Companies take note. California officials have warned that collecting unnecessary data, or retaining data for longer than necessary, is prohibited by law. On April 2, the California Privacy Protection Agency released its first enforcement advisory, which addresses data minimization under the state's signature data privacy law. It focuses on a very specific situation: how a business responds to a consumer request under the California Consumer Privacy Act (CCPA). Here's what you need to know, along with four important steps you can take to avoid over-collecting data when responding to CCPA consumer requests (including requests from employees, job applicants, and others).
What is data minimization, and why did the agency issue an enforcement advisory?
Although enforcement advisories are not intended to interpret the CCPA or create new law, they nonetheless provide insight into the agency's priorities going forward. And the April 2 enforcement advisory is a very clear warning to businesses.
The agency appears to believe that businesses are asking consumers for too much information when they submit CCPA consumer requests. “Data minimization is a fundamental principle of the CCPA,” it states, and that principle is undermined when a business makes it too difficult for a consumer to exercise CCPA rights or requires too much information to verify the consumer's identity.
Data minimization flows from the CCPA requirement that a business's collection, use, retention, and sharing of consumers' personal information be “reasonably necessary and appropriate to accomplish the purposes for which the personal information was collected or processed.” Whether the collection, use, retention, and/or sharing of personal information is reasonably necessary and appropriate to achieve the identified purposes is determined based on:
- The minimum personal information necessary to achieve the identified purposes (the purposes disclosed to the consumer at or before the time of collection) or the purposes for which the business has obtained the consumer's consent;
- The possible negative impacts on consumers; and
- The existence of additional safeguards for the personal information that specifically address the possible negative impacts on consumers.
To illustrate the concept, the Enforcement Advisory points to where this principle appears in the CCPA Regulations: the rules on opt-out preference signals (also known as global privacy controls), requests to opt out of the sale/sharing of personal information, requests to limit the use and disclosure of sensitive personal information, and the general rules on verifying a consumer's identity.
The enforcement advisory also walks through two fact-based scenarios in which businesses should consider and apply data minimization: responding to a request to opt out of the sale or sharing of personal information, and verifying a consumer's identity in response to a CCPA request to delete personal information.
Minimizing data when processing opt-outs of the sale and sharing of personal information
In the first scenario, the enforcement advisory reminds businesses that they cannot require a consumer to verify his or her identity in connection with a request to opt out of the sale or sharing of personal information or a request to limit the use or disclosure of sensitive personal information. This means that the processes that receive, handle, and respond to these two types of requests cannot include identity verification steps. A business may ask for additional information it needs to carry out the opt-out, but that is not the same as verifying the consumer's identity, and if additional information is required, the business should ask only for the minimum necessary to give effect to the request.
The Enforcement Advisory first envisions a scenario in which a consumer opts out of cross-context behavioral advertising through an opt-out preference signal. Certain web browsers allow users to set such a signal, so the browser automatically sends the website a signal indicating that the user has opted out of having data shared through cookies for targeted advertising. In that case, no additional information is needed to read, process, and honor the opt-out signal.
However, if personal information is sold or shared offline and the business cannot connect the online user to offline activity, additional information is needed to give effect to the offline opt-out. Even then, the information requested must be no more than is needed to complete the offline request. Requiring irrelevant personal information (for example, a driver's license in order to opt out of the sale of a consumer's purchase history) would likely be more than necessary, according to the enforcement advisory.
Minimizing data when verifying a consumer's identity
In the second scenario, the Enforcement Advisory gives an example of how to apply the principle when receiving a consumer request to delete personal information. Here the agency did not offer an easy or suggested answer. Instead, it presented a series of questions (without suggested answers) that a business can ask when evaluating what information to request before acting on a deletion request.
Although the advisory avoids answering those questions itself, the questions provide insight into what to consider when deciding how to verify identity.
- Assess the harm to the consumer from an unauthorized deletion. Although the agency's example focuses on deleting information that has sentimental value, you should also consider whether deletion could have significant negative financial or other consequences. The greater the potential harm to the consumer, the more rigorous the verification should be. If the information to be deleted is not important, there is no need to overcomplicate the verification process. The key point is that verification should not be a one-size-fits-all process.
- Evaluate the harm of asking the consumer for new information. Requesting sensitive information such as a driver's license or Social Security number exposes the consumer to identity theft in the event of a data breach. Although the Enforcement Advisory does not address this, you should also ask how requesting information you do not already hold (and therefore cannot check against anything) helps verify the consumer's identity.
It is important to emphasize that harm to the business is not what is at issue. The agency's questions are consumer-centric and consider only the benefits and harms to the consumer. When designing a verification process, you need to view it through that lens.
Four next steps: a compliance guide
We recommend that you consider the following four steps to best position your organization for compliance.
1. Review your practices
Review the mechanisms you use to process requests to opt out of the sale/sharing of personal information and requests to limit the use or disclosure of sensitive personal information. If you are verifying identities in order to process these requests, stop immediately. If you need additional information to determine who the requester is (perhaps they have a common name) before you can process or give effect to the request, request only the minimum information necessary.
2. Determine if you need global privacy controls
If your website uses third-party cookies, pixels, beacons, tags, or other tracking technologies, or discloses data to third parties that may be used for targeted advertising, and you do not currently process or honor Global Privacy Control (GPC) signals as opt-out preference signals, you should set that up now.
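As an added illustration of the two opt-out points above (honoring the browser signal with no extra data, and capping what an offline opt-out may ask for), here is a small intake routine. It is not the agency's text or any vendor's code; it assumes request headers and form fields arrive as plain dicts, and that an email address is the only field the business needs to locate an offline record.

```python
"""Opt-out intake that follows the advisory's data-minimization points:
no identity verification for opt-out / limit requests, the browser opt-out
preference signal is honored with no additional information, and an offline
opt-out may ask only for the minimum needed to match a record.
Added illustration, not agency or vendor code."""
from dataclasses import dataclass, field

# The Global Privacy Control specification sends the signal as the
# "Sec-GPC: 1" request header.
GPC_HEADER = "Sec-GPC"

# Assumption for this example: a single locator field is enough to match an
# offline record. Anything outside this allowlist (driver's license number,
# SSN, ...) is treated as over-collection and rejected.
OFFLINE_MATCH_FIELDS = {"email"}


@dataclass
class OptOutRecord:
    opted_out_of_sale_sharing: bool = False
    limit_sensitive_use: bool = False
    identity_verified: bool = False  # stays False: no verification for these requests
    fields_collected: set = field(default_factory=set)


def process_gpc_signal(headers: dict, record: OptOutRecord) -> OptOutRecord:
    """Honor an opt-out preference signal; nothing beyond the header is read."""
    if headers.get(GPC_HEADER) == "1":
        record.opted_out_of_sale_sharing = True
    return record


def excess_fields(form: dict) -> set:
    """Return the submitted fields that exceed the offline-match allowlist."""
    return set(form) - OFFLINE_MATCH_FIELDS


def process_offline_opt_out(form: dict, record: OptOutRecord,
                            limit_sensitive: bool = False) -> OptOutRecord:
    """Handle a manually submitted opt-out (and optional limit) request.

    Raises ValueError if the form carries more than the allowlisted fields,
    since that would be more than is needed to give effect to the request."""
    extra = excess_fields(form)
    if extra:
        raise ValueError(f"over-collection: fields not needed for opt-out: {sorted(extra)}")
    if not form.get("email"):
        raise ValueError("need one locator field to match the offline record")
    record.fields_collected |= set(form)
    record.opted_out_of_sale_sharing = True
    if limit_sensitive:
        record.limit_sensitive_use = True
    return record
```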
3. Make sure your verification process is appropriate
Examine how you verify consumer identity for requests to know/access, delete, and correct. Ideally, you should verify identity based on information you already hold. To do this, look at what you have and tailor your verification questions to that data. While it may be easier simply to request a copy of a driver's license or other government identification, doing so collects information you do not already have (and information that is considered sensitive under the CCPA), which could run afoul of the data minimization standard built into the law.
4. Delete old data
Although not specifically mentioned in the enforcement advisory, the CCPA prohibits retaining personal information beyond what is necessary for legitimate business purposes. If your business doesn't have, or isn't following, a data retention schedule, make it a priority. That includes ensuring that vendors who process and store data on your behalf also delete old data. The excuse that “our vendor won't or can't delete the data” is no longer adequate. The law requires that old data be deleted, so you need a workable way to delete the data you are legally responsible for, wherever it resides.