July 24, 2024
CCPA Data Minimization Rules
New regulations have clarified - but also added to - many of the CCPA's rules. Learn about the latest data minimization requirements for businesses.

Commercial use of personal data has exploded in recent years, with large tech firms in particular processing staggering amounts of data. In response, data privacy laws like the CCPA have started imposing data minimization rules that restrict the collection and use of personal information.

The California Privacy Protection Agency (CPPA, in case you needed another acronym to remember) released an updated set of regulations to provide clarity on this and many other issues.

For some context on how many “other issues” were clarified in these regulations, it is worth mentioning that they were over 65 pages long. This will be the first of a series pulling out the highlights to keep you informed.

Note: Examples in italics are taken directly from the regulations.

The Rule Explained

Under the CCPA, all processing of personal information must be reasonably necessary and proportionate to achieve one of the following:

  1. The purpose the personal information was collected or processed for, or
  2. Another disclosed purpose that is compatible with the context in which the personal information was collected

The CPPA’s regulations go on at some length explaining this rule, providing many answers and signaling that the agency considers this to be an important area of compliance.

1. “Reasonably Necessary and Proportionate”

Because many might disagree on what “necessary and proportionate” means, the CCPA regulations have identified three factors to consider:

  • The minimum amount of personal information necessary to achieve the purpose
    Think of this as the baseline; anything above what is absolutely necessary has to be justified as reasonable.
    Example: In order to process a customer’s online order, a business may need their payment details, order info, shipping info, and email address.
  • Possible negative impacts on the consumer
    Consider factors such as whether the data is sensitive or could harm the consumer if your system is breached.
    Example: Collecting precise geolocation data may reveal other sensitive information, such as visits to a healthcare provider.
  • Existence of safeguards to address possible negative impacts
    What can your business do to reduce the risk of harm to consumers presented by the processing of their data?
    Example: Encryption or automatic deletion of personal information may reduce the likelihood of negative impacts.

2. “The purpose for which the personal information was collected”

Any purpose for which personal information is collected or processed must be consistent with consumers’ reasonable expectations.

Determining what “reasonable expectations” are is context-specific and based on several factors:

  • The relationship between the consumer and the business
  • The type, nature, and amount of personal information
  • The source of the personal information and the business’s method for collecting or processing it
  • The specificity, explicitness, prominence, and clarity of disclosures to the consumer
  • The degree to which the involvement of service providers, contractors, third parties, or other entities is apparent to the consumer

Example: If a mobile flashlight application is collecting consumers’ geolocation data in order to share it with advertisers, this likely does not meet consumers’ reasonable expectations.

3. “Another disclosed purpose that is compatible with the context”

This applies to “further processing,” i.e., when a business uses personal information for purposes beyond why it was originally collected.

When determining whether such processing is compatible with the original context in which it was collected, businesses should consider the strength of the link between the processing purpose and the consumer’s reasonable expectations.

Examples: A strong link exists when a consumer provides their personal information in connection with receiving a service and their information is also used to fix errors that impair that service. A weak link exists when a person provides photographs to be stored in a cloud server and those photos are used to research and develop an unrelated facial recognition software.

What Happens If Processing Doesn’t Meet This Standard?

If your business determines that a processing activity does not meet these requirements, it may still be allowed if you first collect the consumer’s consent.

Consent under the CCPA must be informed, unambiguous, and affirmatively given (meaning no pre-checked boxes). It is important to note, however, that even with consent, collection and use of personal information must be reasonably necessary and proportionate to achieve a disclosed purpose.

Here’s an example: A business collects customers’ email addresses for the purpose of sending them an electronic receipt, but also shares that data along with information about their purchases with a social media site in order to serve targeted ads to them on that site.

This use of their personal information does not meet consumers’ reasonable expectations and is not compatible with the original context for collecting the data (i.e., sending them a receipt). However, the business can still use the data in this way if it gets consent when collecting the email addresses.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
