United States of America: Adopted California Privacy Protection Agency Enforcement Advisory No. 2024-01 on Data Minimisation Principles

On 2 April 2024, the Californian Privacy Protection Agency (CPPA) adopted the enforcement advisory No. 2024-01 on data minimisation principles. Under the California Consumer Privacy Act (CCPA) minimisation principle, businesses must ensure that they only collect, use, retain, and share the necessary amount of personal information. The CCPA further stipulates that the use of personal information should be necessary and proportionate to the purpose for which the information was collected. This principle should be considered when businesses process consumer requests that fall within the scope of the CCPA. The enforcement advisory outlines two scenarios that illustrate the data minimisation principles, the opt-out of sale/sharing request and the verification of the consumer's identity. In the former scenario, businesses should not ask for more information than necessary to process an opt-out request. The information requested should be minimal without burdening the consumer. In the latter scenario, businesses must verify the consumers' identity by employing a reasonable method while avoiding requesting sensitive information such as social security numbers.