Purposes for processing under CCPA

“The literal rule should be used first, but if it results in absurdity, the grammatical and ordinary sense of the words may be modified, so as to avoid absurdity and inconsistency, but no further.” (In Grey v Pealson (1857), quote by Lord Wensleygale)

Last updated: Nov. 2019

Note: This article is based on my personal interpretation of CCPA based on the arguments laid out below. We are currently awaiting rules from the California Attorney General that may or may not align with my interpretation. As soon as guidance is available from the AG the article will be updated.

Key points:

An organization may process data under CCPA for

(a) its business or commercial purposes; or

(b) at the request of the consumer (consumer purposes).

Business and commercial purposes are mutually exclusive. Only disclosures for commercial purposes can constitute a sell.

CCPA expressly identifies two purposes under which organizations may process personal information: Business purposes and commercial purposes. (See, Cal. Civ. Code Sec. 1798.140 (d)&(f)). In addition CCPA implicitly recognizes another purpose: consumer purposes.

This article makes the case that business purposes and commercial purposes should be interpreted as mutually exclusive under CCPA. Since organizations need only disclose the business or commercial purposes for collecting or selling information a different interpretation would imply that CCPA allows businesses to hide purposes from consumers. Allowing organizations to hide purposes from consumers would be inconsistent with the intent of the legislator to “provide a high level transparency.” (see, AB 375 Sec. 2 (h)).

More specifically:

• Perhaps the most clear provision that supports our interpretation is the definition of “research.” In order for an activity to qualify as research under CCPA, it has to simultaneously “be “[c]ompatible with the business purpose for which the personal information was collected” and not entail any use for “commercial purpose” (See Cal. Civ. Code Sec. 1798.140 (s)(1)&(8)). If the definition of commercial purposes were to be broadly interpreted to virtually swallow the definition of business purpose, then under such expansive interpretation, no activity could qualify as research.
• In addition, in the context of the right of access and the right to be informed, businesses are required to disclose only the “business or commercial” purposes for collecting or selling the information, which tends to imply that the purpose for every disclosure has to be analyzed and deemed either business or commercial in nature, but not both (see Cal. Civ. Code Sec. 1798.110(a)(3)&©(3).
• Finally, the Act ties the role of service providers to disclosures for business purposes but not for “commercial purposes”, which again seems to indicate these two concepts should be interpreted as mutually exclusive.
• The interpretation is further consistent with the fact that the legislator created three distinct thresholds under the definition of business pursuant to Cal. Civ. Code Sec. 1798.140.(1): One based on gross revenue (intended to cover organizations of a certain size regardless of practices); one based on number of personal information records sold/bought or shared/received for commercial purposes (intended to capture medium and small organizations that engage in practices over which the consumer should have control); and one based on the percentage of income derived from sales of personal information (intended to capture all data brokers). An expansive interpretation of the concept of “commercial purposes” to include “business purposes” in the context of number of records threshold de-facto renders the other two thresholds meaningless, as virtually any organization these days shares more than 50,000 personal information records in any given year.

CCPA implicitly identifies a third purpose for processing: situations where the disclosures are triggered intentionally by the consumer (“consumer purposes”). See, for example, Cal. Civ. Code Sec. 1798.140 (t)(2)(A)&(B)). The lack of a requirement for businesses to either proactively disclose or provide upon request information about disclosures of information done for consumers purposes does not diminish the level of transparency. Bringing to the attention of the consumer that he or she has intentionally triggered a disclosure through the privacy policy or as part of the right of access is not necessary because the consumer is already aware. In most if not all situations, disclosures done for consumers purposes are simultaneously done either for business or commercial purposes.

BUSINESS PURPOSES UNDER CCPA:

CCPA provides a test to identify when processing is done for business purposes embedded in the definition of business purposes. Under CCPA, business purpose means “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.” (See, Cal. Civ. Code Sec. 1798.140(d))

Under the proposed interpretation, the above statutory language creates a three prong test:

(1) Valid objective test: Under this test, an objective would be deemed valid if it is:

• Either an operational requirement for the business or the service provider or it is otherwise “notified”, AND
• identical to the operational objective for which the information was collected or processed or otherwise operational and compatible with the context of the collection.

(2) Necessity test: Under this text, the processing must be “reasonably necessary” in order to achieve the valid purpose.

