“Secondary Uses” of Personal Data Should Still be Your Primary Concern: Consent Requirements under US State Privacy Laws

Since March of 2023, the number of comprehensive U.S. privacy laws has doubled. Many of these new laws contain an opt-in consent requirement that might affect your company’s operations—especially the use of personal data for product development, data science and marketing. The laws require consent for what we’ll call a company’s “secondary use” of personal data—although the concept is often unclear or ill-defined. A secondary use of personal data generally refers to data processing that isn’t tied to the purposes or context for which a company originally collected the personal data.

As a part of complying with the myriad of new US privacy laws, companies must consider whether obtaining opt-in consent for the “secondary uses” of personal data is required. The likelihood of needing to obtain opt-in consent is strongest if your company is using personal data for any purpose that may not have been: 1) originally described to the consumer (especially if you’re not collecting the information directly from the consumer); 2) reasonably expected by the data subject; or 3) is otherwise inconsistent with the original purpose. For more detailed information about the requirements, see our Legal Alert.
Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their