California Privacy Regulator Issues First Enforcement Advisory

The California Privacy Protection Agency (CPPA) issued its first-ever enforcement advisory, discussing the principle of data minimization as applied to consumer requests. The advisory explains that data minimization is a “foundational principle in the CCPA” and that it also applies to the processing of consumers’ CCPA requests.

The advisory begins with an overview of the data minimization principle and the various provisions in the CCPA and its implementing regulations where the principle is expressed in practice. The advisory then presents two hypothetical scenarios in which businesses could encounter the data minimization principle: a consumer’s request to opt out of the sale or sharing of their information, and verification of a consumer’s identity in the course of the consumer’s deletion request.

In the opt-out scenario, the advisory explains that if the business “sells or shares a consumer’s online activities only in the context of cross-context behavioral advertising”, then it “would not need additional information, such as name or email address, to comply with a consumer request to opt-out of sale or sharing made by way of an opt-out preference signal”.

In the consumer deletion request scenario, the advisory suggests that the business should ask itself “How sensitive is the information to be deleted and what is the risk of harm to the consumer posed by unauthorized deletion?” More concretely, a key question that the business should consider is whether “the documents and photos … on file [are] sensitive information that should warrant a more stringent verification process than just asking for an email address?”

The advisory is the California Privacy Protection Agency’s Enforcement Advisory 2024-01.