The California Privacy Protection Agency (Agency) is responsible for creating and enforcing California’s Privacy Rights Act (CPRA) regulations that took effect March 29, 2024.

As discussed here, the CPRA amended and expanded the California Consumer Protection Act (CCPA) by, among other things, giving consumers the right to correct inaccurate personal information collected by a covered business and to limit a covered business’s use and disclosure of “sensitive personal information” (e.g., social security number, racial or ethnic origin, religious beliefs, genetic data, precise geolocation) to specific identified purposes.

In its inaugural Enforcement Advisory No. 2024-01 (issued April 2, 2024), the Agency focuses on the importance of data minimization. “Data minimization” is a principle of data privacy that stipulates organizations should only collect, process, and store the minimum amount of personal data necessary to fulfill their purpose or service.

According to the Agency, data minimization serves several important functions such as supporting good data governance and reducing the risk that unintended persons or entities will access personal information. The Agency recommends an ongoing and periodic assessment of personal information collected, used, retained and shared by businesses. Such auditing will help to ensure information collected is relevant and limited to what is necessary in relation to the purpose for which it is being collected, used and shared.

Whether information collected, used, retained or shared is reasonably necessary and proportionate to achieve the purpose identified, is based on the following:

• The minimum personal information that is necessary to achieve the purpose identified (e.g., to complete onboarding procedures and send an email confirmation of documents sent to the consumer[i], an employer may need the consumer’s physical address, phone number and email address).
• The possible negative impacts on consumers posed by the business’s collection or processing of the personal information (e.g., a possible negative impact of collecting precise geolocation information is that it may reveal other sensitive personal information about the consumer, such as health information based on visits to healthcare providers).
• The existence of additional safeguards for the personal information to specifically address the possible negative impacts on consumers (e.g., a business may consider encryption or automatic deletion of personal information within a specific window of time as potential safeguards).

What Does it All Mean?

Data minimization, like all other CPRA mandates, does not lend itself to a ‘one-size fits all’ approach when it comes to compliance. Employers must review their own specific collection, use, retention and sharing practices to be able to effectively manage the personal information provided by employees for any given purpose (e.g., onboarding, promotions, providing healthcare and other benefits).

Employers can assess their data risk – and use data minimization to mitigate that risk – by asking the following questions:

• What is the minimum personal information that is necessary to achieve any given purpose (e.g., identity verification)?
• For any given purpose, what specific personal information do we already have? Do we need to ask for more personal information than we already have?
• What are the possible negative impacts posed if we collect or use the personal information for the identified purpose?
• Are there additional safeguards we could put in place to address the possible negative impacts?

[i] Consumer – in the employment context – means job applicant/candidate, current/former employee.