Secondary use and opt-in consent regulations passed in California and Colorado without much fuss from privacy professionals. But they can have significant operational impacts on organizations that use personal data for a purpose that was not adequately disclosed at the time of collection. California and Colorado now require explicit opt-in consent for “secondary use” of personal data.
Secondary Use Under California Law
California regulations dictate that if personal data is used in a way that does not comport with what the “average consumer” would understand from the notice at collection, or that is a new or different use from that described in the initial notice, explicit opt-in consent for that use must be obtained. While not employing the term “secondary use,” the regulations address just that: a use secondary to or different and unexpected from the originally disclosed use.
The California Regulations
The California Regulations (“Regulations”) have provisions that more generally address data minimization principles. For instance, California Code of Regulations, Title 11, Section 7002, subpart (d) requires that “the collection, use, retention, and/or sharing of a consumer’s personal information to achieve [a stated] purpose [be] reasonably necessary and proportionate . . . to achieve any purpose for which the business obtains the consumer’s consent . . . ”
Within that context, the collection and processing of personal data must comport with the consumer’s reasonable expectations at the time of first notice, and any material deviation from the consumer’s reasonable expectations must be met with a new notice at the time of collection or processing, as well as with consumers’ explicit opt-in consent.
The requirements are succinctly stated: “[a] business shall not collect categories of personal information other than those disclosed in its notice at collection . . . If the business intends to collect additional categories of personal information or intends to use the personal information for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, the business shall provide a new notice at collection.”
An escape clause or a “reasonableness” inquiry trap
The Regulations do provide a limited escape clause: additional notice and opt-in consent are not required if “[a]nother disclosed purpose . . . [is] compatible with the context in which the personal information was collected” and the purpose of the collection and processing is consistent with the consumer’s reasonable expectations.
In this context, “reasonable expectations” is defined by examples of what might be and what would not be reasonably expected. Two such examples follow:
- [I]f the consumer is intentionally interacting with the business on its website to purchase a good or service, the consumer likely expects that the purpose for collecting or processing the personal information is to provide that good or service. By contrast, for example, the consumer of a business’s mobile flashlight application would not expect the business to collect the consumer’s geolocation information to provide the flashlight service.
- [I]f the consumer is providing their personal information directly to the business while using the business’s product or service, the consumer likely expects that the business will use the personal information to provide that product or service. However, the consumer may not expect that the business will use that same personal information for a different product or service offered by the business or the business’s subsidiary.
The first example pairs scenarios from the extreme ends of the reasonableness scale and offers little guidance for a genuine evaluation; the second suggests that a consumer would not expect to receive advertisements or notices concerning new products or services, even ones related to the product or service originally purchased. If a consumer buys an electronic product, wouldn’t they reasonably expect to be contacted by a related service provider about an extended warranty? Apparently the answer is no, unless that use of the information was disclosed at the time of collection.
The challenge under California law
The challenge for each company faced with a potential “secondary use” of consumers’ personal data is whether it adequately disclosed all potential and actual uses of personal information at the time of first collection. The follow-up challenge, if it did not, is whether the company is willing to be the test case for how elastic the reasonableness evaluation is under California law.
Secondary Use Under Colorado Law
Colorado addresses secondary use differently from California. Rather than focusing wholly on a consumer’s reasonable expectations regarding the use of personal information, Colorado focuses on whether the new processing is reasonably necessary to the collection, use, and processing activities as originally disclosed.
The Colorado Rule
Unlike California’s less-than-direct treatment of “secondary use,” Section 6.08 of the implementing regulations of the Colorado Privacy Act (“CPA”) addresses “secondary use” head-on. While “secondary use” is not included in the definitions section, it is applied in Rule 6.08, titled “Secondary Use.” That Rule treats as a “secondary use” any use of personal information that differs from the purpose of the processing disclosed to consumers at the time of collection. Specific opt-in consent is required only if the additional use is not reasonably necessary to the processing activities as originally disclosed.
Seven reasonableness factors
The Colorado Rule lists seven factors to consider in determining whether the new processing is reasonably necessary to the originally disclosed processing activities:
- The reasonable expectations of the consumer concerning the processing activities;
- The “link” between the original purpose and the purpose of the further processing activity;
- The relationship between the controller and consumer and the context of collection;
- “The type, nature, and amount of personal data subject to the new processing purpose;”
- The impact, including type and degree, to the consumer of the new processing purpose;
- The identity of the organization conducting the new processing activity or purpose; and
- Any additional safeguards put in place with regard to the processing, such as encryption or pseudonymization.
The seven factors provide escape routes, but the terms are subjective and open to different and inconsistent interpretations. In short, while neither as onerous nor as lengthy as the California Regulations, the Colorado Rule suffers from some of the same implicit flaws and difficulties of interpretation as the California law.
California and Colorado laws lack guidance regarding “reasonableness”
In both states, secondary use depends, at least in part, on understanding and defining the reasonable expectations of the consumer. Consumers differ in knowledge about and concern for data privacy, so how then are reasonable expectations to be evaluated? Would they be evaluated according to the “average” consumer, and how will the average consumer of online products and services differ, if at all, from the average consumer of products and services purchased in person in brick-and-mortar stores? If not according to the “average” consumer, could any bright lines be drawn around reasonableness?
California at least offers examples of reasonable expectations, even if they sit at the extremes; Colorado lists factors to weigh but offers no examples of how they apply. California’s guidance on reasonableness is too broad to resolve the hard cases, and Colorado provides none at all.
Colorado, like California, presents a compliance challenge
In sum, just like the California Regulations, the Colorado Rule places companies at a crossroads: either prepare to litigate the reasonableness of a new use, the sufficiency of the notice at collection, and how much of a change in processing activity triggers a new notice, or take the safest path of obtaining opt-in consent whenever there is any change to the collection, processing, or use of personal information, and of providing an updated notice at collection whenever such changes occur.
Key Takeaways for California and Colorado Laws
Given the new regulations in California and Colorado, organizations must be more mindful than ever of their privacy practices and communications with consumers, and more vigilant about changes in processing activities that could trigger the opt-in consent requirements.
- Draft the notice at collection to be forward-looking, disclosing current and foreseeable future uses and processing activities involving personal data, so that a later use is not labeled a secondary use in the first place.
- If the collection, use, or processing of personal data changes beyond the scope disclosed at the time of collection, obtain opt-in consent from existing customers and update the notice at collection to adequately address the new collection, use, and processing activities.
- When drafting privacy notices, err on the side of over-inclusion of intended uses, processing activities, and the identification of processors, unless you want to be the test case for litigating concepts of reasonableness under these new laws.
How modCounsel can help
modCounsel has a team of privacy lawyers who regularly counsel clients on the impact of global privacy laws and regulations, such as the new California and Colorado opt-in requirements, on their operations, including marketing practices as well as product and service development and delivery.
More generally, modCounsel’s services include: creating and updating privacy policies and cookie notices to reflect changes in laws and practices; operationalizing DSARs; product counseling; development of data maps, ROPAs, PIAs, and DPIAs; and implementing privacy tools with the help of our Legal Operations team. If you have questions about our services or how we can help you, please contact us today.