Which action demonstrates proper need-to-know access for CPPA personnel?

The action reflects the principle of least privilege in practice: payroll data is highly sensitive, so only those who genuinely need it to perform their job should have access. Limiting access to personnel with a legitimate business need reduces the risk of accidental or intentional disclosure, strengthens accountability, and supports privacy protections under CPPA. This approach directly enforces proper access control, ensuring sensitive information is not exposed to those who don’t require it for their duties. In contrast, allowing any logged-in user to access payroll data, granting vendors simple-password access, or making access unconstrained by role or need would dramatically increase the chance of data leaks and noncompliance.