CPPA Publishes Enforcement Advisory on Applying Data Minimization to Consumer Requests
On April 2, 2024, the California Privacy Protection Agency’s (CPPA) Enforcement Division published enforcement advisory No. 2024-01 titled ‘Applying Data Minimization to Consumer Requests.’
The enforcement advisory addresses data minimization as a foundational principle of the California Consumer Privacy Act (CCPA) and emphasizes its importance due to its ability to reduce the risk of unauthorized access and support good data governance.
Key Takeaways
The CPPA Enforcement Division reminds businesses that the principle of data minimization must be applied to each purpose for which they collect, use, retain, and share consumers’ personal information, including information that is collected when processing consumers’ CCPA requests.
Additionally, when applying the data minimization principle to consumer requests, the CPPA Enforcement Division states that businesses should consider the following questions:
- What is the minimum amount of personal information necessary for our business to honor a request to opt out of sale/sharing?
- Do we need to ask for more information than we already have?
- What are the possible negative impacts if we collect additional information?
- Could we put in place additional safeguards to address the possible negative impacts?
The CPPA Enforcement Division provides factual scenarios to illustrate when businesses may encounter the data minimization principle and how the questions above can be answered in the given scenarios.