The California Privacy Protection Agency (CPPA) warned businesses to stop asking for excessive information from consumers who have requested to opt out of having their data collected or who are otherwise exercising their privacy rights.

Businesses shouldn’t collect, use, keep, share, or sell any more personal information from California residents or employees than is necessary, the CPPA said in its first enforcement advisory, issued Tuesday.

Enforcement advisories are designed to encourage companies to comply with the California Consumer Privacy Act (CCPA). The CPPA enforces the law and writes its new rules called for under the California Privacy Rights Act.

The CCPA allows consumers to opt out of having their personal data collected, shared, or sold by businesses and limit how their sensitive personal information is used and disclosed. Businesses are required to honor reasonable requests by California residents and employees about their data.

Businesses must first verify a requesting person’s identity before acting on a request, but the additional information sought from that person should be the minimal amount necessary to carry out fraud prevention, the CPPA said.

The agency’s Enforcement Division has observed that “certain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA,” according to the advisory.

Businesses instead should apply the law’s general data minimization principle any time they collect, use, retain, and share consumers’ personal information, including when processing opt-out requests.

When trying to verify the identity of a requester, a company should ask if collecting any more information from the person is necessary and if it already has a name and email for the individual on file.

Gathering more information from someone than is needed, such as collecting their precise geolocation data, might risk revealing other sensitive information, the CPPA said.

The advisory included examples of appropriate and inappropriate requests by businesses for additional information from someone who has made a request under the law.

“We intend for our enforcement advisories to promote voluntary compliance but sometimes stronger medicine will be in order,” said Michael Macko, the agency’s deputy director of enforcement, in a press release. “We won’t hesitate to act when necessary.”