The California Consumer Privacy Act includes multiple references to the idea of a “business purpose” for the use of consumer Personal Information (“PI”). For businesses covered by the CCPA, it is crucial to understand what “business purpose” means generally, what information uses of the business it specifically includes, and what obligations it triggers. In short, this type of information use must be disclosed to consumers, but also is generally shielded from deletion requirements and receives other potential protections.
Under the CCPA, “business purpose” does not refer to categories of information so much as uses of information. Business purposes means the PI is being used for operational purposes, or other purposes disclosed to the consumer, where the use is (i) “reasonably necessary and proportionate” to achieve the operational purpose for which it was collected or processed, or (ii) for another operational purpose that is compatible with the context in which it was collected.
Businesses must disclose the “business purpose” for their collection, storage, and use of consumer data upon request and in general in their pre-collection notices to customers. Therefore, as a threshold matter businesses must understand their use of data in order to comply with the basic requirements of the CCPA.
The law provides a list of businesses purposes that appears to be exhaustive. These include, in shortened form:
- Auditing related to a current interaction with the consumer;
- Detecting and preventing security incidents;
- Debugging to identify and repair errors;
- Short-term, transient use that is internal and not used to build a consumer profile;
- Performing services such as maintaining accounts, providing customer service, and fulfilling orders;
- Undertaking internal research; and
- Undertaking activities to verify or maintain quality or safety of a service or device, in some circumstances.
It is critical to understand what uses of PI are for business purposes first because these uses must be disclosed to consumers upon request. Any business meeting its CCPA obligations therefore must understand what uses it put customer PI to, in order to fulfill this obligation.
Further, this type of information use is frequently exempted from deletion. Again it is worth emphasizing that “business purpose” does not refer to categories of information, but to uses of information. So therefore while “business purpose” cannot shield entire categories of information in all cases, it does cover information that businesses maintain in order to provide services to customers and to perform internal operational functions.
To take an example, consider a business covered by the CCPA that maintains customer contact information, transaction data, payment data, and preference data in order to provide a service customers and market to customers. If that business receives a request for data deletion from a customer who also wishes to maintain receiving services, the business should determine what customer PI it maintains for a business purpose so as to not delete that data. In this case, that will include the information needed to provide the service, which may include contact, transaction and payment data. On the other hand, any PI used to market to the customer would not fall under the business use exception and must be deleted per the customer’s request.
Understanding the business purpose for using customer PI is also crucial for managing relationships with vendors. The CCPA includes a “safe harbor” from liability for a vendor’s use of PI data if the vendor is a “service provider” and certifies that it will not do any of the following: 1) sell the customer PI, 2) store or use the customer PI for a purpose outside of the business relationship, or 3) store or use the customer PI for a purpose other than that included in the business agreement. This safe harbor therefore effectively states that uses of data by vendors for something other than a business purpose can lead to liability.
For example, a business hires a marketing company to do an email marketing campaign to its current customers and in doing so shares customer names, email addresses, and purchase history. The business can avoid liability for the marketing vendor’s use (or misuse) of customer PI if it executes a contract addendum with the vendor in which the vendor agrees to never sell the shared data, to only use it for email marketing campaigns at the direction of the business. The “business purpose” of their relationship is to market to customers. Notably, though, the business may still need to delete this customer data and ask its vendor to do the same, at the request of a customer, as “marketing” is not a business purpose for the purposes of a deletion request.
The CCPA is a complicated law with many pitfalls for companies, but understanding why a business uses customer PI is one key to compliance. In particular, understanding what uses qualify as “business purposes” and in what circumstances will help businesses know what to disclose to customers, what information must be deleted upon request, and how to shield those businesses from liability.