With enhanced information security becoming increasingly more urgent, privacy protection efforts are ramping up for many industries. One of the more recent measures to address data privacy has come from the latest California Consumer Privacy Act (CCPA) Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). 

Under the CPRA, more stringent and targeted privacy enhancements are now required, including new compliance obligations for businesses and new principles involving data minimization and retention obligations.

What is data minimization?

Data minimization refers to more conservative data sharing requirements. As part of the CPRA, all data collection, use, and sharing of personal information must be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.” 

Additionally, companies cannot use personal data for any other purpose other than what was agreed upon by the customer. If a company wishes to use customers’ data for any other use, companies must notify customers.

Where did the principle of data minimization originate?

Data minimization originated with the European Union’s General Data Protection Regulation (GDPR). Under the requirement, companies may only retain data that is necessary to fulfill a designated purpose. While GDPR requirements don’t extend to the United States, the CCPA is the closest American equivalent.

Does GDPR cover CCPA?

The GDPR has similar requirements to the CCPA, but with some key differences. 

First, there’s a difference in regulation under each designation: The GDPR governs all data controllers and data processors established in the EU. The privacy law also governs companies outside the EU who have contact with data owned by EU citizens. 

The CCPA, however, only applies to for-profit organizations that do business in the state of California or with Californians that meet one of the following requirements: 

  • Gross revenue earnings over $25 million
  • Processes, receives, or transfers personal data from over 50,000 Californians each year
  • Half of annual revenue comes from selling personal information

There are also differences in who is protected: Under the GDPR, all identifiable people with personal data are protected. The CCPA applies explicitly to consumers, including California residents and Californians who temporarily reside outside of the state.  

Does CCPA require a data protection officer?

While the GDPR requires that companies establish a data protection officer to oversee compliance, CCPA doesn’t have that requirement. However, it is recommended to create such a role within your company to help maintain compliance.

What data is covered by CCPA?

The CCPA has a broader scope than the GDPR regarding what type of data is protected. Under CCPA, entire households are covered, including all devices and applications within personal devices.

The CCPA protects all consumer data, which entails personal information that identifies, describes, relates to, or can be associated with a specific person, household, or device. GDPR doesn’t have quite such a broad scope and protects only personal data connected to an identifiable person.

According to the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The following are some of the various categories of personal information:

Identifiers

This includes a person’s name, alias, postal address, IP address, email address, account name, social security number, driver’s license number, or passport number.

Customer records information

This can include name, signature, social security number, any physical characteristics, address, or telephone number. Any employment or education history, bank account numbers, medical information, or health insurance details are also included in this category.

Protected classification information

Race, gender, ethnicity, and age are all protected information.

Commercial information

All records of personal property and products/services purchased are all protected. Any consuming history or tendencies also falls under this category.

Biometrics

Hair color, eye color, fingerprints, height, etc. are all deemed personal information and therefore protected under the law. 

Other protected personal information includes internet or other electronic network activity, geolocation data, audio and electronic information, and private education information. 

If your company deals with private data that falls under the laws of the CCPA, you must enact data minimization to maintain compliance.