On April 2, the California Privacy Protection Agency (CPPA or "the Agency") issued the Agency's first-ever enforcement advisory. The advisory ("Applying Data Minimization to Consumer Requests") reaffirms data minimization as a core principle of the California Consumer Privacy Act (CCPA) and stresses, in particular, that this principle applies to businesses' processing of CCPA data subject requests, such as the right to delete or right to opt-out.
To date, the California Attorney General (AG) has been the more active enforcer of the CCPA, bringing two enforcement actions and initiating a slew of investigative sweeps into areas such as streaming services, employee and job applicant information, and mobile applications. However, this enforcement advisory should serve as a warning for companies that the CPPA is ramping up its own CCPA enforcement efforts and will be paying particular attention to companies that engage in unnecessary or disproportionate collection or use of personal information.
In this post, we summarize key takeaways from the CPPA's enforcement advisory. To keep abreast of the latest developments in California privacy law, please be sure to subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
KEY TAKEAWAYS
1. Reaffirmation of the data minimization principle. The advisory asserts that data minimization is a "foundational principle in the CCPA," and that "[b]usinesses should apply this principle to every purpose for which they collect, use, retain, and share consumers' personal information." The advisory then points to statutory and regulatory provisions explicitly articulating this principle, such as California Civil Code § 1798.100(c), which states that "[a] business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected" (emphasis added). The advisory also highlights additional regulatory provisions that reflect the data minimization principle, such as the CCPA regulations' provisions related to opt-out preference signals, requests to opt-out and limit, and verification of consumer identity.
2. Data minimization and responses to data subject requests. Much of the advisory is concerned specifically with the application of data minimization principles in the context of businesses' responses to data subject requests. Here, the Enforcement Division notes "that certain businesses are asking consumers to provide excessive and unnecessary personal information in response to [data subject] requests." The advisory accordingly reminds businesses that the CCPA's data minimization principle applies with equal force to businesses' processing of data subject requests. To aid companies in applying the data minimization principle in this context, the advisory includes two illustrative scenarios — (1) responding to a request to opt-out of sale or sharing of personal information and (2) verifying a consumer's identity in relation to a request to delete personal information— that aim to shed light on how businesses should assess whether they are processing personal information in a manner consistent with the data minimization principle. Ultimately, the key takeaway for businesses here is that the data minimization principle should inform all of a company's data processing activities — including its responses to data subject requests.
3. Legal status of advisories. The advisory takes care to emphasize that it does not have binding legal force, noting that enforcement advisories "do not implement, interpret, or make specific the law enforced or administered by the [CPPA], establish substantive policy or rights, constitute legal advice, or reflect the views of the Agency's Board." The advisory further explains that it does not provide any sort of safe harbor for businesses, and that the CCPA statute and regulations take precedence over the advisory in the event of any conflicting provisions. Thus, while businesses should consult the enforcement advisory as a helpful resource, compliance decisions should ultimately be based on analysis of the relevant statutory and regulatory provisions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
