California Privacy Protection Agency Publishes Enforcement Advisory On Data Minimization

JD
Jones Day
Contributor
Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.
California's privacy enforcement agency has published crucial data minimization guidance for businesses.
United States Privacy
To print this article, all you need is to be registered or login on Mondaq.com.

In April 2024, the California Privacy Protection Agency ("CPPA") published "Applying Data Minimization to Consumer Requests," its first enforcement advisory emphasizing data minimization as a "foundational principle" of the California Consumer Privacy Act ("CCPA"). Although the advisory does not have the force of law, it provides important data minimization guidance for businesses under the CCPA's purview.

The advisory reflects the CPPA's enforcement actions concerning businesses' collection, use, retention, and sharing of consumer data. As discussed in our previous Commentary, the CCPA requires all such activity to be "reasonably necessary and proportionate" to achieve the business's purpose in collecting or processing the data. The CPPA has observed that certain businesses ask consumers to provide excessive and unnecessary personal information before processing consumer data requests.

The advisory outlines various factors that businesses should consider when deciding how to apply data minimization principles to consumer requests seeking to opt-out of the sale or sharing of their personal information. These factors include the minimum amount of personal information necessary to honor the request, how the business sells or shares personal information, and what information it sells or shares. For example, if a business only sells or shares consumers' online activities in the context of cross-context behavioral advertising, it does not need additional identifying information (e.g., name or email address) from consumers to comply with an opt-out request. By contrast, if a business sells or shares consumers' online activity and purchasing history, it may need additional identifying information to apply an opt-out that goes beyond just online activity.

The advisory signals that data minimization is an enforcement priority for the CPPA, especially as the principle relates to a business's processing of consumer requests. Applying data minimization principles requires businesses to carefully consider the context of their relationship with consumers and collect the "minimum personal information" necessary to comply with consumer requests. In light of the advisory, businesses should review their data governance practices for compliance with the CCPA's data minimization principles.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

California Privacy Protection Agency Publishes Enforcement Advisory On Data Minimization

United States Privacy
Contributor
Jones Day is a global law firm with more than 2,500 lawyers across five continents. The Firm is distinguished by a singular tradition of client service; the mutual commitment to, and the seamless collaboration of, a true partnership; formidable legal talent across multiple disciplines and jurisdictions; and shared professional values that focus on client needs.
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More