Are you doing business in California? If you are, the California Privacy Protection Agency (CPPA) is reminding you to keep only the data on customers residing in the state that is essential under the California Consumer Privacy Act (CCPA) and to delete whatever is not needed. The agency recently issued Enforcement Advisory No. 2024-01, which directs companies doing business with state residents to use California Code of Regulations, Title 11, Section 7002 [11 CCR § 7002(d)] as guidance on the restrictions on and use of personal information.
The advisory, the first ever issued by the agency, is not in itself legally binding, the agency noted, but is meant only to bring into focus the agency’s foundational principle: “Businesses should apply [data minimization] to every purpose for which they collect, use, retain, and share consumers’ personal information.” The seven-page advisory includes a number of scenarios, along with questions companies should ask themselves, about the data they retain.
Advisory takeaways
The San Francisco-based law firm Wilmer Cutler Pickering Hale and Dorr LLP (WilmerHale) published a blog post addressing the agency’s advisory, noting “this enforcement advisory should serve as a warning for companies that the CPPA is ramping up its own CCPA enforcement efforts and will be paying particular attention to companies that engage in unnecessary or disproportionate collection or use of personal information.”
WilmerHale cited three key takeaways from the advisory:
- The reaffirmation of the data minimization principle (collect, use, retain only what you need)
- Data minimization and responses to data subject requests (“… the data minimization principle should inform all of a company’s data processing activities — including its responses to data subject requests.”)
- Legal status of advisories (the advisory is not legally binding)
It points out that data minimization reduces a company’s risk of exposing private or personal data should a data breach occur.
According to the state privacy law, “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
Beyond what is necessary
Thompson Hine LLP, a Cleveland-based law firm, also posted a blog, clarifying the advisory’s use of the term “beyond what is necessary,” which comes from Section 1798.135 (c) of the law about what a company requires of its customers. In its blog, the firm made these four recommendations:
- Avoid collecting certain types of personal information (e.g., Social Security number, driver’s license number, financial account numbers, or unique biometric data) unless necessary
- Avoid requesting additional information from the consumer for purposes of verification
- If additional information is required, use any new information solely for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, security, or fraud-prevention and delete new personal information as practical after processing the consumer’s request, except as required for record-keeping under the CCPA
For companies that are obligated to follow this law, the misuse of private data could have a negative impact that goes beyond their legal obligations. Depending on how a cyber insurance policy is written, a company's failure to delete information as required by law could affect whether a claim is paid if the data is compromised.
The message from regulators and privacy is clear: Collecting and maintaining private data in California is both a cybersecurity risk and potentially a legal risk as well should the data leave the control of the collecting organization. CCPA is drawing a proverbial line in the sand and warning companies to take proactive action to minimize personal information or face potential sanctions if the data is compromised.