Why “Secondary Uses” of Data Should be your Primary Concern: New Consent Requirements under California’s CCPA and Colorado’s CPA
One internet search of the CCPA1 or the CPA2 reveals a plethora of articles outlining standard data protection requirements under those laws, from privacy notice requirements to new mandatory contractual provisions. But the privacy media has largely overlooked new data minimization requirements with potentially massive operational consequences. So, what is this hidden landmine in the California and Colorado laws?
Both laws require explicit, opt-in consent from the consumer to use personal data in a “secondary” way.
In this article, we explain what constitutes a “primary” versus “secondary” use of data under each law, how to determine when consent is needed, and how to reduce the risk of a regulator accusing your company of engaging in “secondary” purposes without consent.
Secondary Use under the CCPA
Neither the CCPA nor its implementing regulations explicitly use the term “secondary use.” However, Section 7002(a) of the regulation mandates that any time information is used in a manner that is inconsistent with what the “average consumer” would expect, the business must obtain explicit consent for that use.
The average consumer standard is not easy to decipher. Even disclosing a use in your privacy notice doesn’t absolve a use from being “secondary.” We advise companies to consider at least two factors (among others) when determining if data is being used in a manner the average consumer would expect.
First, consider how familiar consumers are with your industry and its practices generally. Consumers might be more familiar with data usage practices in those industries with which they interact more frequently. For example, an average consumer might be more familiar with how social media or cable TV providers use their data compared with an industry that does not directly interface with consumers (e.g., data brokering, although under the consumer expectation legal standard data brokers may be grateful for how they have been portrayed by federal and state regulators and the media for a while now). The more familiar consumers are with your industry and its practices, the safer you can feel knowing that certain uses of personal data will not require explicit consent.
Second, companies can shape a consumer’s expectation with conspicuous disclosures outside of a long privacy notice. The AG notes that “marketing materials” may shape a reasonable consumer’s expectation. Even if a consumer is familiar with your product or services, it is nonetheless crucial to publicly describe your products and services in an accurate and transparent manner.
Opt-in consent for secondary uses is inconsistent with the CCPA for the reasons described below, and companies should consider challenging the requirement:
- First, the regulations turn the CCPA from an opt-out to an opt-in regime. A consumers’ right to opt out of personal data sales is at the core of the CCPA’s structure (e.g., that right is the focus of multiple mandatory disclosures, including a website link separate from the privacy notice). Moreover, California created a data broker registry requiring companies (who have no direct relationship with consumers) to publicly register with the California Attorney General. That registry publicizes the data broker’s opt out of sale mechanism. Requiring opt-in consent for uses of which consumers have no knowledge or expectations obviates the need for such a registry.
- Second, the regulations tell that disclosing personal data to even service providers may be a “secondary” use if the consumer is not aware of or directly interacting with the service provider. That undermines the CCPA in two ways. Consumers don’t knowingly engage with many service providers, despite those service providers forming a part of almost any web-based offering (e.g., website hosting providers). To account for that lack of privity, the CCPA requires “businesses” to flow consumer rights requests down to service providers and limit service providers’ use of personal data.Also, the CCPA has a separate exception to the CCPA’s opt-out rights for disclosures pursuant to the consumer’s intentional interaction (thereby facilitating such sharing).
Companies or industry groups should consider challenging such regulations as potentially ultra vires as well as undermining the statute’s structure.
Secondary Use under the CPA
Colorado’s law is more straightforward and easier to follow. Under Rule 6.08 of the regulations implementing the CPA, a “secondary use” of personal information is any use that is different than the processing purposes disclosed to consumers at or before the time of collection.
A company wanting to avoid the “secondary use” designation should therefore expansively draft its privacy notice to disclose all contemplated processing purposes. The Colorado rules’ requirement to collect consumer consent after making material changes to a privacy notice underscores that requirement.
Conclusion
Designating a processing purpose as “primary” or “secondary” is crucial in ensuring that your company has the appropriate consent mechanisms in place. A primary purpose does not need explicit consent. A secondary purpose does. Taking the time to conduct this review will help ensure that you are processing data in a compliant way and need not build opt-in consents. At the same time, it might signal a mature privacy compliance structure to regulators.
Footnotes
Disclaimer
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.