California Privacy Protection Agency Publishes Enforcement Advisory on Data Minimization
California's privacy enforcement agency has published crucial data minimization guidance for businesses.
In April 2024, the California Privacy Protection Agency ("CPPA") published "Applying Data Minimization to Consumer Requests," its first enforcement advisory emphasizing data minimization as a "foundational principle" of the California Consumer Privacy Act ("CCPA"). Although the advisory does not have the force of law, it provides important data minimization guidance for businesses under the CCPA's purview.
The advisory reflects the CPPA's enforcement actions concerning businesses' collection, use, retention, and sharing of consumer data. As discussed in our previous Commentary, the CCPA requires all such activity to be "reasonably necessary and proportionate" to achieve the business's purpose in collecting or processing the data. The CPPA has observed that certain businesses ask consumers to provide excessive and unnecessary personal information before processing consumer data requests.
The advisory outlines various factors that businesses should consider when deciding how to apply data minimization principles to consumer requests seeking to opt out of the sale or sharing of their personal information. These factors include the minimum amount of personal information necessary to honor the request, how the business sells or shares personal information, and what information it sells or shares. For example, if a business only sells or shares consumers' online activities in the context of cross-context behavioral advertising, it does not need additional identifying information (e.g., name or email address) from consumers to comply with an opt-out request. By contrast, if a business sells or shares consumers' online activity and purchasing history, it may need additional identifying information to apply an opt-out that goes beyond just online activity.
The advisory signals that data minimization is an enforcement priority for the CPPA, especially as the principle relates to a business's processing of consumer requests. Applying data minimization principles requires businesses to carefully consider the context of their relationship with consumers and collect the "minimum personal information" necessary to comply with consumer requests. In light of the advisory, businesses should review their data governance practices for compliance with the CCPA's data minimization principles.