CCPA: CPPA’s First Enforcement Advisory Released

Posted byMarc ShullPosted inData Compliance, Data PrivacyTags:, , , ,

Data Minimization and Identify Verification

Among the more confusing aspects of the increasing number of data privacy laws, is how to interpret what is “reasonably necessary and proportionate” to verify the identify a consumer making a rights request. Earlier this month the California Privacy Protection Agency released their first ever Enforcement Advisory to provide guidance on this topic. While clearly described as not constituting legal advice, Enforcement Advisory No. 2024-01’s contents provide useful insight into one of the more unclear requirements of CCPA and other data privacy legislation.


The California Consumer Privacy Act (CCPA) states that “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” Which begs the question, what is reasonable and proportionate? The Enforcement Advisory states such collection should be based on the following:

  • The minimum personal information that is necessary to achieve the purpose identified
  • The possible negative impacts on consumers posed by the business’s collection or processing of the personal information
  • The existence of additional safeguards for the personal information to specifically address the possible negative impacts on consumers

Key questions:

The advisory recommends businesses answer the following questions for themselves:

  • What is the minimum amount of personal information necessary for our business to honor a consumer’s data rights request?
  • If we already have personal information from this consumer, do we need to ask for more personal information than we already have?
  • What are the possible negative impacts of collecting additional personal information to verify the identity of the consumer?
  • What additional safeguards could be implemented to address the possible negative impacts?

So what does all this mean?

  • Each business will need to assess what is “reasonable” and “necessary” based on their business model, the sensitivity of the data they collect, how that data is used, the audience they collect data from, etc.
  • Businesses should review the California Privacy Protection Agency recommendations and integrate data minimization concepts and guidance into their privacy practices, processes, policies, and governance programs.

Key Take Aways: Our Interpretation of Enforcement Advisory No. 2024-01

  1. If you don’t need the data, don’t collect it in the first place.
  2. When you no longer have a need for specific data points and are not legally required to keep them, erase them.  In many cases, different data points should have different retention periods differing from <1 minute to the length of the relationship.
  3. Verification:
    • Businesses should not retain personal information for the sole purpose of future identity verification.
    • Opting out of selling/sharing of personal information is not subject to verification. 11 CCR § 7026(c)
    • When consumers request a business limit use and disclosure of sensitive personal information, businesses cannot require the consumer submitting such a request to create an account or provide additional information beyond what is necessary.  If they have an existing account, then the process for a secure login may in many cases be adequate for identify verification while providing consumers with a smoother request process.
    • Businesses must establish, document, and comply with a reasonable method for verifying that the consumer making the request is the consumer about whom the organization has collected information.
    • Consider the same level of verification you used to collect the personal information to verify the identity.  Using email as an example, often times you just need the email address to sign up for a newsletter, and in most cases you just have to click “unsubscribe” to revoke your consent.  This is a good example of a proportionate method that leverages existing personal information to process the request.
    • When businesses need to collect supplemental personal information for identity verification, this additional personal information may only be used for this verification purpose and should be deleted promptly after the identity has been confirmed or rejected, or at the latest when the rights request has been executed.
    • When additional personal information is required for identify verification, avoid data points such as Social Security number, driver’s license, number, financial account numbers, or unique biometric data (see Civil Code section 1798.81.5, subdivision (d)), unless absolutely necessary.
  4. The more damage that could be done to a consumer by deleting, changing, or obtaining a copy of their personal information due to a falsified request, the more rigorous the verification should be.
  5. Where erasure or other request could present a risk to the data subject, provide a warning notification to an email address or other existing contact point notifying them of the data subjects right request, outlining negative consequences that may occur (i.e. “You will no longer have access or be able to download your data once it is deleted so we recommend you download a copy before you request that we delete your data.”) to provide them will an opportunity to change their mind or take the appropriate action before they execute their rights.

As always, we recommend consulting with your lawyer if you have any questions about how CCPA, GDPR, or any other data privacy law affects your business and how to comply with those regulations. 

Get up to speed with our CCPA Quick Guide or to find out more about our CCPA/CPRA Assessment Services click here or email us at mshull@mkt-iq.com.

Enforcement Advisory No. 2024-01 Disclaimer

It is critical to note that while the recommended practices in the advisory are logical and should reduce risk to businesses and consumers, the advisory also clearly states that following the recommendations will not guarantee compliance or provide businesses with any protections.  Specifically, the enforcement advisory warns that “Enforcement Advisories address select provisions of the California Consumer Privacy Act and its implementing regulations.  Advisories do not cover all potentially applicable laws or enforcement circumstances; the Enforcement Division will make case-by-case enforcement determinations. Advisories do not implement, interpret, or make specific the law enforced or administered by the California Privacy Protection Agency, establish substantive policy or rights, constitute legal advice, or reflect the views of the Agency’s Board.  Advisories do not provide any options for alternative relief or safe harbor from potential violations.  The statutes and regulations control in the event of any conflicting interpretation. The Advisory provides the questions that follow as hypothetical examples of how a business might review its practices. Businesses should consult the statute, regulation, and/or an attorney before taking any action to ensure compliance with the law.”

The contents of this blog are not legal advice.