The new year brings increased protections for businesses and consumers under the California Consumer Privacy Act (CCPA).
The CCPA, which went into effect Jan. 1, is the country’s strongest privacy law. The new law gives consumers several new rights expected to result in more control and transparency regarding how businesses use consumers’ personal data. Among these rights is the ability to know what information a business collects about a consumer and what “business purpose” that information is used for.
The law also poses new challenges for businesses with compliance and risk management when sharing consumers’ data with third party vendors and partners.
Both consumer’s rights and businesses’ risks are informed by the businesses’ purpose for using consumer data. For example, the CCPA allows users to “opt-out” of the sale of their data. However, “business purpose” uses are also less restricted than other uses by the law and can actually shield businesses from liability in certain circumstances.
Therefore, businesses must understand not only what type of data they collect, use and store, but also the purpose of that collection, use or storage. In a nutshell, if data is collected, used or stored for a “business purpose,” this purpose must be disclosed to consumers, but also generally shields the data from deletion requirements and receives other potential protections.
Under the CCPA, “business purpose” does not refer to categories of information so much as uses of information. Business purposes means the PI is being used for operational purposes, or other purposes disclosed to the consumer, where the use is (i) “reasonably necessary and proportionate” to achieve the operational purpose for which it was collected or processed, or (ii) for another operational purpose that is compatible with the context in which it was collected.
Businesses must disclose the “business purpose” for their collection, storage, and use of consumer data upon request and in general in their pre-collection notices to customers. Therefore, as a threshold matter businesses must understand their use of data in order to comply with the basic requirements of the CCPA.
The law provides a list of business purposes that appears exhaustive. These include, in shortened form:
- Auditing related to a current interaction with the consumer;
- Detecting and preventing security incidents;
- Debugging to identify and repair errors;
- Short-term, transient use that is internal and not used to build a consumer profile;
- Performing services such as maintaining accounts, providing customer service, and fulfilling orders;
- Undertaking internal research; and,
- Undertaking activities to verify or maintain quality or safety of a service or device, in some circumstances.
This type of information use is frequently exempted from deletion. Again it is worth emphasizing that “business purpose” does not refer to categories of information, but to uses of information. So therefore while “business purpose” cannot shield entire categories of information in all cases, it does cover information that businesses maintain in order to provide services to customers and to perform internal operational functions.
For example, consider a business covered by the CCPA that maintains customer contact information, transaction data, payment data, and preference data to provide a service to customers and market to them. If that business receives a request for data deletion from a customer who also wishes to maintain receiving services, the business should determine what customer PI it maintains for a business purpose so as to not delete that data. In this case, that will include the information needed to provide the service, which may include contact, transaction and payment data. On the other hand, any PI used to market to the customer would not fall under the business use exception and must be deleted per the customer’s request.
Understanding the business purpose for using customer PI is also crucial for managing relationships with vendors. The CCPA includes a “safe harbor” from liability for a vendor’s use of PI data if the vendor is a “service provider” and certifies that it will not do any of the following: 1) sell the customer’s PI, 2) store or use the customer PI for a purpose outside of the business relationship, or 3) store or use the customer PI for a purpose other than that included in the business agreement. This safe harbor therefore effectively states that uses of data by vendors for something other than a business purpose can lead to liability.
For example, a business hires a marketing company to do an email marketing campaign to its current customers and in doing so shares customer names, email addresses, and purchase history. The business can avoid liability for the marketing vendor’s use (or misuse) of customer PI if it executes a contract addendum with the vendor in which the vendor agrees to never sell the shared data, to only use it for email marketing campaigns at the direction of the business. The “business purpose” of their relationship is to market to customers. Notably, though, the business may still need to delete this customer data and ask its vendor to do the same, at the request of a customer, as “marketing” is not a business purpose for the purposes of a deletion request.
The CCPA is a complicated law with many pitfalls for companies, but understanding why a business uses customer PI is one key to compliance. In particular, understanding what uses qualify as “business purposes” and in what circumstances will help businesses know what to disclose to customers, what information must be deleted upon request, and how to shield those businesses from liability.
Monica Baumann is a Certified Information Privacy Professional (CIPP) and chairs Scali Rasmussen PC’s Regulatory and Licensing Group. Baumann is a litigator and adviser with extensive experience in the automotive industry and in consumer environmental litigation. Learn more about Scali Rasmussen PC at scalirasmussen.com.