ARTICLE
26 April 2024

California Privacy Agency Issues First Enforcement Advisory

Arnold & Porter
Contributor
Arnold & Porter is a firm of more than 1,000 lawyers, providing sophisticated litigation and transactional capabilities, renowned regulatory experience and market-leading multidisciplinary practices in the life sciences and financial services industries. Our global reach, experience and deep knowledge allow us to work across geographic, cultural, technological and ideological borders.

On April 2, 2024, the Enforcement Division of the California Privacy Protection Agency issued its first Enforcement Advisory (No. 2024-01) (the Advisory). The Advisory addresses the obligation of businesses to practice data minimization, particularly when responding to and fulfilling consumer rights requests under the California Consumer Privacy Act (CCPA). As stated in the Advisory, its release was prompted by the agency's observation that some businesses are "asking consumers to provide excessive and unnecessary personal information" when responding to consumer rights requests.

Like many privacy laws, the CCPA provides consumers with the right to make various requests to businesses that handle their personal information, including requests to access, correct, and delete personal information; to opt out of the sale or "sharing" (which, under the CCPA, means transmitting to a third party to use for targeted advertising) of personal information; and to limit the use and disclosure of sensitive information. Such requests are typically referred to as "consumer rights requests." Under the agency's CCPA regulations, businesses are permitted to collect only very limited personal information in order to verify the identity of a consumer making such a request. For example, the regulations surrounding opt-out preference signals, requests to opt out of sale or sharing, and requests to limit use and disclosure of sensitive information prohibit the collection of personal information "beyond what is necessary" to fulfill a consumer rights request. The regulations more broadly require that a business's handling of personal information be "reasonably necessary and proportionate" to achieve a permitted purpose. At bottom, businesses are required to practice data minimization, both generally and when handling consumer rights requests under the CCPA.

In assessing the reasonableness and proportionality of collecting personal information when handling consumer rights requests, the Advisory suggests that businesses conduct an analysis based on answers to certain questions, such as:

  • What is the minimum amount of personal information necessary to fulfill this request?
  • What personal information have we already collected from consumers? Is there a need to request additional information from consumers to fulfill their requests?
  • What are the potential negative impacts if we collect additional personal information from the consumer? For example, what negative impact would collecting a consumer's social security number have on the consumer if a data breach were to occur?
  • What are some additional safeguards we can implement to address the potential negative impacts of collecting additional information? For example, can we require that a consumer request and confirm a code in order to verify their identity in connection with their request?

The Advisory further provides hypothetical examples of what this analysis may look like in practice when responding to a request to opt out of the sale or sharing of personal information and when verifying a requestor's identity.

Although the Advisory focuses primarily on data minimization in connection with consumer rights requests, it underscores the general principle of data minimization and the importance of the agency in its role as enforcer of the CCPA. With the agency's increased commitment to enforcement, businesses may need to frequently review and, as necessary, supplement their privacy compliance procedures to ensure that they practice data minimization in all areas, particularly in the context of responding to consumer rights requests.

* Vanessa Villarruel contributed to this blog. Vanessa is a graduate of the University of California College of the Law, San Francisco.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
