California’s Privacy agency signals Priority: Data Minimization

The California Privacy Protection Agency (CPPA) issued its first advisory last week reminding businesses that data minimization is a foundational principle under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act . The advisory made clear that businesses should analyze and consider what data is necessary to achieve the purpose for which the data is collected, used, retained, and disclosed. In other words, the CPPA will look to businesses to justify possession of individual data, as well as, link that possession and use to a legitimate purpose and expectation of the consumer.

The advisory highlights the CPPA’s enforcement priorities around data minimization and encourages businesses to consider the following (implying that these will also be the considerations CPPA will review when determining enforcement and fines):

• How does data minimization (or lack thereof) affect consumers when a business suffers a data breach?
• Is a business’ data governance hindered as a result of failing to effectively minimize the type or amount of data it collects?
• Does the business require a consumer to provide more data than is necessary to achieve the purpose for which the consumer is providing it?
• Is the business conducting an assessment of any negative impacts to consumers relating to the amount or types of data collected?
• Is the business appropriately safeguarding data that it is collecting?

The advisory also provides examples and reasoning, along with citations to the statute, for businesses to consider when building out a data minimization program. Generally, the advisory encourages businesses to understand why certain data is collected, for what purpose the data is collected, and to ensure that the data that is collected is necessary and appropriate for the purpose for which it is collected.

The CPPA has signaled increased enforcement under the CCPA and its implementing regulations. We can expect that the CPPA will continue to use these advisories as key tools in messaging the agency’s compliance expectations.