The California Privacy Protection Agency yesterday issued its first enforcement advisory, warning companies about collecting, using, keeping, or sharing more personal information of consumers than needed when processing requests.
The advisory addresses a principle known as data minimization. It’s kind of like when an attorney tells you to answer only the question that you are asked, so if someone asks you “do you know what time it is,” you answer “yes” instead of telling the person what time it is. Collecting and using only the data that is necessary helps companies minimize risk and is a foundation of sound data governance.
The CPPA, though, said it issued this enforcement advisory because it is observing companies asking consumers to provide excessive and unnecessary personal information in response to requests that consumers are making.
One scenario provided by the CPPA involves consumers who ask a company to delete their personal information. The company keeps consumers’ names and email addresses on file, and consumers are making their deletion requests using the email address. To apply data minimization, the business should ask itself the following questions, according to the CPPA:
- What is the minimum personal information that is necessary to achieve this purpose (i.e., identity verification)?
- We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?
- What are the possible negative impacts posed if we collect or use the personal information in this manner?
- Are there additional safeguards we could put in place to address the possible negative impacts?