An Enforcement Advisory has been issued by the CPPA Enforcement Division to help businesses ensure compliance with the CCPA.
On April 2, 2024, the Enforcement Division of the California Privacy Protection Agency (CPPA) released its inaugural Enforcement Advisory, marking a significant step in its efforts to ensure compliance with the California Consumer Privacy Act (CCPA) of 2018. This move highlights the agency’s focus on enforcing regulations and educating both the public and businesses about their rights and obligations. The CPPA Enforcement Division, in this new advisory, emphasizes the critical role of data minimization in the CCPA, guiding businesses towards responsible data handling practices. The Enforcement Advisory aims to warn businesses against non-compliance, and specifically addresses the importance of data minimization in handling consumer requests, advising businesses to not require a consumer to provide additional information beyond what is necessary for the business to fulfill the request. CPPA Deputy Director of Enforcement, Michael S. Macko, emphasized the agency’s preparedness to enforce compliance assertively, indicating that while the advisories are designed to encourage voluntary adherence to the law, the agency is fully ready to take decisive actions if needed.
The CPPA reminds businesses of the importance of data minimization under the CCPA.
In this first ever enforcement advisory, titled Enforcement Advisory No. 2024-01, the Enforcement Division of the CPPA emphasized the importance of the principle of data minimization under the CCPA. This principle is fundamental to the CCPA, aiming to limit the collection, use, retention, and sharing of personal information to only what is necessary and proportionate for the intended use. Businesses are reminded to consistently apply data minimization across all processes, including when responding to consumers’ CCPA requests. The Enforcement Division notes that some businesses request excessive information from consumers when processing CCPA requests, which contradicts the data minimization principle.
Businesses are encouraged to avoid the collection of unnecessary data, by assessing the necessity and proportionality of the data they collect.
The advisory from the CPPA Enforcement Division details regulations under the CCPA that reflect data minimization principles, including guidelines on opt-out preference signals, requests to opt-out of sale/sharing, and requests to limit the use and disclosure of sensitive personal information. The importance of avoiding unnecessary data collection during these processes is emphasized as a means of mitigating risks like data breaches and improving overall data governance. To aid compliance, the CPPA encourages businesses to assess their practices themselves, asking several questions to determine the necessity and proportionality of the personal information collected in relation to the purposes of processing.
Need help complying with the CCPA or other US state privacy laws? Aphaia’s privacy support subscription services now include the option of US Privacy Bundle. Contact Aphaia today.
