The California Privacy Protection Agency is advising covered entities under the California Consumer Privacy Act to shore up data minimization practices to avoid potential enforcement.
The agency released its first-ever enforcement advisory on 2 April, focused specifically on CCPA data minimization obligations tied to consumer requests. More specifically, the advisory addresses the minimization standard under California Civil Code § 1798.100(c), the implementing CCPA regulations concerning minimization, and additional CCPA regulations that "reflect the concept of data minimization."
"Vigorous enforcement is part of our mission, along with educating the public about their rights and responsibilities. The Enforcement Division’s advisories will serve both purposes," CPPA Executive Director Ashkan Soltani said.
The advisory, intended to encourage voluntary compliance, calls data minimization a "foundational principle" of the CCPA. It also outlines the benefits to businesses and consumers that stem from applying the principle and complying with it.
However, the advisory explained the CPPA Enforcement Division is observing improper practices, including some unidentified entities "asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA."
Advisory vs. guidelines
The advisory is explicitly different from regulator guidelines, which are not permitted under California's rules around "underground regulations."
California state agencies are required to follow the Administrative Procedure Act when drafting regulations and orders. According to the California Office of Administrative Law, "If a state agency issues, utilizes, enforces, or attempts to enforce a rule without following the APA when it is required to, the rule is called an 'underground regulation.'"
The CPPA clearly stated its advisories "do not implement, interpret, or make specific the law enforced or administered by the California Privacy Protection Agency, establish substantive policy or rights, constitute legal advice, or reflect the views of the Agency’s Board." The agency was also explicit about how adherence to an advisory does not constitute "alternative relief or safe harbor from potential violations."
"We intend for our Enforcement Advisories to promote voluntary compliance, but sometimes stronger medicine will be in order," CPPA Deputy Director of Enforcement Michael Macko said. "We won’t hesitate to act when necessary."
Agency emphasis
The CPPA highlighted some of the less obvious areas where data minimization applies in CCPA regulations. The advisory cites four instances, including the handling of user opt-out preference signals, requests for data sale and sharing opt-outs, requests around the use and disclosure of sensitive personal information, and identity verification.
In each instance, the agency emphasized that the regulation uses the phrase "beyond what is necessary" when referring to the information a business may collect to respond to a request. The agency also indicated that "periodically assessing" data minimization practices can "reduce (a company's) exposure risks and improve their data governance."
"It's like going to the library. To check out a book, you don’t need to show your passport when a library card will do," Deputy Director Macko said regarding minimization application.
Additionally, the advisory details "factual scenarios" in which covered entities may encounter data minimization obligations, and how best to approach the requirements in each.
The hypotheticals put forth cover sale and sharing opt-out requests and verification. The scenarios are accompanied by questions entities can ask themselves regarding their best approach to applying minimization standards.