The California Privacy Protection Agency (CPPA) recently issued an enforcement advisory encouraging covered businesses to focus on their data minimization obligations related to consumer requests under the California Consumer Privacy Act (CCPA). The advisory categorizes data minimization as a “foundational principle” of the CCPA and reflects the reasons why businesses will apply this principle for better compliance with the CCPA. The advisory states: “[b]usinesses should apply this principle [of data minimization] to every purpose for which they collect, use, retain, and share consumers’ personal information.”

The publication of this advisory stems from the CPPA Enforcement Division’s observation of businesses “asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.”

Note, however, that this advisory and any others issued by the CPPA “do not implement, interpret, or make specific the law enforced or administered by the [CPPA], establish substantive policy or rights, constitute legal advice, or reflect the views of the Agency’s Board.” The CPPA was also careful to state that adherence to an advisory is NOT “alternative relief or safe harbor from potential violations.”

The advisory also cites four examples of less obvious areas where data minimization applies under the CCPA: 1) the handling of user opt-out preference signals; 2) requests for data sale and sharing opt-outs; 3) requests around the use and disclosure of sensitive personal information; and 4) identity verification. To see the full advisory, click here.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.