CCPA/CPRA Archives | TrustArc https://trustarc.com/topic-resource/ccpa-cpra/ (feed generated Fri, 06 Sep 2024 16:59:44 +0000)
Everything You Need to Know About Global CBPR But Are Afraid to Ask https://trustarc.com/resource/webinar-everything-you-need-to-know-about-global-cbpr-but-are-afraid-to-ask/ Wed, 28 Aug 2024 23:16:09 +0000
Webinar

Everything You Need to Know About Global CBPR But Are Afraid to Ask

  • October 8th, 2024
  • 9am PT / 12pm ET / 6pm CET

The Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems have led to the creation of the Global CBPR Forum. To benefit consumers and businesses, Global CBPRs seek to expand the benefits of data transfer beyond the APAC region, while continuing to promote trust and accountability, so data can be transferred responsibly across borders with ease.

The USA, Canada, Japan, Korea, Singapore, Mexico, the Philippines, Taipei, and Australia have already attained full membership in the Global CBPR Forum, and the UK has signed on as an associate member, with countries on every populated continent expressing interest. Many stakeholders have come together to find an efficient, robust solution to the complexities of international data transfer obligations. Certification lets a company demonstrate its commitment to data protection and extend that protection across its supply chain.

How does the Global CBPR Forum differ from the APEC system? How do Global CBPR and PRP certification reduce the level of effort in transferring data across regions? How will it impact your organization? Why and how to get certified? Bonus: How can you use the Global CBPR Forum Framework beyond data transfers?

This webinar will review:

  • The benefits of Global CBPR & PRP certification
  • How CBPR & PRP certification reduces the effort and activities required around managing international data transfers
  • Interoperability with other key privacy regulations and how the framework can be used beyond international data transfers
  • How certification provides a robust data transfer mechanism for your business
  • How to streamline your vendor onboarding process based on CBPR principles

Webinar Speakers

Val Ilchenko General Counsel & Chief Privacy Officer, TrustArc
Noël Luke Chief Assurance Officer, TrustArc
Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws https://trustarc.com/resource/data-minimization-gdpr-ccpa-privacy-laws/ Tue, 13 Feb 2024 15:25:46 +0000
Article

Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws

Businesses need to get a whole lot smarter about how they consume data because greed is not good: it’s risky and uneconomical.

And it’s not like the warning signs weren’t there in the early data gold rush.

It might seem quaint now, but in 2017 when business publications such as The Economist reported “The world’s most valuable resource is no longer oil, but data”, they framed it as a conflict between big tech companies’ apparently unbridled growth and rising public demand for antitrust and privacy regulations to rein them in.

The next year the EU GDPR (European Union General Data Protection Regulation) became enforceable (May 25, 2018), giving European citizens stronger personal data privacy rights, including the right to restrict processing and the right to delete. GDPR compliance requirements include data minimization as a key principle (see below).

California’s Consumer Privacy Act (CCPA) was signed into law a month later (June 28, 2018) with a similar intent to drive greater protections of personal information, and CCPA compliance became enforceable from July 1, 2020. The CCPA was the first comprehensive U.S. state privacy law, and its CPRA amendments made data minimization an explicit compliance requirement (see below).

Data Minimization Requirements in Privacy Regulations Worldwide

While many enforcement actions of privacy regulations focus on privacy breaches and/or misuse of personal information, investigators also look for compliance with data minimization principles, which are now standard in many regulations. These principles were put in place to address data hoarding and focus on:

  • Breach exposure minimization – minimizing the amount and detail of personal information that could be stolen in a breach
  • Purpose limitation – restricting collection to information that is demonstrably necessary for the stated purposes, such as delivering the personalized customer experience the consumer was told about
  • Consumer consent – where consent is the legal basis for processing, collecting personal data only from consumers who have given informed and explicit consent for its collection, processing, sharing, and sale.

Questions to ask about personal data collected by your organization:

  • Is it mapped and tracked throughout its lifespan? Can the business quickly identify the locations of each piece of personal information collected and track its use history, including every instance of how it was accessed and processed – and why each activity was necessary?
  • Is it adequate? Does the personal data collected contain enough (but not more than enough) information to help your business identify the individual and sufficiently deliver a personalized service (stated purpose)?
  • Is it relevant? Is it clear how each piece of personal information is relevant to fulfilling the stated purpose?
  • Is it limited to what is necessary? Does the data collection only capture information needed for the stated purpose – and no more than is necessary?
  • Is it still useful and do you still have permission to store it? Is the information contained in a collection of personal data up-to-date and accurate or has it passed its acceptable and/or permitted use-by date?
  • Is it properly secured? Is the data protected by access controls and other cybersecurity measures to prevent unauthorized and unlawful use, or accidental loss or damage?
  • Is access controlled based on permissions? Does each data system, staff member, third party, or business partner only have access to the data they are explicitly permitted to access – and only what is adequate, relevant, and necessary for them to fulfill a permitted task (and nothing else)?

EU GDPR made data minimization a key principle

The EU’s GDPR set a standard for privacy that gives EU citizens strong privacy rights, especially more visibility, and control of how organizations may collect and use their personal information.

Data minimization is listed in GDPR Article 5 as one of seven principles relating to the processing of personal data:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Limited storage periods
  • Integrity and confidentiality
  • Accountability

The data minimization principle is explained by the European Data Protection Supervisor:

‘The principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.

‘They should also retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.

‘The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725, which provide that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.’

UK data protection rules on data minimization similar to EU GDPR

Post-Brexit, the EU GDPR was retained in UK law as the UK GDPR, which sits alongside the Data Protection Act 2018 and closely follows the EU text. As a result, UK residents have strong personal data and sensitive personal data privacy rights, including control over how organizations may collect and use their personal data.

The UK GDPR data protection principles match all seven of those listed in the EU GDPR (see above).

The data minimization principle is explained by the UK Information Commissioner’s Office:

‘You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

Article 5(1)(c) says: “Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”.

So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.’

Data minimization rules in CCPA/CPRA

The California Consumer Privacy Act, which was amended by the California Privacy Rights Act (CPRA), led the way in the U.S. with the first comprehensive state privacy regulation to give consumers enforceable rights over how – or whether at all – businesses collect, process, store, share or sell personal data.

The amendments under CPRA place more restrictions on collection, storage and use of sensitive personal information, and include data minimization and purpose limitation rules in section 1798.100 ‘General Duties of Businesses that Collect Personal Information’ which accompany requirements for informing consumers of purposes for data collection:

  • Additional categories – 1798.100(a)(1): “A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.”
    (Note: subsection (a)(2) uses practically the same words as the rule above, applying them to ‘sensitive personal information’.)
  • Storage period – 1798.100(a)(3): “The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
  • Proportionate use – 1798.100(c): “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”

Businesses must also ensure third parties, contractors and commercial partners comply with CCPA/CPRA rules, including data minimization requirements.

How to Deliver a Privacy Compliant Digital Experience https://trustarc.com/resource/deliver-privacy-compliant-experience/ Mon, 29 Jan 2024 19:39:00 +0000
eBooks

How to Deliver a Privacy Compliant Digital Experience

Over the past few years, privacy regulations focused on consumer rights and protection, including GDPR, CCPA and LGPD, have strengthened. With this increased focus, regulators and consumers are proactively and constantly monitoring organizations’ ability to demonstrate compliance.

Key takeaways include:
  • How to build consumer trust and loyalty by delivering a compliant digital experience

  • How to meet the ever-evolving regulatory requirements surrounding consumer rights

CCPA Accountability Handbook https://trustarc.com/resource/ccpa-accountability-handbook/ Thu, 25 Jan 2024 18:15:00 +0000
Handbooks

CCPA Accountability Handbook

Operationalizing Privacy Compliance Obligations Under the CCPA

On 1 January 2020, the California Consumer Privacy Act (CCPA) entered into application. It broadly expands the rights of California consumers and requires companies within scope to be significantly more transparent about how they collect, use and disclose personal information. Enforcement of the law was slated to begin no later than 1 July 2020.

For multi-jurisdictional companies, this represents one more law to comply with. Organizations that have been focusing on building an accountable privacy program or on comprehensive compliance initiatives for the GDPR will be able to leverage that work for CCPA compliance initiatives.

Key takeaways include:
  • California Consumer Privacy Act – Accountability annotations and operational guide

  • An accountability approach to demonstrating compliance with the GDPR and CCPA

  • Complying with the California Consumer Privacy Act

  • Full Text of the California Consumer Privacy Act of 2018

GDPR, CCPA, & CPRA Comparison Chart https://trustarc.com/resource/gdpr-ccpa-cpra-comparison-chart/ Sun, 21 Jan 2024 19:29:00 +0000
Infographic

GDPR, CCPA, & CPRA Comparison Chart

Compare the regulations

Review the rights and obligations between the GDPR, CCPA, and CPRA regulations in the TrustArc infographic.

Flash Guidance: California Privacy Rights Act Proposition 24 https://trustarc.com/resource/flash-guidance-california-privacy-rights-act-proposition-24/ Sat, 06 Jan 2024 17:58:00 +0000
Flash Guidance

California Privacy Rights Act Proposition 24

The California Privacy Rights Act (CPRA) took effect on January 1, 2023. Unlike the original CCPA, the CPRA gives organizations no mandatory cure period to fix non-compliance before enforcement. Although voters approved it as Proposition 24 on November 3, 2020, the implementing regulations went through numerous drafts, leaving organizations uncertain how to interpret it.

With California touted as the fourth largest economy in the world, you cannot risk non-compliance and the damage it does to brand trust. Organizations have little time to fast-track compliance.

Key takeaways
  • What to expect with CPRA

  • The role of the California Privacy Protection Agency

  • How to best prepare for CPRA compliance

The stated purpose and intent of the people of the State of California is “to further protect consumers’ rights, including the constitutional right of privacy.” Unlike the GDPR, the CPRA is aimed only at for-profit businesses that do business in California, and it regulates their data collection, storage, processing, sale, and sharing practices.

You are not alone

The road to understanding the increased consumer rights and new mandates for enterprises in California under CPRA doesn’t have to be daunting. A new category of Sensitive Personal Information, no cure period, and an independent enforcement authority are a few of the many provisions organizations should start preparing for – along with how each of them impacts your organization.

California Consumer Privacy Act: Path to Compliance https://trustarc.com/resource/california-consumer-privacy-act-path-to-compliance/ Thu, 21 Dec 2023 19:25:00 +0000
Infographic

California Consumer Privacy Act: Path to Compliance

The CCPA

The California Privacy Rights Act (CPRA) amendment to the CCPA imposes additional obligations on businesses, service providers, contractors, and third parties when collecting, using, and disclosing Personal Information or Sensitive Personal Information (precise geolocation, religion, race, etc.).

Global Privacy Control and Known User Consent: Technical Brief https://trustarc.com/resource/global-privacy-control-known-user-consent/ Wed, 08 Nov 2023 20:41:00 +0000
Articles

Global Privacy Control and Known User Consent: Technical Brief

Businesses can build trust with consumers (whether they’re existing or potential customers) by demonstrating they respect every individual’s privacy rights – and by making it as easy as possible for consumers to choose whether they opt in or opt out of their personal information being used to deliver targeted services and marketing.

In California, a business that sells or shares personal information must tell consumers so at or before the point of collection, and it must honor the consumer’s right to opt out; for consumers under 16 it needs opt-in consent before selling or sharing. CCPA/CPRA lets consumers exercise (or change) that choice via forms on websites and apps or by sending a Global Privacy Control (GPC) signal that the business must detect and honor.

Tech Explained: What is Global Privacy Control?

The GPC was designed to make it easy for individuals to tell businesses, “Do not sell or share my personal information”.

It works as a universal opt-out mechanism to save consumers from having to click through notices or locate opt-out forms or pop-ups on individual websites they visit. They simply set up an Opt-out signal once in their preferred web browser or extension that supports GPC, such as Disconnect, DuckDuckGo Privacy Browser, Firefox, or Privacy Badger by the Electronic Frontier Foundation, and the extension helps them automatically exercise their privacy rights.

Privacy Laws with Global Privacy Control Requirements

The California Consumer Privacy Act (CCPA) and its amendments under the California Privacy Rights Act (CPRA) require businesses to respect consumers’ right to opt out from having their personal information sold or shared by a business to any other business.

The CCPA regulations (§999.315) explicitly state “a business shall provide two or more designated methods for submitting requests to opt out, including an interactive form … and user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information”.

Other laws are also moving to recognize Global Privacy Control as an enforceable universal opt-out mechanism, notably the Colorado Privacy Act (below). The EU’s GDPR does not name GPC; unlike California’s opt-out model, it requires a lawful basis, often opt-in consent, before personal data may be processed for purposes such as targeted advertising.

In Colorado, businesses must give consumers easy access to opt-out mechanisms via privacy notices and in other conspicuous locations. From July 1, 2024, under the Colorado Privacy Act consumers will have the right to signal opt out from targeted advertising, profiling, and sale/sharing of their personal data via (the Act’s terminology) a ‘Universal Opt-Out Mechanism’ – such as Global Privacy Control – which will be enforceable in the state.

TrustArc Technologies with ‘GPC detected’ and ‘Known User’ Features

TrustArc is very focused on helping businesses build and maintain positive customer relationships by providing best practices and compliant privacy consent management technologies.

TrustArc Customer Consent Preference Manager

We continue to develop new features in TrustArc’s Consent & Preference Manager to help businesses streamline the consent preference experience for customers, while staying abreast of updates to privacy laws such as CCPA/CPRA with our centralized privacy regulation compliance platform.

TrustArc Financial Incentive Notice Service

The CCPA regulations state: “If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or their participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.”

Configurable by TrustArc account managers, our Financial Incentive Notice gives customers easy-to-understand choices about a financial incentive program that requires opt in to trackers:

  • Do not Participate – and therefore opt out of the financial incentive program and related tracking; or
  • Continue to participate – keeping the customer enrolled in the financial incentive program and therefore allowing the business to track the customer so it can continue to deliver marketing, discounts and/or other customer loyalty benefits.

TrustArc Cookie Consent Manager – Unique Known User Feature

TrustArc’s Cookie Consent software accelerates the set up and management of complex cookie activities for businesses across all domains while ensuring compliance with privacy laws in all countries they operate in.

Cookie Consent Manager includes features such as auto-detect for Global Privacy Control (GPC) signals – and the world’s first CCPA/CPRA-compliant Known User feature.

TrustArc’s Known User feature addresses the CCPA regulations, enforceable from March 29, 2024, which require a business that receives an opt-out preference signal to honor it not only for the browser or device that sent it but also, when the consumer is known (for example, logged in), for that consumer – in effect across every device and browser they use – while keeping the experience frictionless.

The California Privacy Protection Agency noted on February 3, 2023, in its Final Statement of Reasons: “Subsection (c)(1) has been modified to add language that the opt-out preference signal shall be treated as a valid request to opt out of sale/sharing for any consumer profile, including pseudonymous profiles, that are associated with the browser or device for which the opt-out preference signal is given.

“Additional language has also been included to further clarify that, if known, a business is also required to treat the opt-out preference signal as a valid request to opt-out of sale/sharing for the consumer.

“This change is necessary to address the realities of how the internet works, i.e., sometimes the business may only know the consumer pseudonymously and other times they may match the online actions with an offline consumer. This modification ensures that the opt-out preference signal applies to both situations.”
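The rules quoted above amount to a small decision procedure: detect the browser signal, treat it as an opt-out for every profile tied to the device and, if the visitor is known, for the consumer as well, and let the signal override a conflicting business-specific setting or financial incentive enrollment while merely permitting a notice. The following Python sketch is an added example written for this page, not TrustArc’s Known User or Cookie Consent Manager code. It assumes, from the GPC specification rather than from the article, that a GPC-enabled browser sends the request header "Sec-GPC: 1" and that any other value or a missing header means no signal was expressed; the consent store, profile identifiers and request headers are constructed for the example.

```python
"""Opt-out preference signal handling for a consent service.

Added example, not TrustArc code. Assumptions not stated in the article:
  * per the GPC specification, a browser with GPC enabled sends the request
    header ``Sec-GPC: 1``; a missing header or any other value is no signal;
  * the consent store, profile identifiers and request headers below are
    constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional, Set, Tuple

RIGHT_SALE_SHARING = "opt_out_of_sale_sharing"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only if the request carries ``Sec-GPC: 1``.

    Header names are case-insensitive (RFC 9110), so match on the lower-cased
    name. Only the exact value "1" counts: the spec defines no "0", so any
    other value is treated as "no signal expressed", never as an opt-in.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class ConsentStore:
    """Toy in-memory store mapping a profile id to the rights it has exercised."""
    records: Dict[str, Set[str]] = field(default_factory=dict)

    def record_opt_out(self, profile_id: str, right: str) -> None:
        self.records.setdefault(profile_id, set()).add(right)

    def opted_out(self, profile_id: str, right: str) -> bool:
        return right in self.records.get(profile_id, set())


@dataclass(frozen=True)
class Decision:
    honor_opt_out: bool                # what the business must do for this request
    profiles_updated: Tuple[str, ...]  # profiles the signal was applied to
    show_conflict_notice: bool         # the business MAY notify; it may not override


def handle_request(
    headers: Mapping[str, str],
    device_profile_id: str,
    store: ConsentStore,
    known_consumer_id: Optional[str] = None,
    business_setting_allows_sale: bool = False,
    in_financial_incentive: bool = False,
) -> Decision:
    """Apply an opt-out preference signal the way the quoted rules require.

    * The signal is a valid request to opt out of sale/sharing for any profile
      (including a pseudonymous one) tied to the browser/device and, if the
      consumer is known (e.g. logged in), for the consumer as well.
    * If it conflicts with a business-specific setting or a financial
      incentive program, the signal still wins; the business may only notify
      the consumer and offer to confirm the earlier choice.
    """
    if not gpc_signal_present(headers):
        # No signal: fall back to whatever this device profile chose before.
        return Decision(
            honor_opt_out=store.opted_out(device_profile_id, RIGHT_SALE_SHARING),
            profiles_updated=(),
            show_conflict_notice=False,
        )

    targets = [device_profile_id]
    if known_consumer_id:
        targets.append(known_consumer_id)
    for profile in targets:
        store.record_opt_out(profile, RIGHT_SALE_SHARING)

    conflict = business_setting_allows_sale or in_financial_incentive
    return Decision(
        honor_opt_out=True,
        profiles_updated=tuple(targets),
        show_conflict_notice=conflict,
    )


if __name__ == "__main__":
    # Constructed request: a logged-in user whose browser sends GPC and who
    # had previously enrolled in a loyalty (financial incentive) program.
    store = ConsentStore()
    decision = handle_request(
        headers={"Host": "shop.example", "sec-gpc": "1"},
        device_profile_id="pseudo-7f3a",
        store=store,
        known_consumer_id="cust-1001",
        in_financial_incentive=True,
    )
    print(decision)
```

Two design points worth noting: the parser accepts only the literal value "1", so a malformed header can never be mistaken for permission to sell; and the conflict path returns a flag for the UI rather than flipping the stored preference, which keeps the regulation’s ordering (signal honored first, notice optional) in the data model rather than in the front end.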

[Graphic: order of consent preference storage for logged-in vs. logged-out users in Safari and Firefox]

TrustArc solves the challenge of identifying customers and respecting their choices across devices and browsers with a Known User feature in our proprietary technology, which can be configured by a TrustArc Technical Account Manager on behalf of your business to ensure a frictionless consent choice experience for your customers – and compliance with CCPA amendments under CPRA.

Get Help from TrustArc For Managing GPC Signals and Known User Consent

TrustArc’s privacy experts are committed to helping businesses understand and address privacy law updates – such as CCPA/CPRA rules when a GPC signal is detected – with a comprehensive and easy-to-search database of TrustArc Privacy Insights.

Implications of CCPA Regulations for Businesses https://trustarc.com/resource/implications-ccpa-regulations-businesses/ Tue, 24 Oct 2023 17:10:00 +0000
Articles

Implications of CCPA Regulations for Businesses

Businesses subject to the California Consumer Privacy Act of 2018 (CCPA) and its amendments under the California Privacy Rights Act (CPRA) have faced considerable administrative burdens since these rules began to be enforced by the California Privacy Protection Agency.

The enforcement dates for California’s wide-reaching privacy legislation were:

  • July 1, 2020 – CCPA
  • July 1, 2023 – CPRA amendments

CPRA vs CCPA: Extra Rights for California Consumers

The California Privacy Rights Act (CPRA) amendments to the CCPA gave California consumers even more control over how businesses may collect and then use their personal information.

The main updates to individual rights are:

  • Stronger right to know – when a California consumer makes a data subject request under CCPA they have a right to know the details of the pieces of personal information collected about them, along with the categories of information a business then discloses/shares or sells – and the purposes for those disclosures.
  • Right to correct or delete – California consumers who make a data subject request can also ask for records of their personal information to be corrected or permanently deleted.
  • Right to limit use of sensitive personal information – this additional right allows consumers to direct businesses to limit the use and disclosure of sensitive personal information (SPI) such as precise geolocation, racial or ethnic origin, beliefs or sexual orientation to what is necessary to provide the requested goods or services; separately, a business may not retain SPI for longer than is reasonably necessary for the disclosed purpose. (For more information about SPI under CPRA, read TrustArc’s Summary of the California Privacy Rights Act (CPRA) Main Rules.)
  • Expanded right to opt out of sale or sharing of personal information – the amendments allow consumers to opt out from having personal data shared by a business with third parties for cross-context behavioral advertising; the CPRA also directs the Agency to issue regulations on opting out of automated decision-making technology.

To be considered CCPA compliant, businesses must also undertake (the first two under Agency regulations for businesses whose processing presents significant risk to consumers’ privacy or security):

  • regular privacy risk assessments;
  • annual cybersecurity audits;
  • data minimization activities (restricting the amount of data processed to only be what is “reasonably proportionate” to the business purpose); and
  • purpose-limitation activities (restricting the processing of data for a “predetermined or compatible purpose”).

California Attorney General Privacy Enforcement Actions

TrustArc’s privacy experts reported on the first round of CCPA enforcement actions by the California Attorney General in our September 2022 article: Critical CCPA Compliance Lessons to Learn from AG Enforcement.

The AG’s judgment against makeup retailer Sephora included a $1.2 million settlement penalty for several CCPA violations:

  • Failure to disclose to consumers it was selling personal information;
  • Failure to process consumer requests to opt-out of sale of their personal information signalled via consumer-enabled Global Privacy Control settings; and
  • Failure to cure these violations within the 30-day cure period allowed at the time.

Under the settlement, Sephora had to comply with the following injunctive terms:

  • Make it clear to consumers it intends to sell data through updated online disclosure notices and its Privacy Policy.
  • Ensure consumers can opt-out of sale of personal information, including via the Global Privacy Control.
  • Update its service provider contracts to ensure third parties are CCPA compliant, and document compliance monitoring in the annual report.
  • Provide reports to the Attorney General about its sale of personal information, status of its service provider relationships, and its efforts to honor Global Privacy Control.

Note: the CCPA’s mandatory 30-day cure period expired on January 1, 2023, giving both regulators (the AG and the Agency) the power to impose penalties without first offering a cure. However, the Agency’s enforcement regulation set to come into force in March 2024 (see §7301) gives it discretion in how it proceeds: in deciding whether to pursue an investigation it may consider all facts it determines to be relevant, including the time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s), and good-faith efforts to comply with those requirements.

Kaiser Foundation’s Patient Privacy Violation Part of $49 Million Settlement

On September 8, 2023, California Attorney General Rob Bonta, in partnership with six district attorneys, announced a major settlement with healthcare provider Kaiser, which operates the Kaiser Foundation Health Plan and Kaiser Foundation Hospitals.

Under the settlement Kaiser must pay $47.25 million and undertake other remedies to resolve allegations it illegally disposed of hazardous waste, medical waste and protected health information.

These violations were discovered during undercover inspections of dumpsters at 16 Kaiser facilities by the district attorneys’ offices. The business faces an additional $1.75 million in civil penalties if by September 2028 it hasn’t spent $3.5 million to ensure compliance with the California laws it is alleged to have violated.

Although the case wasn’t prosecuted under CCPA/CPRA regulations, it is noteworthy for privacy professionals because, along with hazardous and medical waste (in violation of several waste-disposal regulations), the dumpsters were found to hold more than 10,000 paper records containing the personal information of more than 7,700 patients.

As the contents of Kaiser’s dumpsters would normally be disposed of at publicly accessible landfills, the business had unlawfully exposed patients’ information, including sensitive personal information, in violation of California’s Confidentiality of Medical Information Act and Customer Records Law, as well as the federal Health Insurance Portability and Accountability Act (HIPAA).

Kaiser had previously paid $150,000 in penalties and attorneys’ fees to settle a privacy lawsuit brought by the California Department of Justice in 2014. Kaiser was found to have delayed notifying its employees about the discovery of an unencrypted USB drive containing more than 20,000 employee records at a Santa Cruz thrift store.

Under the ruling, Kaiser agreed to:

  • comply with California Data Security Reporting requirements to notify California residents of data breaches that expose unencrypted personal information;
  • provide notification of any future data breach; and
  • implement additional training across the business and with suppliers about the sensitive nature of employee records and how they should be properly handled and protected.

California AG’s CCPA Enforcement Sweep of Employers

California Attorney General Rob Bonta announced on July 14, 2023 his office is conducting an investigative sweep of employers to review companies’ CCPA compliance related to personal information of employees and job applicants.

The CCPA exemptions for employee and business-to-business data expired on January 1, 2023. Under the CPRA amendments, California residents who are employees, job applicants or independent contractors of a company, or who deal with it in a business-to-business relationship, gained personal data rights in line with consumer rights.

In his announcement, AG Bonta said:

“The California Consumer Privacy Act is the first-in-the-nation landmark privacy law, and starting this year, the personal information of employees, job applicants, and independent contractors received greater data privacy protections because of it. We are sending inquiry letters to learn how employers are complying with their legal obligations. We look forward to their timely response.”

California Consumer Privacy Act Assessments

If your business hasn’t already done so, we recommend it undertakes a California Privacy Assessment with TrustArc to:

  1. Review your current CCPA privacy position and identify remedies for any gaps in compliance
  2. Develop an action plan based on a heatmap outlining risks and estimating the levels of effort and resources needed to achieve compliance
  3. Build consensus across the business for compliance and create an audit of your CCPA compliance efforts.

Big tech in a small world (with Tom Kemp) https://trustarc.com/resource/spp-s4-ep27/ Wed, 26 Jul 2023 21:17:00 +0000