The California Privacy Protection Agency (CPPA) sent out an advisory on April 2, 2024, warning businesses about compliance with the data minimization requirements of the California Consumer Privacy Act (CCPA). This is the first such advisory from the agency, and it also serves as a signal that its newly staffed Enforcement Division is open for business.
Here’s what we learned from the CPPA’s enforcement advisory.
The CPPA dedicated a significant amount of space to the topic of data minimization in its updated regulations, and now its first enforcement advisory is focused exclusively on the same subject. This tells us that the agency considers data minimization to be a key component of CCPA compliance.
As a reminder, here is the general rule on data minimization, as found in the statute:
A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
Current CCPA regulations go into great detail about what is considered “reasonably necessary and proportionate” and when an additional purpose is “compatible” with the original collection purpose.
While the enforcement advisory does cover data minimization as a whole, it is primarily concerned with how those principles operate within the context of privacy requests. Specifically, it describes how data minimization applies in two scenarios: 1) requesting personal information in order to complete an opt-out request, and 2) requesting personal information to verify a consumer's identity.
Opt-outs are meant to be streamlined from the perspective of the consumer. No verification is required; in fact, businesses are not allowed to require verification. Businesses should also require consumers to provide only the personal information that is necessary to complete the request.
For example, in order to opt a consumer out of cookie-based targeted advertising, it should not be necessary to collect their email address. On the other hand, if the business shares its contact lists with ad networks via a custom audiences feature, it may be necessary to collect an email address in order to remove that consumer from the list.
Overall, anything that makes privacy requests unnecessarily burdensome for consumers is a prime target for CCPA enforcement.
For most other types of privacy requests, businesses are required to authenticate the consumer’s identity. The level of security required depends on the type of personal data at issue. If data is not particularly sensitive, email verification will probably suffice; for more sensitive data, such as financial information, a higher degree of certainty is required. This may involve matching multiple data points like email and telephone number, or even uploading a copy of a government-issued ID.
What the CPPA enforcement advisory makes clear is that businesses must balance security needs against data minimization requirements. In other words, they should not be demanding burdensome identity verification if the situation does not warrant it. For example, if a consumer is requesting that a business delete their browsing history, requiring them to submit a photo of themselves holding an ID is probably “disproportionate and excessive.”
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.