In a provision that has not yet received much attention, the California Consumer Privacy Act imposed the fair information principle of “purpose limitation” on businesses subject to the law. As we explain below, this provision and the way the California Attorney General’s Office has sought to implement it may have important consequences for businesses when evaluating whether the personal information they have collected from consumers can be used for purposes not specifically contemplated at the time of collection.
Background
In its simplest form, under the purpose limitation principle, personal information collected for one purpose may not later be used for a different purpose. It, therefore, establishes boundaries around the ways that data controllers may use personal information. If a data controller wishes to alter these boundaries and use data for purposes not reasonably expected by the data subject at the time of collection, it must go back to the data subjects and, at a minimum, inform them of the new purposes.
As this principle has been applied and interpreted since it was introduced in the early 1970s, data controllers are afforded some wiggle room to use personal information for purposes they did not explicitly specify at the time of collection. In European data protection law, this wiggle room is expressed as purpose “compatibility.” Article 5.1.b of the EU General Data Protection Regulation, for example, allows personal information to be processed for new purposes that are “not considered to be incompatible” with the original purpose of the collection.
The U.S. Federal Trade Commission has historically enforced the purpose limitation principle through its authority to bring enforcement actions against "unfair or deceptive acts or practices" under Section 5 of the FTC Act. In a 2004 enforcement action against Gateway Learning, for example, the FTC claimed that after making a representation in its privacy policy that it would not sell, rent or loan any personal information without consent, the company acted deceptively when it subsequently changed this policy to allow such disclosures, without sufficiently informing consumers. And in a 2014 case against Goldenshores Technologies, the FTC treated as deceptive the failure of a flashlight application to sufficiently disclose that, when users ran the app, it would transmit their devices' precise geolocation information to third parties.
Purpose limitation in the CCPA and attorney general rulemaking
Although it did not appear in the original 2018 ballot initiative, the final CCPA that was signed into law June 28, 2018, contained the following purpose limitation provision in Section 1798.100(b):
"A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to … the purposes for which the categories of personal information shall be used. A business shall not … use personal information collected for additional purposes without providing the consumer with notice consistent with this section."
The attorney general proposed clarifying guidance on how to implement this requirement in Section 999.305 of the rules it proposed Oct. 11, 2019. Subdvision (a)(3) of this rule explained that:
"A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose."
A number of commenters took issue with the attorney general’s proposal. They argued that requiring a consumer’s opt-in consent for every new purpose discouraged businesses from using customer data in innovative ways and would result in “notice fatigue.” One commenter, the State Privacy and Security Coalition, suggested that the attorney general look to other privacy regimes for guidance. It observed that “well established privacy frameworks, including the FTC framework and (GDPR), permit additional uses of personal information that are consistent with the original purposes for collection and notice provided.” Arguably, the attorney general's proposal also was inconsistent with the principle adopted by the FTC in Gateway Learning, which only required express, affirmative consent for new uses made of previously collected information.
The attorney general apparently thought this criticism had merit because in the first modification it released Feb. 10, 2020, it narrowed the scope of the explicit consent requirement to purposes “materially different” from those disclosed in the original notice. In the final statement of reasons it released a few months later, the attorney general explained the change was intended to align the regulation with “privacy best practices.” The best practice the attorney general cited as its model was the “materiality” standard the FTC had articulated in its influential 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change.” In the 2012 report, the FTC recommended that companies “obtain affirmative express consent prior to making certain material retroactive changes to their privacy practices,” effectively the principle the FTC adopted after the Gateway Learning case.
But this was not the end of the saga.
After the final review of the attorney general's draft regulations by the California Office of Administrative Law, it was struck in its entirety. In an addendum to its Final Statement of Reasons published July 29, 2020, the attorney general noted only: "The OAG may resubmit this section after further review and possible revision." One of the reasons Office of Administrative Law reviews draft regulations is to make sure they are consistent with the statute, so it is possible that it questioned whether Regulation 999.305(a)(5) fully aligned with the scope of the statutory requirement in 1798.100(b).
Even if that is the case, it is clear the attorney general views additional notice and consent as relevant to its enforcement of the CCPA, and it may take this position informally in enforcement. And even if not specifically required under the CCPA, the attorney general can take the position that this type of consent rule is required under its standard consumer protection jurisdiction, for example, under California's Unfair Competition Law, which, in a manner similar to the FTC Act, broadly prohibits fraudulent and harmful business practices.
What does this mean for businesses?
Although we still don’t have a final answer on California’s regulations, the rulemaking record to date provides valuable guidance to businesses about how they decide whether a new use of already-collected consumer information is “material” and when they should seek to obtain new consumer consent.
Both the CCPA and FTC’s 2012 report provide a fair amount of guidance on the types of new purposes the agencies are likely to view as less problematic. Called “business purposes” in the CCPA or “internal operations” purposes in the 2012 report, these new uses involve activities consumers generally might expect to occur in the context of their relationship with the businesses, including security enhancements, internal auditing, technological upgrades and first-party marketing.
Borrowing from the GDPR’s formulation, the CCPA explains that a business purpose may be an “operational purpose that is compatible with the context in which the personal information was collected.” That is not to say there is carte blanche to engage in these types of internal business purposes. Businesses still should undertake a review of existing disclosures to consumers and assess whether, based on those disclosures, consumers would reasonably believe that the business is or is not engaging in those activities.
Material differences, on the other hand, are new purposes that will likely take consumers by surprise and use their data in a significantly different, new context.
The FTC 2012 report provides the example of a car dealership’s relationship with a customer who has recently purchased a car. The customer will reasonably expect the dealership to use the customer’s information to send service reminders or special offers on parts. Sharing the customer’s information with a third-party data broker, however, would not be a reasonably expected purpose and would require new consent from the customer.
Similarly, the attorney general provides the example of a customer who has allowed a company to use their information to market relevant products to them. If the business wanted to start using the information for psychological experiments, however, new consent would be required. “When businesses change practices midstream,” the attorney general comments, “the consumer should have the opportunity to decide whether to agree to the new purpose.”
At the end of the day, when assessing a new data use case, businesses would be well advised to undertake a purpose compatibility assessment. This assessment should assess the link between the original purposes specified at the time of the collection and the new purpose and what consumers' perception is likely to be, the impact of the new purpose on consumers, and the steps the business is taking or can take to minimize the privacy impact on the consumer, including whether to provide a new notice or obtain new consent.
Photo by Rezaul Karim on Unsplash