that Enforcement Advisories are intended to “provide[ ] additional detail about principles of the CCPA and highlight[ ] observations of non-compliance to deter violations.” They do not “implement, interpret, or make specific the law enforced or administered by the California Privacy Protection Agency, establish substantive policy or rights, constitute legal advice, or reflect the views of the Agency’s Board.” The Agency further states that adherence to guidance in an advisory is not a safe harbor from potential enforcement actions, which are assessed on a case-by-case basis.