Businesses subject to California's privacy law should avoid collecting more information than necessary to process consumers' requests to reject online ad targeting, the state's privacy agency warned in an enforcement advisory issued Tuesday.
“Data minimization is a foundational principle in the CCPA,” the agency wrote, referring to the California Consumer Privacy Act -- a 2018 law that enables residents to wield control over their data.
“Businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers’ personal information,” the agency wrote.
California's privacy law gives state residents the right to learn what personal information has been collected about them by companies, have that information deleted, and prevent the sale of that data to third parties. That law and accompanying regulations also prohibit businesses from collecting more data than needed.
advertisement
advertisement
The California Privacy Protection Agency is tasked with implementing and enforcing the law.
The agency warned Tuesday that its enforcement division has observed “that certain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.”
The agency is currently recommending that companies consider whether they can process consumers' requests, including opt-out requests, without asking for additional information.
The advisory also discusses how companies could respond to opt-out requests in different scenarios.
For instance, the agency wrote, if a business only shares information about people's online activity, that business can honor an opt-out request made through a browser tool (like the Global Privacy Control) without requiring extra information, such as an email address.
But if a business shares profiles that combine online and offline data, that company might require additional identifying information from consumers in order to fully apply their opt-outs, the agency said.