
CPPA Releases First Advisory Note on CCPA

Written by Alex Margau | Apr 8, 2024 2:23:15 PM

On April 2, 2024, the California Privacy Protection Agency (CPPA) took a significant step towards enhancing consumer privacy by issuing its first-ever advisory note as part of the Agency's efforts to clarify and enforce the California Consumer Privacy Act (CCPA).

In the official news release, the Agency's Executive Director, Ashkan Soltani, reaffirmed the CPPA's dual mission of strict law enforcement and educating the public about their privacy rights and obligations:

Vigorous enforcement is part of our mission, along with educating the public about their rights and responsibilities. The Enforcement Division’s advisories will serve both purposes.

This first advisory focuses on one of the key principles under the CCPA, data minimization, alerting businesses to the critical importance of collecting no more personal information from consumers than is absolutely necessary, especially when responding to consumer requests. 

Michael S. Macko, Deputy Director of Enforcement at the CPPA, highlighted the Agency's hope for voluntary compliance by businesses but made it clear that the Agency is prepared to take decisive action if necessary:

We intend for our Enforcement Advisories to promote voluntary compliance, but sometimes stronger medicine will be in order [...]. We won’t hesitate to act when necessary.

The CPPA plans to continue issuing advisories throughout the year, guiding businesses on how to adhere to privacy laws and protect consumer data effectively.

 

Summary of the Advisory: 

  • Main goal: Businesses need to follow data minimization, which means only collecting the personal information that is really needed, especially when handling customer requests. While not an official rule, the Advisory Note offers advice to help businesses better comply with the privacy law and includes examples of how to use data minimization in real situations.
  • Why this matters: Data minimization helps protect personal information from being accessed by the wrong people, such as during a data breach, and it makes it easier for businesses to manage their data and respond to customer privacy requests more quickly.
  • What some businesses are doing wrong: Some companies ask customers for more information than necessary when those customers exercise their rights under the privacy law.
  • Examples:
    1) Opting-Out of Data Sharing: If a customer doesn't want their data shared or sold, a business should not ask for more information than necessary to complete this request.
    2) Deleting Personal Information: When a customer wants their information deleted, the business should verify the customer's identity using the least amount of information required.

  • Questions Businesses Should Ask Themselves:
    •  What's the least amount of info we need to complete a customer's request?
    •  Do we need to collect more information than we already have?
    •  What could go wrong if we collect more information?
    •  Can we add any extra protections for the information we collect?

 

As the CPPA continues to issue further advisories, businesses in California are encouraged to stay informed and proactive in adjusting their data practices. In doing so, they contribute to a more privacy-conscious marketplace, where consumers feel safe and respected. This first advisory is just the beginning of a broader conversation about privacy in California, setting a precedent for how personal information should be treated not just within the state but as a model for privacy standards nationwide.