The California Privacy Protection Agency (CPPA) sent out an advisory on April 2, 2024, warning businesses about compliance with the data minimization requirements of the California Consumer Privacy Act (CCPA). This the first such advisory from the agency, and also serves as a signal that its newly staffed Enforcement Division is open for business.
Here’s what we learned from the CPPA’s enforcement advisory.
Data Minimization Is a Priority
The CPPA dedicated a significant amount of space to the topic of data minimization in its updated regulations, and now its first enforcement advisory is focused exclusively on the same subject. This tells us that the agency considers data minimization to be a key component of CCPA compliance.
As a reminder, here is the general rule on data minimization, as found in the statute:
A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
Current CCPA regulations go into great detail about what is considered “reasonably necessary and proportionate” and when an additional purpose is “compatible” with the original collection purpose.
Collecting Data for Privacy Requests
While the enforcement advisory does cover data minimization as a whole, it is primarily concerned with how those principles operate within the context of privacy requests. Specifically, it describes how data minimization can apply to two scenarios: 1) Requesting personal information in order to complete an opt-out request, and 2) requesting personal information to verify a consumer's identity.
1. Requests to Opt Out
Opt-outs are meant to be streamlined from the perspective of the consumer. No verification is required, and in fact businesses are not allowed to require verification. Also, businesses should require consumers to provide only that personal information which is necessary to complete the request.
For example, in order to opt a consumer out of cookie-based targeted advertising, it should not be necessary to collect their email address. On the other hand, if the business shares its contact lists with ad networks via a custom audiences feature, it may be necessary to collect an email address in order to remove that consumer from the list.
Overall, anything that makes privacy requests unnecessarily burdensome for consumers is a prime target for CCPA enforcement.
2. Identity Verification for Privacy Requests
For most other types of privacy requests, businesses are required to authenticate the consumer’s identity. The level of security required depends on the type of personal data at issue. If data is not particularly sensitive, email verification will probably suffice; for more sensitive data, such as financial information, a higher degree of certainty is required. This may involve matching multiple data points like email and telephone number, or even uploading a copy of a government-issued ID.
What the CPPA enforcement advisory makes clear is that businesses must balance security needs against data minimization requirements. In other words, they should not be demanding burdensome identity verification if the situation does not warrant it. For example, if a consumer is requesting that a business delete their browsing history, requiring them to submit a photo of themselves holding an ID is probably “disproportionate and excessive.”
Privacy Compliance Made Simple
The CPPA is signaling that enforcement is starting in earnest. The CCPA has been on the books for years, and regulators are much less likely now to give companies an opportunity to cure violations. The time for getting compliant is now, before an enforcement action disrupts your business and costs you hundreds of thousands of dollars in fines and legal fees.
TrueVault US simplifies privacy compliance across multiple state laws, so that businesses can handle it on their own. With an interface that is familiar to anyone who has done their own taxes online, TrueVault guides you through every step of the process, from onboarding vendors to handling privacy requests. As more states pass comprehensive privacy laws, they are added to your Privacy Center at no extra cost.
Contact our team to learn more and view a demo of how TrueVault works.
