California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
Commercial use of personal data has exploded in recent years, with large tech firms in particular processing staggering amounts of data. In response, data privacy laws like the CCPA have started imposing data minimization rules that restrict the collection and use of personal information.
The California Privacy Protection Agency (CPPA, in case you needed another acronym to remember) released an updated set of regulations to provide clarity on this and many other issues.
For some context on how many “other issues” were clarified in these regulations, it is worth mentioning that they were over 65 pages long. This will be the first of a series pulling out the highlights to keep you informed.
Note: Examples in italics are taken directly from the regulations.
Under the CCPA, all processing of personal information must be reasonably necessary and proportionate to achieve one of the following:
The CPPA’s regulations go on at some length explaining this rule, providing many answers and signaling that the agency considers this to be an important area of compliance.
Because many might disagree on what “necessary and proportionate” means, the CCPA regulations have identified three factors to consider:
Any purpose for which personal information is collected or processed must be consistent with consumers’ reasonable expectations.
Determining what “reasonable expectations” are is context-specific and based on a couple of factors:
Example: If a mobile flashlight application is collecting consumers’ geolocation data in order to share it with advertisers, this likely does not meet consumers’ reasonable expectations.
This applies to “further processing,” i.e., when a business uses personal information for purposes beyond why it was originally collected.
When determining whether such processing is compatible with the original context in which it was collected, businesses should consider the strength of the link between the processing purpose and the consumer’s reasonable expectations.
Examples: A strong link exists when a consumer provides their personal information in connection with receiving a service and their information is also used to fix errors that impair that service. A weak link exists when a person provides photographs to be stored in a cloud server and those photos are used to research and develop an unrelated facial recognition software.
If your business determines that a processing activity does not meet these requirements, it may still be allowed if you first collect the consumer’s consent.
Consent under the CCPA must be informed, unambiguous, and affirmatively given (meaning no pre-checked boxes). It is important to note, however, that even with consent, collection and use of personal information must be reasonably necessary and proportionate to achieve a disclosed purpose.
Here’s an example: A business collects customers’ email addresses for the purpose of sending them an electronic receipt, but also shares that data along with information about their purchases with a social media site in order to serve targeted ads to them on that site.
This use of their personal information does not meet consumers’ reasonable expectations and is not compatible with the original context for collecting the data (i.e., sending them a receipt). However, the business can still use the data in this way if it gets consent when collecting the email addresses.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.