California’s First Privacy Enforcement Advisory: What You Should Know

May 17, 2024

In April, the enforcement division of the California Privacy Protection Agency (CPPA) issued its first Enforcement Advisory. The Enforcement Advisory stresses the importance of data minimization, noting that businesses must carefully consider their purpose in collecting consumer data, especially when that consumer is attempting to submit a CCPA consumer request.  

What Is An Enforcement Advisory? 

An Enforcement Advisory is a document issued by a regulatory body (in this case the CPPA) to provide guidance, clarification, or warn about potential enforcement priorities. It is not a legally binding document or an addition to existing rules.  

While the CPPA’s Enforcement Advisory is not legally binding, companies should take heed whenever a regulator signals that it considers certain practices problematic, and should stop engaging in that behavior where relevant. This Advisory sends a strong signal that the CPPA is aware of trends showing that some businesses are making it challenging and data intensive for consumers to exercise their rights under California’s privacy laws, and that it is likely to enforce against non-compliance with the limits on data collection.

What Is Data Minimization?  

We discussed this previously in our blog post about data minimization (your business superpower). To summarize:  

Data minimization is a principle of privacy and security that involves collecting the minimum amount of personal data necessary to achieve a specific purpose.    

Adopting data minimization requires businesses to avoid over-collecting data. To do this, simply don’t (or stop) collecting data that you do not currently need or that isn’t relevant.

Data Minimization and California Law 

California’s law requires the collection, use, retention and sharing of a consumer’s personal information to be reasonably necessary and proportionate to achieve the purposes for which the collection or processing occurred.   

This standard takes into consideration the minimum collection possible to achieve that purpose, alongside the potential negative impacts on the consumer and the existence of additional safeguards to protect that information.

In other words, if your business is collecting personal information beyond what you reasonably need to achieve your purposes, you will need to have grounds justifying that collection as well as additional safeguards and a crystal-clear privacy notice. 


Key Takeaways From The Enforcement Advisory 

  • Businesses should not require consumers to create an account to submit a request to opt out of the sale or sharing of their personal information (though it is fine to use a login to an existing account to verify a requester’s identity, if the consumer already has an account set up with you). Businesses should generally not request or collect additional information to verify the identity of a consumer trying to exercise their rights.
  • If you need to request additional information for the consumer to exercise their rights (if, for example, you have multiple consumers in your systems with the same name), then you should only use that information for the purpose of responding to that consumer request and delete that new information as soon as practical, unless retention is required by law.  
  • If you need to request more information to verify the consumer’s identity, avoid collecting sensitive personal information wherever possible.  
  • Consumers and regulators will not look favorably on businesses that prioritize the business benefit of collecting additional personal information. Weigh the risk to the consumer carefully before collecting any more personal information than the absolute minimum required.  

A Quick Overview of Next Steps 

  1. Review your data collection points, especially on forms consumers complete to exercise their rights.  
  2. Update your privacy notices to clearly outline what data is being collected and why. Also delete any data points from the notice that are no longer being collected if you have reduced your data collection.
  3. Train your team on the dangers of overcollection and ensure they know about and understand the company’s privacy notice and privacy practices.  
  4. Update your data maps to reflect any reduced collection practices and any additional data collection points you identified during your review.  

You can read the full advisory here. It is 7 pages long and takes around 10-15 minutes to read and digest. 

If your company needs assistance building a complete data map or introducing more mature privacy practices, reach out. Our attorneys would love to help.  

Disclaimer

The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
