CPPA issues an enforcement advisory on data minimization
April 9, 2024
USA
The CPPA Issues an Enforcement Advisory on Data Minimization
The California Privacy Protection Agency enforcement division published its first “enforcement advisory,” reminding companies of their data minimization obligations, specifically in the context of CCPA requests.
The advisory notes the CPPA’s observations that certain businesses are asking consumers to provide “excessive and unnecessary personal information” in response to consumer requests under CCPA.
It also provides guidance (with hypothetical examples) on how companies should apply data minimization requirements in two specific scenarios: when responding to a request to opt out of sale/sharing; and for verification of a consumer’s identity. In both scenarios, the advisory notes that companies should be asking themselves what is the minimum amount of personal information necessary for the business to honor the request or achieve the purpose.
As one example, the advisory comments that “if Business A sells or shares a consumer’s online activities only in the context of cross-context behavioral advertising, then Business A would not need additional information, such as name or email address, to comply with a consumer request to opt-out of sale or sharing made by way of an opt-out preference signal. By contrast, if Business A sells or shares profiles of consumers that include both online activity and other information (e.g., purchasing history), then Business A might need the consumer to further identify themselves to apply the opt-out to more than just online activity.”
TAKEAWAY
This advisory stresses the importance of bespoke (rather than one-size-fits-all) approaches to CCPA requests. When designing a company’s CCPA opt-out process, for example, the company may need to spend more time looking internally than looking at what everyone else is doing, as each company’s process may need to differ based on the specific data it collects, processes, sells and shares.
Maryland Sends Comprehensive and Children’s Privacy Bills to Governor
Just before its April 8 adjournment, the Maryland legislature passed and sent two bills to the Governor: the Maryland Online Data Privacy Act and the Maryland Age Appropriate Design Code Act. If signed by the Governor, both laws will go into effect October 1, 2025.
TAKEAWAY
The Maryland Online Data Privacy Act contains some significant departures from other state comprehensive privacy laws.
Most notably, the law includes a prohibition on the collection, processing or sharing of sensitive data “except where strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains” and an outright prohibition on the sale of sensitive data. The law also requires that controllers limit collection of all personal data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains” [emphasis added]. The Maryland Age Appropriate Design Code Act imposes certain obligations and prohibitions on online products that are accessed or reasonably likely to be accessed by children under 18.
Kentucky Governor Signs Comprehensive Privacy Law
Kentucky HB 15 has been signed by the state’s Governor, making Kentucky the 15th state to enact a comprehensive privacy law. The law will take effect January 1, 2026.
TAKEAWAY
The Kentucky bill is almost entirely copied from the Virginia Consumer Data Protection Act (with a few minor exceptions, like omission of the word “household” from the definition of a “consumer”). This means that, unlike the last several state comprehensive privacy bills to be enacted (e.g., New Hampshire, New Jersey, Delaware, Texas, and Oregon), Kentucky, like Virginia, will not require recognition of signals from universal opt-out mechanisms, like GPC.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.