In March of this year, we wrote about “secondary use” consent requirements under the CCPA and Colorado’s CPA. Since that post, the number of U.S. state privacy laws has roughly doubled. Determining consent requirements under so many similar but slightly divergent laws can be an overwhelming undertaking. Distinguishing between primary and secondary uses of personal data is important because a primary use of personal data does not generally require a data subject’s explicit consent (absent additional factors like the use of sensitive information). A secondary use, conversely, requires consent (unless an exception to the law applies, like processing for legal compliance). To help with compliance, we created the chart below that details secondary use consent requirements by state. We conclude with our tips on how best to ensure proper consent is obtained.
Striving for Compliance
True to form, California takes a unique approach. As you can tell from the chart above, there are essentially two approaches to consent for secondary use: the California approach and the Connecticut approach (while Colorado’s statute uses different wording than Connecticut’s, practically speaking, the approach to compliance remains the same).
Using data secondarily in California requires a more nuanced analysis of whether consent is required than in states that follow the Connecticut approach. The “reasonable expectations” standard is undefined. Therefore, we recommend considering how familiar consumers are with your industry and its practices generally. Under other statutes, a reasonable consumer’s expectations are not determined by the ideas of a few consumers, but instead by whether “a significant portion of the general consuming public” holds such a belief.1 The more familiar a consumer is with your industry and its data use practices, the more likely it is that using data in line with those industry practices will not require consent. We also recommend shaping consumers’ expectations through conspicuous disclosures, including your privacy notice, just-in-time notices, and other notification mechanisms that make data use practices more visible and, therefore, more likely to be what an average consumer should expect.
The CCPA regulations lay out some of the factors that the California Attorney General (AG) will consider when determining a consumer’s reasonable expectations. These include:
- The relationship between the consumer and the business.
- The type, nature, and amount of personal information that the business seeks to collect or process.
- The source of the personal information and method of collection.
- The specificity, explicitness, prominence, and clarity of disclosures to consumers.
- The degree to which the involvement of service providers, contractors, third parties, or other entities involved in the collecting or processing of the personal information is apparent to the consumer.
Using data secondarily in other states requires companies to consider whether such a use was anticipated in the notice provided to consumers. If not, a company would likely need to launch an in-product consent or similar interface to capture data subjects’ permission for the secondary use. That analysis raises several tricky operational issues.
- Separate Notices, but One Database. Different privacy notices (i.e., different versions of the same enterprise-wide notices or separate product-specific notices) might have been disclosed to consumers. Most companies don’t store data separately based on the privacy notice under which the company collected the personal data. Secondary use concerns therefore arise if any of the privacy notices under which the data was collected don’t adequately describe a desired processing activity. A company should collect opt-in consent, therefore, if any of the applicable privacy notices—not just the current notice—inadequately describe a new processing activity.
- Processing Role and Customer Backlash. Moreover, new uses of personal data might change a vendor’s role from a processor to a controller, which might trigger notice and consent requirements with respect to both customers and consumers. Those notice and consent requirements might introduce substantial business risk from concerned customers. Product teams should consider the business risk of making any contractual changes or seeking customer consent. Some customers may rely on a company’s processor status for the customer’s own legal compliance. We’ve also seen commercial pushback against changes to terms that allow for AI model training. Deciding to seek customer and consumer consent for new uses of data is therefore a business choice as much as a privacy-compliance choice.
Of course, although the “reasonably necessary” and “compatible with the disclosed purposes” language of the state statutes does give companies a bit of leeway in how much they need to disclose up front, the safest approach is to disclose the use case from the outset.
Footnotes
1 Moore v. Trader Joe's Company, No. 19-16618 (9th Cir. July 15, 2021).