CCPA Compliance - The Importance of Data Minimization

For consumers, data privacy is an ever-growing concern nowadays as the digital age has infiltrated the day to day.

In order to address this concern, the California Consumer Privacy Act (CCPA) was enacted, providing Californians with a range of privacy rights.

In addition to consumer rights, one of the foundational principles of the CCPA is data minimization, which aims to minimize the collection, use, retention, and sharing of personal information. This principle plays a significant role in reducing the risk of data breaches and improving data governance.

However, the Enforcement Division has noticed that some businesses collect excessive and unnecessary personal information, even when processing CCPA requests. On April 2, 2024, the CCPA released the first Advisory Note on the CCPA, focusing on this aspect of data minimization, in order to assist business with their CCPA compliance..

In this blog post, we explore the significance of data minimization in ensuring CCPA compliance and discuss how businesses can implement this strategy to mitigate risks and enhance data governance.

What is the Difference between an Enforcement Advisory Note and a Guideline?

Before we continue, it is essential to highlight that the advisory we discuss is notably different from regulatory guidelines, which are not allowed according to California’s regulations on “underground regulations.”

California state agencies must adhere to the Administrative Procedure Act (APA) – a U.S. law that governs how federal agencies create and enforce regulations, ensuring transparency and public participation – when creating regulations and orders. According to the California Office of Administrative Law, if a state agency creates, uses, enforces, or tries to enforce a rule without following the APA when necessary, it’s labeled an “underground regulation.”

The CPPA clearly states that its enforcement advisories “do not enforce, interpret, or specify the law enforced or administered by the California Privacy Protection Agency, establish concrete policies or rights, offer legal advice, or represent the opinions of the Agency’s Board.” The Agency also makes it clear that following an advisory does not serve as “alternative relief or safe harbor from potential violations.”

What is Data Minimization under CCPA?

The California Consumer Privacy Act (CCPA) defines data minimization as the limiting of the collection of personal information to what is necessary in relation to the purposes for which it is being processed. In light of this, CCPA compliance for your business means that you should only collect, use, retain, and share the minimum amount of personal information needed for specific, explicit, and legitimate purposes.

Data minimization ensures that businesses do not retain personal information indefinitely and do not use it for purposes unrelated to why it was initially collected.

In determining whether your business’s collection, use, retention, and sharing of a consumer’s personal information is reasonably necessary and proportionate to achieve the identified purpose you should consider the following:

1. Minimum Personal Information Required:

   • Evaluate and determine the minimum personal information necessary to achieve the intended purpose.
   • For instance, an online retailer may need to collect essential information, such as order details, payment and shipping information, and the consumer’s email address, to process an order and send an email confirmation to the consumer.

2. Potential Negative Impacts on Consumers:

   • Assess the potential adverse effects on consumers that may result from your business’s collection or processing of personal information.
   • For instance, collecting precise geolocation data may pose risks, as it could inadvertently disclose sensitive personal information, such as health data, based on visits to healthcare providers.
3. Existence of Additional Safeguards:
   • Consider whether additional measures are in place to mitigate potential negative impacts on consumers from handling personal information.
   • For instance, a business may implement encryption protocols or establish automatic deletion processes for personal information within a defined timeframe as potential safeguards.

How Does Data Minimization Apply to Consumer Requests under CCPA?  

To prevent unauthorized data disclosures, businesses must verify the identity of requestors. The method of verification should adhere to the following guidelines:

1. Matching Provided Information with Existing Records:

   • Whenever possible, your organization should match the information provided by the consumer with the personal information you already hold. Alternatively, you can use a third-party identity verification service that is compliant with regulations.

2. Avoiding Collection of Sensitive Information:

   • Your business should refrain from collecting certain types of sensitive personal information listed in Civil Code section 1798.81.5, subdivision (d), unless necessary for verification purposes.

3. Implementing Additional Safeguards:

   • Your business should consider implementing additional safeguards for personal information to address potential negative impacts on consumers. Examples include encryption methods or automatic deletion of personal information within a specified timeframe.

Additionally, you are encouraged to avoid requesting unnecessary additional information from consumers for verification purposes. Suppose further information is required and cannot be verified from existing records. In that case, it should only be used for verification purposes and promptly deleted after processing the consumer’s request following legal requirements. 

Clym offers you a tool which facilitates CCPA compliance by allowing individuals to submit consumer requests on your website and this is connected to our Compliance Widget where consumers can input the required details for request verification, which asks individuals for the minimum amount of information. 

Once individuals have done this and submitted their request, Clym verifies for you the request by sending a verification email to them so you don’t have to do anything. All requests you receive in the Data Subject Requests section of the Clym platform are verified requests, where we ensure the email provided is valid and belongs to a requestor. 

In addition, you have an overview of all the requests received, their status, as well as other relevant insights, all in one single place. 

Data Minimization Examples

As part of the Enforcement Advisory, the California Privacy Protection Agency provides two prevalent scenarios: one with an opt-out request and another verifying the requestor’s identity.

Responding to an opt-out request 

As a hypothetical example, Business A receives requests from consumers seeking to opt-out of the sale or sharing of their personal information, in the form of the "Do Not Sell or Share My Personal Information" request which is an important part of CCPA compliance. If you're not sure what is the 'Do Not Sell or Share My Personal Information' requirement in CCPA/CPRA you can read our associated blog article on the topic. 

In considering how to comply with consumer requests to opt-out of the sale or sharing of their personal information, Business A, covered by the CCPA, can apply data minimization principles by asking the following questions:

• Minimum Personal Information Needed:

  • What is the minimum amount of personal information required for our business to fulfill a request to opt out of sale/sharing?

