California Privacy Regulator Issues First Enforcement Advisory

On April 1, 2024, the California Privacy Protection Agency (CPPA) issued its first enforcement advisory directing businesses to implement the data minimization principle when responding to consumer requests. The advisory was motivated by the CPPA's observation that "certain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the [California Consumer Privacy Act (CCPA)]."

Data minimization is one of the cornerstone principles of the CCPA, which requires covered businesses to restrict their processing of personal data to that which is "reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed." The regulations promulgated under the CCPA expand on this obligation and state that the necessity and proportionality assessment should be based on the following:

1. The minimum personal information that is necessary to achieve the purpose of processing that the business has disclosed to the customer.
2. The possible negative impacts on consumers posed by the business's processing of personal information.
3. Additional safeguards that the business uses to protect the personal information to specifically address possible negative impacts on customers.

As the enforcement advisory points out, the concept of data minimization is manifested throughout the CCPA. For example, when responding to a request to opt out of the sale or sharing of personal information, businesses may not require the customer to verify their identity and must restrict the personal information they collect to that which is necessary to process the opt-out request.

For other requests, including requests to access or delete personal information, businesses are required to verify the customer's identity. However, the regulations concerning identity verification require businesses, wherever feasible, to match the identifying information provided by the consumer to the information already maintained by the business; and to avoid collecting particularly sensitive personal information, such as Social Security numbers, financial account numbers, or unique biometric data to verify identity. Furthermore, if it is necessary to collect additional information from a consumer to verify their identity, businesses should only use that information for identification, security, or fraud prevention purposes. Any newly collected information must be deleted as soon as practical after verifying the consumer's identity and responding to their request.

The enforcement alert contains illustrative examples of how businesses should assess the information required to respond to opt-out requests and requests to delete personal information. The examples emphasize the importance of ensuring that data minimization is embedded in all aspects of businesses' privacy compliance programs, including in processes and procedures for responding to consumer requests.

DWT's Privacy and Security team regularly advises businesses on how to structure and implement privacy compliance programs and will continue to monitor regulatory developments in this space.