The California Privacy Protection Agency ("CPPA") has published its first-ever enforcement advisory regarding data minimization. Here, we provide an overview of what the advisory is, what it does, and what businesses should consider going forward.
- What is it? The enforcement advisory is meant to promote voluntary compliance with the California Consumer Privacy Act ("CCPA") but notably does not serve as an enforcement guideline, stating that it "does not implement, interpret, or make specific the law enforced or administered" by the CPPA. Instead, it highlights key parts of the CCPA and the CCPA regulations that businesses should consider in their compliance programs.
- What does it address? The advisory is narrowly aimed at providing clarification and examples regarding the data minimization requirements of the CCPA. Noting that the CPPA Enforcement Division "is observing that certain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make," the CPPA states that "businesses must apply" data minimization principles "for each purpose for which businesses collect, use, retain, and share personal information."
- What should businesses keep in mind? The CPPA outlines two factual scenarios where businesses should carefully review whether they are adhering to the data minimization principle:
- Opt-Out of Sales/Shares: Per CCPA § 1798.100(c) and CCPA regulation 11 CCR § 7002(d), businesses should not require that consumers verify their identity to make a request to opt out of sales/shares. Businesses should consider the manner in which they sell or share information, and what information is sold or shared. For example, if sales or shares are only done in the context of cross-context behavioral advertising, a business would not need additional information, such as a name or email address, to comply with an opt-out. However, if a business sells or shares profiles that include both online activity and other information, a business may need additional information to opt the user out of more than just online activity. Even then, asking for information unrelated to that which is sold or shared may still exceed the "minimum personal information" requirement. For example, if a business is selling or sharing consumer shopping habits, requiring a driver's license to opt out may not comply with the data minimization requirement.
- Verification of Identity: The data minimization principle also applies to the verification of consumer requests. The CPPA provides two examples regarding verification of consumer identity for effectuating consumer rights. In the first, the business keeps consumer names and email addresses on file but does not maintain user accounts. To create a system that applies data minimization to user requests, the business should: (i) review the information already in its possession; (ii) consider its degree of certainty in the consumer's identity and the sensitivity of the data to be deleted; and (iii) consider the proportionality of the additional information to the consumer request (e.g., asking for a social security number to delete a consumer's name and email address could be disproportionate).
In its second example, a business keeps names and email addresses, and stores photographs and documents associated with the name and email. The business should review: (i) whether the documents and photos are sensitive and what the potential harm of deletion is; (ii) whether it could reasonably rely on the information already on file and whether asking for additional information would be disproportionate and excessive; (iii) the possible negative impacts of additional collection (and possible breach of the additional information); and (iv) its interaction with the consumer, including whether the consumer can request and confirm a code as verification of identity and additional safeguards that could be put in place.
There are four overall questions suggested by the CPPA when businesses are engaging in this process:
- What is the minimum personal information that is necessary to achieve this purpose (i.e., identity verification)?
- We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?
- What are the possible negative impacts posed if we collect or use the personal information in this manner?
- Are there additional safeguards we could put in place to address the possible negative impacts?
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.