(3) Proportionality test: Under this text, the processing will be deemed valid if it is “proportionate.” “Proportionate” implies to adjust something as to make it harmonious with something else. In our opinion, given that the stated purpose of CCPA is to advance the constitutional right of privacy of Californians, in order to ensure the process is proportionate an organization should consider how it impacts the consumer’s right to privacy. Following this reasoning, an organization should identify what are the privacy interest of the consumer that could be impacted by the processing and whether those interests override the interest advanced by the processing.

Questions that would be relevant to perform the valid objective test would include:

• Why does the organization wants to process the personal information? What is it trying to achieve?
• Who benefits from the processing? In what way? How important are those benefits?
• What would the impact to the organization if it couldn’t process?
• Would the use of the data be unethical or unlawful in any way?

Questions that would be relevant to perform the necessity test would include:

• Does the processing actually help to further the specific purpose identified in the purpose test?
• Is there another less intrusive way to achieve the same result?

Questions that would be relevant to perform the proportionality test would include:

• What is the nature of the relationship between the organization processing the data and the individual?
• Is any of the data particularly sensitive or private? Is children’s data involved or the data of other vulnerable consumers involved?
• Would consumers expect this type of processing?
• If the organization were to explain the processing to a reasonable consumer, would the consumer object or find the processing intrusive?
• What is the possible impact on the individual? Can the organization adopt safeguard to minimize it?

CCPA defines ‘business purposes” to mean:

d) “Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.

See Cal. Civ. Code Sec. 1798.140 (d)

CCPA provides the following examples of activities that constitute business purposes:

(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

(3) Debugging to identify and repair errors that impair existing intended functionality.

(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.

(6) Undertaking internal research for technological development and demonstration.

(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

(See, Cal. Civ. Code Sec. 1798.140 (d)(1)-(7).)

It has been argued that the list of examples for “business purposes” is exhaustive and not just a list of possible examples because the statutory language that precedes the list is “Business purposes are.” However, a comprehensive interpretation of all of the language in CCPA leads to the opposite conclusion.

• First of all, if the list were exclusive, then the definition that precedes it would be unnecessary and meaningless.
• Also, CCPA specifically recognizes situations where data may be used for business purposes beyond the list of examples provided. For example, CCPA expressly recognizes that a business may use personal information in order to comply with “federal, state, or local laws” and states that such situations are not restricted by the obligations imposed on the business by the Act (See, Cal. Civ. Code 1798.145(a)(1)). This would be the case where an on-line marketplace is legally required to disclose to tax authorities the income derived by sellers using its platform. Such disclosure is neither done at the request of the consumer (therefore not done for consumer purposes) nor done to further the organization’s commercial interest (since the disclosure does not advance the business own economic interest). By exclusion, it must be done for the business’ purposes. The closest possible match in the list of examples of business purposes would be uses for security under Cal. Civ. Code Sec. 1798.140 (d)(2) but, since disclosing earnings to a tax authority is not related to an activity that is malicious, deceptive, fraudulent or illegal; the sharing in the example is not security related.

All of the examples of business purposes provided by the Act would be deemed business purposes following the test proposed above. However, where the objective is valid and the processing is both reasonably necessary and proportional, many activities beyond the examples providers can be considered done for “business purposes.” In fact, a wide range of activities could be done for business purposes, including both processing that serves the business and/or service provider own operational needs and purposes that are otherwise “notified” to the consumers. However, processing for business purposes requires taking on the responsibility for ensuring consumers’ rights and interests are fully considered and protected, as the organization would have to prove that the processing is both necessary and proportionate.

COMMERCIAL PURPOSES UNDER CCPA:

The CCPA defines ‘commercial purposes” to mean:

“Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.

See Cal. Civ. Code Sec. 1798.140 (f)CCPA does not expressly provide a test for commercial purposes nor does it need one. Since business and commercial purposes are mutually exclusive the test provided to identify what are business purposes also identifies what are commercial purposes.

However, CCPA provides an important clarification under Cal. Civ. Code Sec. 1798.140 (f) “‘Commercial Purposes’ do not include the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.” In other words, disclosures constitute non-commercial speech never can be deemed done for “commercial purposes.” This interpretation aligns with CCPA’s general reference at the beginning of the same paragraph that processing that advances the “person’s commercial or economic interest” is commercial in nature and with the examples provided such as inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or affecting, directly or indirectly, a commercial transaction. (See, Cal. Civ. Code Sec. 1798.140 (f)).

