

A Warning to Business: California Privacy Protection Agency Issues Enforcement Guide

22 May

Update applicable to: All covered employers
Effective date: Immediately

What happened?

On April 2, 2024, the California Privacy Protection Agency published its first Enforcement Advisory on data minimization under the state’s hallmark data privacy law, focusing on a specific context: when businesses respond to consumer requests under the California Consumer Privacy Act (CCPA).

What are the details?

The April 2 Enforcement Advisory gives businesses a clear warning. The Agency believes businesses are over-collecting consumer data during CCPA requests. California officials warn against unnecessary data collection and retention.

Data minimization under CCPA requires businesses to collect, use, retain, and share consumer data only as necessary and proportionate for its intended purpose. This is based on:

  • Collecting minimum necessary personal information.
  • Considering potential negative consumer impacts.
  • Implementing additional safeguards to mitigate these impacts.

The advisory was issued due to observed practices of excessive data collection during consumer requests. It provides guidance on less obvious data minimization scenarios and how to respond.

The advisory highlights four less apparent scenarios where CCPA’s data minimization principle applies: 1) managing user opt-out preferences; 2) handling requests for opting out of data sale and sharing; 3) dealing with requests related to the use and disclosure of sensitive personal information; and 4) identity verification.


Business Considerations

  • Employers should examine their process for handling requests to opt out of data selling/sharing and to limit data use or disclosure, and ask only for the minimum information necessary to process those requests.
  • Employers should audit whether their website uses third-party tracking technologies or shares data for targeted advertising, and ensure it accepts the Global Privacy Control (GPC) as an opt-out preference signal.
  • Employers should review their identity verification methods for Requests to Know/Access, Delete, and Correct; verify identities based on existing data and avoid collecting sensitive information not already in their possession.
  • Employers should comply with CCPA’s prohibition on retaining personal information longer than necessary, ensuring that they adhere to their data retention schedule and that vendors also delete stale data.


This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
