On April 2, 2024, the California Privacy Protection Agency's (CPPA) Enforcement Division issued its first enforcement advisory, titled "Applying Data Minimization to Consumer Requests," to further emphasize the importance of data minimization obligations upon businesses under the California Consumer Privacy Act (CCPA)1.
Under the CCPA, data minimization requires that a business' collection, use, retention, and sharing of a consumer's personal information be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. Through this enforcement advisory, the CPPA highlights data minimization as a fundamental principle of the CCPA and emphasizes that businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers' personal information. Further, the enforcement advisory outlines two explanatory scenarios for businesses to consider in ensuring adherence to data minimization principles: (a) opting out of sale/sharing; and (b) verifying a consumer's identity for data deletion requests.
Scenario One: Opting Out of the Sale or Sharing of Personal Information
When a consumer requests to opt out of the sale or sharing of their personal information, businesses shall not require a consumer to verify their identity to make a request to opt-out. Instead, a business should focus on gathering only the essential information to facilitate the request without imposing undue burdens on consumers.
The enforcement advisory suggests that businesses can navigate this scenario by asking critical questions, including:
- What is the minimum personal information needed to comply with an opt-out request?
- Can existing consumer personal information fulfill verification requirements, or is additional information necessary?
- What are the potential negative impacts on consumers if more personal information is collected?
- Are there additional safeguards to mitigate these impacts?
Notably, if a business only sells or shares a consumer's online activities for cross-context behavioral advertising, it may not require additional information, like name or email address, to honor an opt-out request. Businesses should also keep in mind that the CCPA Regulations prohibit requiring consumers to create an account or submit verifiable consumer requests to exercise their opt-out rights.
However, if a business sells or shares more comprehensive consumer profiles, such as online activity and other data like purchasing history, it may need consumers to provide additional identification to apply the opt-out broadly. The additional information requested should be proportionate. For example, if a business sells or shares purchase history, then requesting unrelated personal information like a driver's license could potentially exceed the scope of "minimum personal information" necessary to comply with the opt-out request.
Scenario Two: Identity Verification for Data Deletion Requests
In scenarios where businesses need to verify a consumer's identity for requests such as deletion of personal information, they should likewise adopt a method that aligns with data minimization principles.
In addition to the critical questions outlined above, the enforcement advisory discusses key considerations, including:
- Assessing the sensitivity of the information to be deleted and potential risks to consumers.
- Exploring alternative verification methods to minimize data collection.
- The risks of harm to the consumer if acting on an unauthorized request to delete, and potential negative impacts in the event of a breach where identification numbers are accessed.
- Evaluating potential negative impacts and implementing additional safeguards.
For example, when a business has consumer names and email addresses and a consumer requests deletion of their information, the business can ask itself to what degree of certainty does the business need to verify the identity of the consumer, and whether it is necessary to request an identification number in order to comply with the request.
As another example, a business may hold personal information including photos and documents linked to names and email addresses. When a consumer requests deletion of their information, the business can evaluate whether such photos are sensitive information that should warrant a more stringent verification process than just asking for an email address. The business should also consider the possible negative impacts posed to the consumer if the business collects driver's license numbers for verification purposes when the business does not typically collect such information, and whether the business can implement alternative verification methods such as issuing a confirmation code as a means of reauthenticating the consumer's identity. As noted in the CCPA Regulations, businesses should, whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer it already maintains.
The enforcement advisory serves as a valuable resource for businesses seeking to align their practices with CCPA regulatory requirements, thereby mitigating the risk of penalties and reputational damage associated with noncompliance. Michael Macko, Deputy Director of Enforcement for the CPPA notes that "we intend for our Enforcement Advisories to promote voluntary compliance, but sometimes stronger medicine will be in order" and "we won't hesitate to act when necessary."
1 Enforcement Advisory No. 2024-01.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP