The California Privacy Protection Agency (CPPA) has issued its first enforcement advisory regarding the California Consumer Privacy Act (CCPA). In Enforcement Advisory No. 2024-01, the CPPA addresses the fundamental principle of data minimization. Much of the attention surrounding CCPA appears to be focused on website privacy policies, collection notices, and consumer rights requirements. With its first data minimization recommendation, the CPPA requires covered businesses, service providers, and others to take a deeper look at their organizations' practices for collecting, using, retaining, and sharing personal information in order to comply with the CCPA. It may be reminding you of that.
First, I would like to talk about the CPPA “Enforcement Recommendation”. Since this is a first for CCPA, we thought it would make sense to share what CCPA noted about these recommendations.
The Enforcement Advisory addresses certain provisions of the California Consumer Privacy Act and its implementing regulations. The Advisory does not cover all laws or enforcement situations that may apply. The enforcement department makes enforcement decisions on a case-by-case basis. Recommendations do not implement, interpret, embody any law enforced or administered by the California Privacy Protection Agency, establish substantive policies or rights, constitute legal advice, or reflect the views of the Board of Directors of the California Privacy Protection Agency. there is no.
Based on this language, the Enforcement Recommendation does not appear to provide compliance security, but it does provide valuable insight into the potential application of the CCPA.
For organizations concerned about data risk, data minimization is certainly one way to reduce that risk. Most organizations work diligently to design and build information systems that prevent unauthorized access to their systems. However, if unauthorized access occurs, your data is at risk. If there is less data in a compromised system, the risk is reduced, if not eliminated.
The concept of data minimization did not originate from CCPA. For example, HIPAA requires covered entities and trading partners to follow a minimum number of rules. According to the CPPA:
Data minimization serves an important function. For example, data minimization reduces the risk of personal information being accessed by unintended persons or entities, such as through a data breach. Data minimization similarly supports good data governance, including through potentially faster responses to consumer requests to exercise their CCPA rights. Companies reduce exposure to these risks and improve data governance by regularly evaluating the collection, use, retention, and sharing of personal information from a data minimization perspective.
The process of achieving data minimization can be difficult as it does not lend itself to a one-size-fits-all approach. Under the CCPA, businesses must apply data minimization principles to “each purpose for which they collect, use, retain, or share a consumer's personal information, including information that a business collects in processing a consumer's CCPA request.” Must be applied. As stated in the Enforcement Advisory, the CCPA requires consideration and enforcement of data minimization measures, including requests to opt out of the sale or sharing of personal information and to limit the use and disclosure of sensitive data. There are many obligations. personal information.Of course, companies also collect personal information. “The personal information must be reasonably necessary and appropriate to achieve the purposes for which it was collected or processed.””
According to the Enforcement Advisory, applying this basic principle essentially amounts to asking questions about the specific collection, use, retention, and sharing of personal information. As an example, this recommendation describes how data minimization can be applied to the process of verifying a consumer's identity to process requests to delete personal information. The following questions are provided as examples of what businesses might ask themselves.
- What is the minimum personal information required to achieve this purpose (identity verification)?
- We already have certain personal information from this consumer. Should we request more personal information than we already have?
- What adverse effects may result from collecting or using personal information in this way?
- Are there additional safeguards that can be put in place to address possible negative effects?
Considering CCPA's verification rules and a company's needs for its personal information, companies should determine their verification process with a minimum in mind. Additionally, minimization should be evaluated periodically.
The need to apply data minimization principles makes it clear that CCPA compliance is more than just posting a privacy policy on a company's website. Among other things, companies should carefully consider what categories of personal information they are collecting, the sensitivity of those categories of personal information, the purposes for that collection, and whether the information collected is minimized. is needed. Applicable purpose.