The California Privacy Protection Agency (CPPA) published an enforcement advisory April 2, providing insight on companies’ data minimization obligations related to consumers’ privacy rights requests under the California Consumer Privacy Act (CCPA).

The enforcement advisory doesn’t change the law or companies’ obligations, but it provides insight and recommendations — and, importantly, may signal that data minimization will be a focus of upcoming CPPA enforcement actions.

The IAPP’s Joe Duball has published a comprehensive summary of the document here, so we’ll focus on what companies should do in response to the publication.

To Do List:

Know your obligations

While most rights requests require identity verification under CCPA, opt-out requests do not.

The law allows for companies to collect additional information as necessary to verify consumers; however, companies are encouraged to “match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service” whenever feasible.

Where companies require additional information for verification it should not be “beyond what is necessary” for the purpose. And they must delete the information collected for this purpose as soon as practical after completing the request — with an exception for minimal information maintained for record-keeping purposes.

Review selling and sharing practices

While companies do not have to verify the identity of an individual requesting to opt out of the sale or sharing of their personal information, companies may need to collect additional information in order to honor the request.

The information necessary to do this depends on the ways you share or sell information.

Review your selling and sharing practices to determine the minimum amount of additional information necessary to comply with a consumer’s request — if any at all. Review the type of information you sell/share and the methods you use for selling/sharing it to determine what data minimization looks like for you.

Review verification process

For rights requests including access, deletion, rectification and limiting the use of sensitive personal information, companies must verify the identity of the requestor. The stringency of the verification should be related to the sensitivity of the information the company holds and the harm to the consumer if the information were to be lost or inappropriately accessed.

While CCPA and its regulations allow companies to ask for more information from consumers to appropriately verify them, companies should ensure they are using the data minimization principle here.

The enforcement advisory recommends you ask the following questions when reviewing your verification and rights response process:

  • What is the minimum amount of personal information necessary for our business to verify the consumer?
  • We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?
  • What are the possible negative impacts if we collect additional personal information?
  • Could we put in place additional safeguards to address the possible negative impacts?

When reviewing your verification process, consider the sensitivity of the information you hold about the consumer, how you use it and how you disclose it to third parties. Whenever possible, avoid collecting Social Security numbers, driver’s license numbers, financial account numbers, or biometric information.

Review retention practices

Make sure you are storing information collected for verification and to honor rights requests separate from other personal information. You don’t want that information used by business units to market to consumers or involved in any activity other than the privacy rights process.

Review your retention and deletion policy and processes as well as your data retention schedule to ensure these documents include rules and procedures for privacy rights-related information and that it is appropriate and aligns with your practices.

Audit your systems to ensure that information collected for the provision of rights is being retained and deleted according to policy and your legal obligations.

Review record-keeping process

Companies must maintain records of their privacy rights requests for 24 months, including how the company responded to those requests. This means companies need to retain data related to privacy rights requests; but again, the minimization principle applies.

The CPPA’s regulations state that companies must maintain, “the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.”

Where verification information does not relate to this record-keeping obligation, companies should delete it as soon as practical after it is no longer necessary.

Examples:

Minimization for opt-outs

A CCPA-covered company sells consumers’ personal information, such as name, email address and purchase history. To comply with consumers’ right to opt out of this sale, the company may need to collect additional information from the consumer — e.g., a cookie preference setting will not address the totality of the sale.

To know what data to block from sale, the company will need to connect the individual to the data. What information might the company request, and would it meet minimization requirements?

Additional information the company might request, and whether it meets minimization obligations:

  • Email address – Likely yes. This is a unique data element the company already holds about the consumer, so it can match what the consumer provides against its own records.
  • Phone number – No. The company doesn’t hold this data element, so it will not help identify the data to block.
  • Last purchase – Likely no. The company does collect this information, and it would help identify the data to block from sale. However, depending on the negative impacts of collecting it, asking for it may be an overreach, and if the company can achieve the goal with the email address alone there is no reason to collect this additional information.
  • Home address – No. Because the company has not previously collected this information it will not be in its records, so it will not help identify the data to block.
  • Photo of the consumer with their driver’s license – No. Companies should avoid collecting government-issued IDs whenever possible.

Minimization for access verification

A CCPA-covered online retailer receives a request from an existing customer who has previously made a purchase. For access to specific pieces of personal information, the CPPA regulations require companies to verify the identity of the consumer to a “reasonably high degree of certainty,” which the regulations describe as matching at least three pieces of personal information the consumer provides against information the business already maintains.

To verify the consumer to honor the access request, what might the company ask for?

Additional information the company might request, and whether it meets minimization obligations:

  • Email address – Yes. The company would have this in its existing dataset and could use it to match the consumer to the data. However, email addresses are often shared widely, so this would not be adequate on its own for a “reasonably high degree of certainty.”
  • Phone number – Yes. The company would have this in its existing dataset and could use it to match the consumer to the data. However, phone numbers are often shared widely, so this would not be adequate on its own for a “reasonably high degree of certainty.”
  • Last purchase – Likely yes. This is information the company would have, and it is more likely to be known only to the consumer and the business. Combined with other data elements, it may help the company meet both the minimization and the “reasonably high degree of certainty” thresholds.
  • Home address – Likely yes. The company would likely have this information and could use it to match the consumer to the data. However, home addresses are easily accessible, so this would not be adequate on its own for a “reasonably high degree of certainty.”
  • Photo of the consumer with their driver’s license – Likely no. Companies should avoid collecting government-issued IDs for verification, and the retailer likely has enough information to verify the consumer without it. However, access requests require the highest level of verification, and if the information requested is highly sensitive this may be appropriate.
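The matching logic behind both examples above (ask only for elements the business already holds, refuse the categories the advisory says to avoid, count matches against a certainty threshold, and keep only the record-keeping fields afterwards) is easy to get wrong in practice. The following Python is an added illustration written for this page; it is not code from the CPPA, the advisory, or Red Clover Advisors. The field names, the sample customer record, the preference order for which elements to ask for first, and the three-element threshold for a “reasonably high degree of certainty” are assumptions chosen for the example.

```python
"""Minimization-aware verification for a CCPA access or opt-out request.

Added illustration only. Field names, sample data, the preference order and
the numeric thresholds are assumptions for this example, not the regulation.
"""
from dataclasses import dataclass
from datetime import date

# Categories the advisory says to avoid collecting for verification.
DISALLOWED = {"ssn", "drivers_license", "financial_account", "biometric"}

# Match-count thresholds (assumption): three elements for a "reasonably high
# degree of certainty" (access to specific pieces), one element for an opt-out,
# which needs no verification, only a key to find the data to block.
REASONABLY_HIGH = 3
OPT_OUT = 1

# Assumed preference order: elements more likely known only to the consumer and
# the business come before widely shared ones.
PREFERENCE = ["email", "last_purchase", "phone", "home_address"]

# Constructed sample record (not real data).
SAMPLE_CUSTOMER = {
    "email": "ana@example.com",
    "phone": "415-555-0100",
    "home_address": "12 Main St",
    "last_purchase": "order 7781",
}


@dataclass
class Decision:
    verified: bool
    matched: list     # elements that matched the existing record
    rejected: list    # elements refused because they are in DISALLOWED
    unused: list      # elements supplied but not held, so they add nothing
    record: dict      # the only data retained for the 24-month request log


def fields_to_request(existing, threshold=REASONABLY_HIGH, preference=PREFERENCE):
    """Return the minimum set of elements to ask the consumer for.

    Only elements the business already holds can be matched, so anything else
    would be collected for no purpose; disallowed categories are never asked for.
    """
    usable = [f for f in preference if f in existing and f not in DISALLOWED]
    return usable[:threshold]


def normalize(name, value):
    """Light normalisation so formatting differences do not defeat a match."""
    v = str(value).strip().lower()
    if name == "phone":
        v = "".join(ch for ch in v if ch.isdigit())
    return v


def verify_request(existing, provided, *, nature, manner, requested_on,
                   responded_on, threshold=REASONABLY_HIGH):
    """Match consumer-provided elements against the existing record.

    Returns a Decision whose `record` holds only the fields the CPPA regulations
    require businesses to keep; the verification values themselves are dropped.
    """
    matched, rejected, unused = [], [], []
    for name, value in provided.items():
        if name in DISALLOWED:
            rejected.append(name)          # never use, never store
            continue
        if name not in existing:
            unused.append(name)            # cannot help identify the consumer
            continue
        if normalize(name, existing[name]) == normalize(name, value):
            matched.append(name)
    verified = len(matched) >= threshold
    record = {
        "date_of_request": requested_on.isoformat(),
        "nature_of_request": nature,
        "manner_of_request": manner,
        "date_of_response": responded_on.isoformat(),
        "nature_of_response": "fulfilled" if verified else "denied",
        "basis_for_denial": None if verified else
            f"matched {len(matched)} of {threshold} required elements",
    }
    return Decision(verified, matched, rejected, unused, record)
```

Two points the code makes concrete: `fields_to_request` never returns an element the business does not already hold (the phone number and home address in the opt-out example would be filtered out), and the retained `record` is built from scratch rather than by copying the request, so the email, phone number or purchase details used for matching cannot leak into the log.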

The information above is for informational purposes only and not for the purpose of providing legal advice. Red Clover Advisors, LLC is not a law firm and if you need legal advice, please contact an attorney who is competent to provide appropriate legal advice with respect to your specific problem. The ideas or opinions expressed on this website are the opinions of the specified author and do not necessarily reflect the opinion of the company.