One internet search of the CCPA¹ or the CPA² reveals a plethora of articles outlining standard data protection requirements under those laws, from privacy notice requirements to new mandatory contractual provisions. But the privacy media has largely overlooked new data minimization requirements with potentially massive operational consequences. So, what is this hidden landmine in the California and Colorado laws?

Both laws require explicit, opt-in consent from the consumer to use personal data in a “secondary” way.

In this article, we explain what constitutes a “primary” versus “secondary” use of data under each law, how to determine when consent is needed, and how to reduce the risk of a regulator accusing your company of engaging in “secondary” purposes without consent.

Secondary Use under the CCPA

Neither the CCPA nor its implementing regulations explicitly use the term “secondary use.” However, Section 7002(a) of the regulation mandates that any time information is used in a manner that is inconsistent with what the “average consumer” would expect, the business must obtain explicit consent for that use.

The average consumer standard is not easy to decipher. Even disclosing a use in your privacy notice doesn’t absolve a use from being “secondary.” We advise companies to consider at least two factors consider (among others) when determining if data is being used in a manner the average consumer would expect.

First, consider how familiar consumers are with your industry and its practices generally. Consumers might be more familiar with data usage practices in those industries with which they interact more frequently. For example, an average consumer might be more familiar with how social media or cable TV providers use their data compared with an industry that does not directly interface with consumers (e.g., data brokering, although under the consumer expectation legal standard data brokers may be grateful for how they have been portrayed by federal and state regulators and the media for a while now). The more familiar consumers are with your industry and its practices, the safer you can feel knowing that certain uses of personal data will not require explicit consent.

Second, companies can shape a consumer’s expectation with conspicuous disclosures outside of a long privacy notice. The AG notes that “marketing materials” may shape a reasonable consumer’s expectation. Even if a consumer is familiar with your product or services, it is nonetheless crucial to publicly describe your products and services in an accurate and transparent manner.

Opt-in consent for secondary uses is inconsistent with the CCPA for the reasons described below, and companies should consider challenging the requirement:

• First, the regulations turn the CCPA from an opt-out to an opt-in regime. A consumers’ right to opt out of personal data sales is at the core of the CCPA’s structure (e.g., that right is the focus of multiple mandatory disclosures, including a website link separate from the privacy notice). Moreover, California created a data broker registry requiring companies (who have no direct relationship with consumers) to publicly register with the California Attorney General. That registry publicizes the data broker’s opt out of sale mechanism. Requiring opt-in consent for uses of which consumers have no knowledge or expectations obviates the need for such a registry.
• Second, the regulations tell that disclosing personal data to even service providers may be a “secondary” use if the consumer is not aware of or directly interacting with the service provider. That undermines the CCPA in two ways. Consumers don’t knowingly engage with many service providers, despite those service providers forming a part of almost any web-based offering (e.g., website hosting providers). To account for that lack of privity, the CCPA requires “businesses” to flow consumer rights requests down to service providers and limit service providers’ use of personal data.Also, the CCPA has a separate exception to the CCPA’s opt-out rights for disclosures pursuant to the consumer’s intentional interaction (thereby facilitating such sharing).

Companies or industry groups should consider challenging such regulations as potentially ultra vires as well as undermining the statute’s structure.

Secondary Use under the CPA

Colorado’s law is more straightforward and easier to follow. Under Rule 6.08 of the regulations implementing the CPA, a “secondary use” of personal information is any use that is different than the processing purposes disclosed to consumers at or before the time of collection.

A company wanting to avoid the “secondary use” designation should therefore expansively draft its privacy notice to disclose all contemplated processing purposes. The Colorado rules’ requirement to collect consumer consent after making material changes to a privacy notice underscores that requirement.

Conclusion

Designating a processing purpose as “primary” or “secondary” is crucial in ensuring that your company has the appropriate consent mechanisms in place. A primary purpose does not need explicit consent. A secondary purpose does. Taking the time to conduct this review will help ensure that you are processing data in a compliant way and need not build opt-in consents. At the same time, it might signal a mature privacy compliance structure to regulators.

Footnotes

¹ California Consumer Privacy Act of 2018.
² Colorado Privacy Act.