Under CCPA, only disclosures for commercial purposes (i.e. commercial speech) can be restricted as sales. Disclosure for business purposes are never a sale (the reasoning for this assertion is provided in the section below)

• The complex web of CCPA proactive obligations to disclose and provide access to information presume that a sale is something other than a disclosure for business purposes. Perhaps the most clear indication is the fact that CCPA requires business to provide consumers with two separate lists: one identifying personal information sold and one identifying personal information disclosed for business purposes (see Cal. Civ. Code Sec. 1798.130(a)(4)(B)&©, and Cal. Civ. Code Sec. 1798.115 ©(1)&(2)). If those lists were to contain overlapping information, the disclosures would be confusing and not be transparent to the customer. In addition, several provisions of CCPA make references to sells and disclosures for business purpose in either or terms (for example, under Cal. Civ. Code Sec. 1798.115 (b), a business that “sells personal information about a consumer, or that discloses consumer personal information for business purposes” has an obligation to provide access upon request to certain information).
• Allowing consumers to opt-out (opt-in for minors under 16) of transfers for business purposes (even where arguably there is consideration) would be inconsistent with the reason for which the right to opt-out/in was created. The stated goal of CCPA is to satisfy consumer’s desire “for privacy controls and transparency in data practices” by enabling them to “exercise control over their personal information” so that they can be “certain that there are safeguards against misuse of their personal information.” (See, AB 375 Sec. 2 (g)&(h)). The right to opt-out (opt-in for minors under 16) is the CCPA’s mechanism for consumers to exercise control. The control is meant to avoid “misuse.” A disclosure for business purposes is not misuse of personal information as it can only take place where: (i) there is a valid purpose (operational or otherwise notified and identical or compatible with the purpose for which the information was obtained), (ii) the disclosure is reasonably necessary to achieve such purpose, and (iii) interest of the consumer have been considered (i.e. is proportional).
• A different interpretation of the concept of sale would result inconsistencies as there would be situations where full compliance with CCPA is impossible. Because disclosures for business purposes must be “reasonably necessary” to achieve an operational purposes, if consumers were allowed to opt-out the ability of the business to provide its services to the consumer would likely be be compromised. For example, where a retailer shares address information with an courrier in order to mail products to the customer, if the customer was to opt-out the product could not be shipped. In those cases, honoring a request to opt-out would result in the business not being able to offer the services to the customer which would, in turn, run counter to CCPA as it could be deemed a discrimination by the business under Cal. Civ. Code Sec. 1798.125(a). Therefore, even where the business does not have a contract with the courier that complies with Cal. Civ. Code Sec. 1798.140(t)(2)© (the service provider safe harbor), the data transfer should not be deemed a sale provided that the business can prove that it is sharing data for business purposes.

The fact that a disclosure is non restricted by CCPA because the consumer has opted-in does not alter the purpose for which it is done, which would be still commercial in nature. For example, where an organization obtains opt-in consent (either from the minor or from the parents as appropriate considering the age) to transfer the data of a minor to a third party for consideration such transfer is excluded from the definition of sale under Cal. Civ. Code Sec. 1798.140 (t)(2)(A) yet it is done for commercial purposes.

It is important to note that the concept of commercial purposes under CCPA aligns to the constitutional doctrine of commercial speech, a form of protected communication under the First Amendment that does not receive as much free speech protection as other forms of noncommercial speech, such as political speech. Because only disclosures for commercial purposes can constitute a sale, CCPA does restrict data sharing that constitutes non-commercial speech, including political speech and journalism.

CONSUMER PURPOSES UNDER CCPA:

CCPA implicitly identifies a third purpose for processing: situations where the disclosures are triggered intentionally by the consumer (“consumer purposes”).

See, for example, Cal. Civ. Code Sec. 1798.140 (t)(2)(A)&(B)).

Three important limitations to bear in mind when considering if an organization is processing for consumer purposes are:

1. Organizations seeking to take advantage of CCPA’s safe harbor for disclosures prompted by the consumer to not be deemed a sale must meet a high standard. Specifically, the consumer must act intentionally (hovering over, muting, pausing, or closing a given piece of content do not qualify), the recipient has to be a third party, and the data must be used downstream in compliance with CCPA. (See, Cal. Civ. Code Sec. 1798.140 (t)(2)(A))
2. A consumer may only authorize processing related to his or her personal information (and not the information of others). The only exception to this general rule would be parents authorizing on behalf of their minor children under 13 or representatives authorizing on behalf of the individuals they represent.
3. A consumer authorization for a specific transfer does not necessarily extend to downstream processing that is inconsistent with CCPA.The applicability of some of the provisions of California Consumers Privacy Act (CCPA) is dependent on the purposes for which the data is held or shared to some extent.