California Privacy Protection Agency Issues First-Ever Enforcement Advisory



On April 2, the California Privacy Protection Agency (CPPA or
“the Agency”) issued the Agency’s first-ever enforcement advisory. The advisory
(“Applying Data Minimization to Consumer Requests”)
reaffirms data minimization as a core principle of the California
Consumer Privacy Act (CCPA) and stresses, in particular, that this
principle applies to businesses’ processing of CCPA data
subject requests, such as the right to delete or right to
opt-out.

To date, the California Attorney General (AG) has been the more
active enforcer of the CCPA, bringing two enforcement actions and initiating a slew of investigative
sweeps into areas such as streaming services, employee and job applicant information, and mobile applications. However, this enforcement
advisory should serve as a warning for companies that the CPPA is
ramping up its own CCPA enforcement efforts and will be paying
particular attention to companies that engage in unnecessary or
disproportionate collection or use of personal information.

In this post, we summarize key takeaways from the CPPA’s
enforcement advisory. To keep abreast of the latest developments in
California privacy law, please be sure to subscribe to the WilmerHale Privacy and Cybersecurity Law
Blog.

KEY TAKEAWAYS

1. Reaffirmation of the data minimization
principle.
The advisory asserts that data minimization is
a “foundational principle in the CCPA,” and that
“[b]usinesses should apply this principle to every purpose for
which they collect, use, retain, and share consumers’ personal
information.” The advisory then points to statutory and
regulatory provisions explicitly articulating this principle, such
as California Civil Code § 1798.100(c), which states that
“[a] business’ collection, use, retention, and sharing of
a consumer’s personal information shall be reasonably necessary
and proportionate to achieve the purposes for which the personal
information was collected or processed, or for another disclosed
purpose that is compatible with the context in which the personal
information was collected” (emphasis added). The advisory also
highlights additional regulatory provisions that reflect the data
minimization principle, such as the CCPA regulations’
provisions related to opt-out preference signals, requests to
opt-out and limit, and verification of consumer identity.

2. Data minimization and responses to data subject
requests.
Much of the advisory is concerned specifically
with the application of data minimization principles in the context
of businesses’ responses to data subject requests. Here, the
Enforcement Division notes “that certain businesses are asking
consumers to provide excessive and unnecessary personal information
in response to [data subject] requests.” The advisory
accordingly reminds businesses that the CCPA’s data
minimization principle applies with equal force to businesses’
processing of data subject requests. To aid companies in applying
the data minimization principle in this context, the advisory
includes two illustrative scenarios — (1) responding to a
request to opt-out of sale or sharing of personal information and
(2) verifying a consumer’s identity in relation to a request to
delete personal information — that aim to shed light on how
businesses should assess whether they are processing personal
information in a manner consistent with the data minimization
principle. Ultimately, the key takeaway for businesses here is that
the data minimization principle should inform all of a
company’s data processing activities — including its
responses to data subject requests.

3. Legal status of advisories. The advisory
takes care to emphasize that it does not have binding legal force,
noting that enforcement advisories “do not implement,
interpret, or make specific the law enforced or administered by the
[CPPA], establish substantive policy or rights, constitute legal
advice, or reflect the views of the Agency’s Board.” The
advisory further explains that it does not provide any sort of safe
harbor for businesses, and that the CCPA statute and regulations
take precedence over the advisory in the event of any conflicting
provisions. Thus, while businesses should consult the enforcement
advisory as a helpful resource, compliance decisions should
ultimately be based on analysis of the relevant statutory and
regulatory provisions.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
