Insights

California Privacy Protection Agency Issues Enforcement Advisory on Data Minimization

California Privacy Protection Agency Publishes Enforcement Advisory on Data Minimization

California's privacy enforcement agency has published crucial data minimization guidance for businesses.

In April 2024, the California Privacy Protection Agency ("CPPA") published "Applying Data Minimization to Consumer Requests," its first enforcement advisory emphasizing data minimization as a "foundational principle" of the California Consumer Privacy Act ("CCPA"). Although the advisory does not have the force of law, it provides important data minimization guidance for businesses under the CCPA's purview. 

The advisory reflects the CPPA's enforcement actions concerning businesses' collection, use, retention, and sharing of consumer data. As discussed in our previous Commentary, the CCPA requires all such activity to be "reasonably necessary and proportionate" to achieve the business's purpose in collecting or processing the data. The CPPA has observed that certain businesses ask consumers to provide excessive and unnecessary personal information before processing consumer data requests.

The advisory outlines various factors that businesses should consider when deciding how to apply data minimization principles to consumer requests seeking to opt-out of the sale or sharing of their personal information. These factors include the minimum amount of personal information necessary to honor the request, how the business sells or shares personal information, and what information it sells or shares. For example, if a business only sells or shares consumers' online activities in the context of cross-context behavioral advertising, it does not need additional identifying information (e.g., name or email address) from consumers to comply with an opt-out request. By contrast, if a business sells or shares consumers' online activity and purchasing history, it may need additional identifying information to apply an opt-out that goes beyond just online activity. 

The advisory signals that data minimization is an enforcement priority for the CPPA, especially as the principle relates to a business's processing of consumer requests. Applying data minimization principles requires businesses to carefully consider the context of their relationship with consumers and collect the "minimum personal information" necessary to comply with consumer requests. In light of the advisory, businesses should review their data governance practices for compliance with the CCPA's data minimization principles.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.