Data Minimization Just Got Real with the CCPA’s First Enforcement Advisory
There’s a clause in the California Consumer Privacy Act (CCPA) on data minimization that the Rolling Stones could have written. It says that, as a business, you can’t always get the data you want, but you get what you need. Data minimization means collecting only as much data as the stated purpose requires, and no more. As an extreme example, if you want to send someone an electronic newsletter, you’d be allowed to ask for their email address but not for a scanned copy of their driver’s licence.
Six years after mandating data minimization in the act, California’s Privacy Protection Agency (CPPA) has issued an enforcement advisory explaining just how seriously it takes this issue.
The CCPA allows consumers to ask organizations for access to the data held about them, and to correct or delete it where necessary. The April 2 advisory reports that many organizations have been asking for too much information when fulfilling these requests. The message is clear: cut it out.
Doing as the Europeans Do
The CPPA’s approach here closely mirrors Europe’s, according to Odia Kagan, partner and chair of the GDPR Compliance & International Privacy Practice at Fox Rothschild LLP.
“The rule about not using the information that you get in connection with requests for any other purposes and only collecting what you need is exactly the same in Europe,” she tells ISMS.online. “We have European Data Protection Authority guidance on this.”
So why aren’t companies simply applying data minimization as requested when processing requests? It’s not a simple no-brainer, points out Kagan; it’s a balance between convenience and safety. It’s particularly important when processing requests to access and delete information.
“Delete and access are more important because you’re giving information that could be risky to the person if compromised,” she says.
Geolocation data is a good example. If someone impersonates the legitimate owner of geolocation data and requests access, they could find out sensitive information. As Kagan points out, this could include whether they went to an abortion clinic – a particularly sensitive issue in the US today.
Deletion requests are also risky. “What if somebody is requesting to delete family photos?” she adds. Drive-by photo deletions might not be life threatening, but they’re still highly upsetting – and potentially legally damaging to the data holder.
Impersonation Is a Real Threat
Impersonation when making data access requests is a real threat, as demonstrated by University of Oxford researcher James Pavur in 2019. With his fiancee’s permission, he pretended to be her when submitting requests for data access under the GDPR regulations.
Almost a quarter of the 83 companies he contacted that held data on her handed it over without verifying his identity at all, while 16% asked for an easily forged form of ID. He was given the results of criminal record checks, along with travel records and school grades.
Companies must do their due diligence, but mustn’t be too restrictive, explains Kagan.
“You don’t want to make it too difficult to carry out a request and you don’t want to get implicated with data that’s sensitive,” she points out. Collecting too much sensitive data to verify someone’s identity doesn’t just expose the business to regulatory action; it also increases its liability if that verification data is subsequently breached.
How to Walk the Line
So how can companies toe the line without stepping over it? The enforcement advisory provides two examples of how companies receiving requests can comply with these rules.
The first example is a request to opt out of the sale of personal information. This is the easiest one to navigate, because processing opt-out requests doesn’t require identity verification at all under the CCPA. It needs only the information necessary to locate the consumer’s record, such as an email address.
The second example involves someone asking a company to delete their personal information, when they do not have an account with the organisation. This business does have to verify the individual’s identity.
The most basic questions are set out in 11 CCR § 7002(c)-(d) and are essentially these:
- Is the information we’re collecting more than the minimum we need?
- What are the potential negative impacts on individuals of collecting or processing the information?
- Are there safeguards (such as encryption or automated deletion) that might protect consumers?
In both examples, the advisory tells businesses to ask themselves whether they need to collect any information beyond what they already hold about the consumer. The CCPA generally frowns upon requesting additional information for verification unless it is absolutely necessary, and tells businesses to delete such information once it has served that purpose.
Time to Prepare
Kagan advises her clients to prepare for these questions by conducting a risk analysis. This includes assessing the data that the organization holds on the individual, along with the sensitivity of that data. They can then determine the appropriate level of authentication given the nature of the request, and decide whether data they already hold can be used to authenticate the person instead of collecting more.
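The following is an added example, not code from the article, the CPPA advisory or Fox Rothschild: a small Python policy model that puts the advisory’s two examples and Kagan’s risk-analysis approach into one place. It picks a verification tier from the request type and the sensitivity of the data held, discards any submitted fields beyond what that tier allows, checks the remaining fields against data the business already holds, and keeps only the decision rather than the verification inputs. The request types, tier definitions, allowed field names, sensitive-category taxonomy and the sample record are all assumptions made for illustration; the CCPA text itself prescribes none of them.

```python
"""Data-minimizing verification of consumer requests (illustrative policy model).

Assumptions (not from the CCPA or the advisory): the three request types, the
three verification tiers, the allowed field set per tier, the list of
'sensitive' categories and the sample record are all made up for this example.
"""
from dataclasses import dataclass
from enum import Enum
import hashlib
import hmac


class RequestType(Enum):
    OPT_OUT = "opt_out"   # opt out of sale: no identity verification required
    ACCESS = "access"
    DELETE = "delete"


# Assumed taxonomy of categories whose disclosure or deletion is high-impact.
SENSITIVE_CATEGORIES = {"geolocation", "health", "financial", "photos"}

# Assumed policy: the fields a business may accept at each tier. Tier 0 is just
# enough to locate a record; tiers 1 and 2 rely on attributes the business
# already holds instead of asking for new documents such as ID scans.
ALLOWED_FIELDS = {
    0: {"email"},
    1: {"email", "postal_code"},
    2: {"email", "postal_code", "last_order_id"},
}


def required_tier(req, categories_held):
    """Pick the verification tier from the request type and data sensitivity."""
    if req is RequestType.OPT_OUT:
        return 0
    if categories_held & SENSITIVE_CATEGORIES:
        return 2  # access/delete touching sensitive data: strongest check
    return 1


def minimize_request(submitted, tier):
    """Keep only the fields the tier allows; report everything else as excess."""
    allowed = ALLOWED_FIELDS[tier]
    kept = {k: v for k, v in submitted.items() if k in allowed}
    excess = sorted(set(submitted) - allowed)
    return kept, excess


def _fingerprint(value):
    # Normalise then hash so comparisons never operate on raw values.
    return hashlib.sha256(str(value).strip().lower().encode("utf-8")).digest()


def verify_against_record(kept, record, tier):
    """Every field the tier allows must be present on both sides and match."""
    for field_name in ALLOWED_FIELDS[tier]:
        if field_name not in kept or field_name not in record:
            return False
        if not hmac.compare_digest(_fingerprint(kept[field_name]),
                                   _fingerprint(record[field_name])):
            return False
    return True


@dataclass(frozen=True)
class Decision:
    request: RequestType
    tier: int
    verified: bool
    excess_fields_rejected: tuple  # names only; the values were never stored


def process_request(req, submitted, record, categories_held):
    """Run tiering, minimisation and verification; retain only the decision."""
    tier = required_tier(req, categories_held)
    kept, excess = minimize_request(submitted, tier)
    verified = verify_against_record(kept, record, tier)
    kept.clear()  # verification inputs are not retained after the decision
    return Decision(req, tier, verified, tuple(excess))


# Constructed sample record held by the business (not real data).
SAMPLE_RECORD = {"email": "alex@example.com", "postal_code": "94105",
                 "last_order_id": "ORD-1042"}
SAMPLE_CATEGORIES = {"contact", "geolocation"}

if __name__ == "__main__":
    # Opt-out: an ID scan is excess and is rejected; email alone suffices.
    print(process_request(RequestType.OPT_OUT,
                          {"email": "Alex@Example.com", "id_scan": "<bytes>"},
                          SAMPLE_RECORD, SAMPLE_CATEGORIES))
    # Delete touching geolocation data: tier 2, verified from held attributes.
    print(process_request(RequestType.DELETE,
                          {"email": "alex@example.com", "postal_code": "94105",
                           "last_order_id": "ord-1042"},
                          SAMPLE_RECORD, SAMPLE_CATEGORIES))
```

The point of `excess_fields_rejected` is to give the business an audit trail of what it declined to collect without keeping the values; the point of `kept.clear()` is to make the advisory’s “delete it once it has been used” step part of the code path rather than a separate cleanup job.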
Companies should take data minimization seriously, she says, as it is becoming a key issue in data handling. The UK Information Commissioner’s Office (ICO) has its own guidance, as do various US states. The US Federal Trade Commission has also become increasingly interested in the topic, prioritizing data minimization in its case against alcohol delivery service Drizly, and reportedly focusing on the point in its forthcoming commercial surveillance and data security rule.
Different jurisdictions mostly have the same requirement: that data collected is necessary for the intended purpose.
“The fact that it’s common and simple doesn’t mean that it’s easy,” Kagan concludes. “It’s not easy to implement at all. But the standard is fairly common right now.”