On April 2, the Enforcement Division of the California Privacy Protection Agency issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.”  The Advisory highlights certain provisions of and regulations promulgated under the California Consumer Privacy Act (“CCPA”) that “reflect the concept of data minimization” and provides two examples that illustrate how businesses may apply data minimization principles in certain scenarios.

First, the Advisory includes the CCPA’s data minimization principle reflected in Civil Code § 1798.100(c): “[a] business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate” to achieve the purpose for which it was collected or processed, or another, compatible and disclosed purpose. 

The Advisory notes that the regulations “underscor[e] this principle” by explaining that whether a business’s data practices are “reasonably necessary and proportionate” within the meaning of the statute is based on (1) “[t]he minimum personal information that is necessary to achieve the purpose identified,” (2) “possible negative impacts to consumers posed by the business’s collection or processing of the personal information,” and (3) “the existence of additional safeguards for the personal information” to address those possible negative impacts.  The Advisory next highlights other CCPA regulations that “reflect the concept of data minimization.”  For example, the Advisory identifies certain regulations that prohibit requiring consumers to provide “additional information beyond what is necessary” to exercise certain rights under the CCPA, including 11 CCR § 7025(c)(2) concerning opt-out preference signals.  

The Advisory also describes two hypothetical “illustrative scenarios in which a business might encounter the data minimization principle.” The first scenario contemplates a business’s response to a consumer’s request to opt out of sale/sharing, and the second a business’s process for verifying a consumer’s identity with respect to a request to delete. In both, the Advisory provides examples of questions businesses could consider to apply data minimization principles to the scenarios. These questions reflect the three bases set out in the regulations to determine whether a business’s data practices are “reasonably necessary and proportionate,” as discussed above. For example, per the Advisory, a business verifying a deletion request could consider: “We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?”

Finally, the Advisory explains that Enforcement Advisories are intended to “provide[ ] additional detail about principles of the CCPA and highlight[ ] observations of non-compliance to deter violations.”  They do not “implement, interpret, or make specific the law enforced or administered by the California Privacy Protection Agency, establish substantive policy or rights, constitute legal advice, or reflect the views of the Agency’s Board.”  The Agency further states that adherence to guidance in an advisory is not a safe harbor from potential enforcement actions, which are assessed on a case-by-case basis. 

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Andrew Longhi

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Technology and Communications Regulation Practice Groups.

Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions involving personal information and cybersecurity risk, and responses to regulatory inquiries.

Andrew is admitted to the Bar under DC App. R. 46-A (Emergency Examination Waiver); practice supervised by DC Bar members.

Jessica Ke

Jessica Ke is an associate in the firm’s Privacy and Cybersecurity and Advertising and Consumer Protection practice groups. Jessica advises clients on a wide range of regulatory and compliance issues, including compliance with state comprehensive privacy laws, advertising substantiation issues, and participation in the regulatory process. Jessica also maintains an active pro bono practice.