• Existing Personal Information:

  • Do we already possess certain personal information from this consumer? Is it necessary to request additional personal information beyond what we already have?

• Potential Negative Impacts:

  • What are the potential adverse consequences of collecting additional personal information from the consumer?

• Additional Safeguards:

  • Can we implement additional measures to mitigate the potential negative impacts of collecting more personal information?

The information necessary to process the consumer’s request will vary depending on how Business A sells or shares personal information, as well as the nature of the information sold or shared. For instance:

• If Business A only shares a consumer’s online activities for cross-context behavioral advertising, additional personal information such as name or email address may not be needed to comply with an opt-out request.
• However, if Business A shares comprehensive profiles of consumers, including online activity and purchasing history, further identification may be necessary to apply the opt-out to all aspects of the profile.
• Similarly, if Business A shares purchase history, requesting unrelated personal information like a driver’s license may exceed the “minimum personal information” needed to comply with the opt-out request.

Verification of consumer’s identity 

Business B, covered by the CCPA, receives requests from consumers to delete their personal information, even if they don’t have accounts with Business B. The company keeps consumers’ names and emails on file and receives deletion requests from consumers using their emails on record. Business B must find a reasonable way to verify that the person making the request is actually the consumer they have information about.

Business B's main goal in handling the consumer's personal information is to confirm that the person making the request is the same one they have information about.

Business B’s main goal in handling the consumer’s personal information is to confirm that the person making the request is the same one they know about. When figuring out how to do this, Business B considers following the rule to keep data collection to a minimum and any specific rules about verifying identities.

To keep it simple, Business B could start by asking:

1. What’s the least personal information we need to confirm their identity?
2. Do we already have some of their information? Do we really need more?
3. What bad things could happen if we ask for or use their information this way?
4. Can we add extra protection to prevent any bad stuff from happening?

Considering Business B’s possession of consumer names and email addresses, it could ask itself:

• How certain do we need to be (reasonable or reasonably high) when verifying the identity of the consumer requesting deletion, considering the information to be deleted is a name plus email? What’s the potential harm to the consumer if deletion happens without proper verification?

• Since we have the consumer’s email on file, can we rely solely on it for verification, or do we need additional information like a driver’s license or social security number? Is requesting such information disproportionate and excessive when verifying a deletion request involving an email address?

In this scenario, Business B possesses a name, email address, photographs, and documents associated with a consumer. Consumers access their photos and documents by logging in with their email and password, and a code is sent to their email for verification. Business B receives a request from the consumer’s email address, asking to delete all personal information.

When reviewing its verification method, Business B evaluates compliance with the data minimization principle and relevant regulations (e.g., 11 CCR § 7060 - General Rules Regarding Verification and 11 CCR § 7061 - Verification for Password-Protected Accounts). These regulations inform the data minimization analysis outlined in § 7002.

In this context, Business B could ask itself:

• Are the documents and photos sensitive information that requires a stricter verification process than just asking for an email address? What’s the risk if we act on an unauthorized deletion request?

• Can we rely solely on the email address, or is it vulnerable to spoofing? Is it necessary to use a stricter verification process, like requesting the consumer’s driver’s license number or a copy of the license itself? Is asking for this information excessive when verifying a deletion request?

• We typically don’t store driver’s license numbers. What are the potential negative impacts if we start collecting them? What harm could occur if there’s a breach and these numbers are accessed?

• Can we implement additional safeguards to mitigate potential negative impacts? How does our business interact with consumers? Can we use a code sent to the consumer’s email to verify their identity in connection with their deletion request? Should we require the consumer to request and confirm the code to re-authenticate their identity?

“A business shall not require a consumer to verify their identity to make a request to opt -out of sale/sharing or to make a request to limit. A business may ask the consumer for information necessary to complete the request; however, it shall not be burdensome on the consumer. For example, a business may ask the consumer for their name, but it shall not require the consumer to take a picture of themselves with their driver’s license.”

11 CCR § 7060(b)

In conclusion, safeguarding consumer privacy and ensuring compliance with regulations like the CCPA require businesses to consider their data handling practices carefully. By adopting principles of data minimization, businesses can mitigate risks associated with collecting and processing personal information. Additionally, implementing robust and thought-through verification methods helps protect against unauthorized access and deletion requests.

As businesses navigate the complex data protection landscape, a thoughtful approach that prioritizes consumer privacy and regulatory compliance is essential for building trust and maintaining integrity in today’s digital world.

How Can Clym Help You?

Clym helps your business with its CCPA compliance by offering you a tool that streamlines the management of consumers’ data privacy. Our platform makes it simple for your business to notify consumers about what personal information is being collected and why, at the time of collection. 

Furthermore, Clym aids in verifying the identity of people making requests about their personal information, helping your business prevent fraud while respecting consumer rights. We provide your business with a way to keep track of consumer requests and a way to respond to these as well.

Clym’s tool also allows you to manually add DSRs so you can manage ALL of your DSRs in one place,  regardless of how they were submitted - mail, email, phone, or through your website.

In addition to this you are provided with a time-stamped, audit-ready trace of the data subject (access) request from start to finish, and you are able to keep any communication between the requester and your organization in one place, with already pre-configured DSR templates for various regulations that are only going to be displayed for the relevant jurisdiction.

This means that if you receive a request under the CCPA/CPRA the templates available to you will be the ones relevant for this data privacy law, allowing your business to comply with the law without hassle, to avoid fines, and to build trust with your customers by showing them that you take data protection seriously.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.