On April 2, 2024, the California Privacy Protection Agency issued its first Enforcement Advisory, 2024-01, reminding businesses that data minimization is a foundational principle of the California Consumer Protection Act (CCPA). The advisory states that this principle applies “to every purpose for which businesses collect, use, retain and share consumers’ personal information,” and that the Agency’s Enforcement Division is noticing that many businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA. More specifically, the advisory focuses on the minimization standard in California Civil Code § 1798.100(c) and the related CCPA regulations. The Agency emphasizes that when a consumer makes a request (for example, to opt out of the sharing of their personal information or to limit the use of their sensitive personal information), businesses must not request additional information beyond what is necessary, and must delete any new information collected solely for the purpose of verifying the consumer’s identity.

A number of hypothetical scenarios are provided, together with questions businesses should ask themselves to ensure they are appropriately applying data minimization principles. I strongly recommend that businesses to whom the CCPA applies review these questions to gain an in-depth understanding of how the Agency is interpreting the regulations that apply to their handling of data subjects’ rights requests.

As this is the first advisory of its kind under the CCPA, it is worth noting the Agency’s general caveat about its advisories: “Advisories do not implement, interpret, or make specific the law enforced or administered by the California Privacy Protection Agency, establish substantive policy or rights, constitute legal advice, or reflect the views of the Agency’s Board.”

While it appears that an enforcement advisory will not provide a compliance safe harbor, there are valuable insights to be gained by businesses seeking to minimize risk. The concept of data minimization is not new to the CCPA – it is also one of the Fair Information Practice Principles (FIPPs) foundational to many privacy laws globally, and also addressed in the Health Insurance Portability and Accountability Act (HIPAA). 

Businesses have focused heavily on what is communicated in privacy policies when addressing privacy law compliance in California. But beyond a business’s publicly available notice, Enforcement Advisory 2024-01 reminds us to think carefully about which categories of personal information are being collected, the sensitivity of those categories, the purpose(s) of that collection, and whether the information collected is minimized while still serving those purposes.
