top of page

California Privacy Agency Warns Businesses Against Excessive Data Collection Practices

The California Privacy Protection Agency (CPPA) has issued a stern warning to businesses, urging them to refrain from requesting excessive information from consumers who exercise their privacy rights, particularly those opting out of data collection. In its inaugural enforcement advisory released on Tuesday, the agency emphasized the importance of businesses limiting their collection, use, retention, sharing, and sale of personal information from California residents and employees strictly to what is necessary.


California Privacy Agency Warns Businesses Against Excessive Data Collection Practices


According to the CPPA, enforcement advisories serve as a means to encourage compliance with the California Consumer Privacy Act (CCPA), a legislation enforced by the agency itself, which also drafts regulations pursuant to the California Privacy Rights Act. Under CCPA, consumers are granted the right to opt out of having their personal data collected, shared, or sold by businesses, as well as to regulate the use and disclosure of their sensitive personal information.


The advisory underscores the requirement for businesses to respect reasonable requests made by California residents and employees concerning their data. While companies are mandated to verify the identity of the requester before taking action, the CPPA stressed that any additional information solicited from the individual should be kept to a minimum, primarily for fraud prevention purposes.


Highlighting observations from its Enforcement Division, the CPPA expressed concern that certain businesses are demanding excessive and unnecessary personal information from consumers in response to CCPA requests. The agency emphasized the importance of adhering to the data minimization principle mandated by the law, especially when processing opt-out requests.



When verifying the identity of a requester, companies are urged to evaluate whether further information collection is truly necessary, particularly if basic identifiers like name and email are already on file. Gathering additional information beyond what is essential, such as precise geolocation data, could potentially compromise the security of other sensitive information, cautioned the CPPA.


Included within the advisory were examples illustrating appropriate and inappropriate requests by businesses for additional information from individuals who have submitted requests under the law. Michael Macko, the agency’s Deputy Director of Enforcement, affirmed in a press release that while enforcement advisories are intended to foster voluntary compliance, the agency stands prepared to take stronger measures when necessary. "We intend for our enforcement advisories to promote voluntary compliance but sometimes stronger medicine will be in order,” Macko stated. “We won’t hesitate to act when necessary.”



bottom of page