
By Michael Gordan, defi SOLUTIONS VP, Compliance
The past five or so years of consumer protection legislation in California may understandably have resulted in some discombobulation on the part of spectators. To recap, in 2018 California passed the California Consumer Privacy Act (CCPA), which became effective in 2020, and which adopted a number of privacy concepts including the so-called “right to be forgotten.” Also in 2020, California voters passed the California Privacy Rights Act (CPRA), which amended and expanded the CCPA. The CPRA also created the California Privacy Protection Agency (CPPA), whose charge is to implement and enforce the CCPA. If at this point you are thinking that relevant initials might be CCCP, we won’t stop you, other than to say that you are dating yourself.
In any event, the CPPA recently issued “Enforcement Advisory No. 2024-01.” Yes, that does work out to a rate of one Enforcement Advisory every four years, but speed isn’t everything, and the Enforcement Advisory is worth more than a moment of your time. It highlights a particular issue that is relevant to all of us who have the opportunity to store consumer data and illustrates how the CPPA’s rulemaking and enforcement powers provide it an influential perch from which to set the consumer protection agenda in California and, through its leadership role among the states, throughout the country, in some cases without regard to the letter of the law it is enforcing.
The issue addressed by the Advisory is data minimization, a foundational principle in the CCPA. Or rather, a principle that the CPPA says is foundational in the CCPA. Whether it is or is not (one tip-off is that the phrase never appears in the CCPA) is immaterial, because the CPPA writes the regulations that implement the CCPA. So the Enforcement Advisory is also a lesson in how government agencies can use their rulemaking powers to expand their authority beyond what the legislature may have contemplated.
The CPPA is at least up front about this. The Enforcement Advisory first quotes the CCPA, which states that a business shall collect personal information in a manner “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected,” and that’s fair enough. The statute goes on to allow the use of that information “for another disclosed purpose,” again, a provision that seems consistent with other U.S. laws in making proper disclosure the key to use of personal information.
Observe, though, the power of rulemaking to redirect the law. The CPPA cites its own regulations as the method through which it reads “data minimization” into the law. So, for instance, the regulations state that determining whether a business has followed the law’s direction can be determined by whether the business has collected the “minimum personal information” necessary for the business’s purpose. This approach can be contrasted with the European Union’s General Data Protection Regulation (GDPR), which is the inspiration for many U.S. data protection laws and which explicitly names data minimization as a guiding principle. Regulators in the EU thus have a clear basis for making data minimization a cornerstone of their enforcement efforts and have done so.
Complaining about regulatory overreach is easy enough, so the question is what makes this Enforcement Advisory worth consideration? I would suggest that it makes two important points that need to be addressed by companies that obtain consumer information as part of their day-to-day operations.
The first is that both consumers and businesses have become accustomed to a model in which consumers provide businesses with certain personal information in order to take advantage of the services those businesses provide. In this environment, it is easy for us to require consumers to provide more information than is strictly necessary for us to do our work. Perhaps, we think, this information will come in useful in the future. Perhaps it complements other services I now provide, or might one day provide. Perhaps it includes information that data analytics tools might be able to exploit to help keep me ahead of my competitors.
This is bad for businesses in a couple of ways. For one, it’s a lazy way to think about personal consumer data. Although that data is often necessary for us to do our work, trying to keep every piece that crosses our path is unrealistic. Further, it increases risk. Whether through an inadvertent act or the efforts of a bad actor, if there is some sort of data breach, having more data than necessary simply increases the potential harm to consumers and as a result the danger to the company.
This second consideration is known as data redundancy, and while it can be desirable when it’s part of a conscious plan (again, as in the case of data kept for disaster recovery purposes), redundancy can also be a drag on a company, not least because while storage is often cheap, it’s never free. Furthermore, if data proliferates, it grows increasingly likely that the business will lose track of where data is housed. This can potentially expose data to hackers, if lack of knowledge about data’s location leads to lack of protection, and in can certainly lead to litigation headaches if forgotten stores of data lead to the need for data review and possibly production.
A final point is to note the increasing “legalization” of business functions like data storage. In the early years of digital storage, the primary concerns were probably cost, efficiency, and ease of access to data. In the current environment, compliance with law is gaining increasing prominence. This means that in addition to carefully managing your data, you’ll also want to keep a record that showcases your careful management. If the CPPA or a similar agency is ever examining your business, evidence of the factors that went into your data retention plan will be extremely useful. If you can point out that your business was aware of the law and the risks inherent in its methods of data retention, and that it took time to consider those issues, you will have done yourself a favor. These deliberations can be memorialized in a memorandum or policy document. Such an approach has the added benefit of forcing you to think about these things, and so an annual review of these documents may be something that actually turns out to be profitable for the business. It is possible that the discussion of retention issues will lead to a realization that there are savings to be had in making data storage more efficient.
A similar conversation with your vendors would not be out of place, especially if these vendors store consumer information for you. Assessing how these vendors are performing when it comes to data storage and minimization will help you better understand where your data is. And given that they are swimming in the same waters as everyone else, it is very possible that they will have devoted some thought to the topic and may have suggestions for how you can retain necessary consumer information while minimizing risk.
The regulatory agenda in California is likely to be influential for regulators across the U.S. It is worth some time to consider the issues related to data minimization, and to prepare your business to answer the questions that may be asked on the topic.
This blog is not meant to be a comprehensive listing of compliance challenges the industry faces, nor a source of legal advice. Instead, we address trends in vehicle loan and lease compliance and illuminate some of the issues on the minds – or in our view, should be on the minds – of industry players.