CPPA Enforcement Division Issues First Enforcement Advisory on Data Minimization
Nicholas Ntovas, Business Strategy and Innovation
Business Strategist & Innovator Consent Management SaaS Platforms
On April 2, 2024, the California Privacy Protection Agency's (CPPA) Enforcement Division issued its first enforcement advisory, titled "Applying Data Minimization to Consumer Requests," to further emphasize the importance of data minimization obligations upon businesses under the California Consumer Privacy Act (CCPA).
Under the CCPA, data minimization requires that a business' collection, use, retention, and sharing of a consumer's personal information be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. Through this enforcement advisory, the CPPA highlights data minimization as a fundamental principle of the CCPA and emphasizes that businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers' personal information. Further, the enforcement advisory outlines two explanatory scenarios for businesses to consider in ensuring adherence to data minimization principles: (a) opting out of sale/sharing; and (b) verifying a consumer's identity for data deletion requests.
Scenario One: Opting Out of the Sale or Sharing of Personal Information
When a consumer requests to opt out of the sale or sharing of their personal information, businesses shall not require a consumer to verify their identity to make a request to opt out. Instead, a business should focus on gathering only the essential information to facilitate the request without imposing undue burdens on consumers.
The enforcement advisory suggests that businesses can navigate this scenario by asking critical questions, including:
Notably, if a business only sells or shares a consumer's online activities for cross-context behavioral advertising, it may not require additional information, like name or email address, to honor an opt-out request. Businesses should also keep in mind that the CCPA Regulations prohibit requiring consumers to create an account or submit verifiable consumer requests to exercise their opt-out rights.
However, if a business sells or shares more comprehensive consumer profiles, such as online activity and other data like purchasing history, it may need consumers to provide additional identification to apply the opt-out broadly. The additional information requested should be proportionate. For example, if a business sells or shares purchase history, then requesting unrelated personal information like a driver's license could potentially exceed the scope of "minimum personal information" necessary to comply with the opt-out request.
Scenario Two: Identity Verification for Data Deletion Requests
In scenarios where businesses need to verify a consumer's identity for requests such as deletion of personal information, they should likewise adopt a method that aligns with data minimization principles.
In addition to the critical questions outlined above, the enforcement advisory discusses key considerations, including:
For example, when a business has consumer names and email addresses and a consumer requests deletion of their information, the business can ask itself to what degree of certainty it needs to verify the identity of the consumer, and whether it is necessary to request an identification number in order to comply with the request.
As another example, a business may hold personal information including photos and documents linked to names and email addresses. When a consumer requests deletion of their information, the business can evaluate whether such photos are sensitive information that should warrant a more stringent verification process than just asking for an email address. The business should also consider the possible negative impacts posed to the consumer if the business collects driver's license numbers for verification purposes when the business does not typically collect such information, and whether the business can implement alternative verification methods such as issuing a confirmation code as a means of reauthenticating the consumer's identity. As noted in the CCPA Regulations, businesses should, whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer it already maintains.
The enforcement advisory serves as a valuable resource for businesses seeking to align their practices with CCPA regulatory requirements, thereby mitigating the risk of penalties and reputational damage associated with noncompliance. Michael Macko, Deputy Director of Enforcement for the CPPA, notes that "we intend for our Enforcement Advisories to promote voluntary compliance, but sometimes stronger medicine will be in order" and "we won't hesitate to act when necessary."
Nicholas Ntovas
CM Consultant & GDPR Data Protection Practitioner
www.usercentrics.com Leader in Consent Management