Many businesses are worried about the CCPA/CPRA's broad definition of "selling" personal information. Under the CCPA (CPRA), "selling" personal information includes sharing it for any "valuable consideration" (benefit). A lot of routine business activities could fall under this definition.
However, there's an important exception. The definition of "selling" specifically excludes using or sharing personal information with a service provider for "business purposes."
The "business purposes" exception can allow a business to use and share personal information in a number of beneficial ways, including analytics, research, and marketing. But to avoid violating the CCPA (CPRA), it's crucial to understand the rules around "business purposes."
(Please note that the CCPA was updated, amended and expanded by the CPRA. The changes took effect on January 1, 2023.)
- 1. Why "Business Purposes" are Important
- 1.1. Differences Between Business and Commercial Purposes
- 1.1.1. Jurisdiction
- 1.1.2. The Right to Opt Out
- 1.1.3. The Right to Opt In (for Minors)
- 1.2. Obligations When Sharing Personal Information for a Business Purpose
- 1.2.2. Right to Know
- 2. Defining "Business Purpose"
- 2.1. General Definition of "Business Purpose"
- 2.2. Necessary and Proportionate
- 2.2.1. Necessity
- 2.2.2. Proportionality
- 2.2.3. Example
- 2.3. Contextual Compatibility
- 2.3.1. Example
- 2.4. The Seven Business Purposes
- 2.4.1. 1. Auditing
- 2.4.2. 2. Security
- 2.4.3. 3. Debugging
- 2.4.4. 4. Short-Term, Transient Use
- 2.4.5. 5. Performing services on behalf of the business or service provider
- 2.4.6. 6. Undertaking Internal Research
- 2.4.7. 7. Quality Assurance and Improvement
- 3. Summary
Why "Business Purposes" are Important
The CCPA (CPRA) recognizes two types of purpose for which a business or service provider might collect, use, or share personal information:
- Business purposes
- Commercial purposes
There are stricter rules around sharing personal information for commercial purposes (i.e. selling it) than there are around sharing personal information for business purposes.
Therefore, to avoid burdening your business with unnecessary legal obligations, you must clearly distinguish your purposes for collecting, using, and sharing personal information.
Differences Between Business and Commercial Purposes
There are several important differences between business purposes and commercial purposes.
Jurisdiction
Before a company falls under the jurisdiction of the CCPA (CPRA), it must meet one or more of the following three thresholds set out in the act:
Note that threshold "B" only applies to a business that buys, receives, sells, or shares personal information for commercial purposes.
A business that shares the personal information of more than 100,000 consumers for business purposes does not meet threshold "B" and would not need to comply with the CCPA (CPRA) (unless it meets either of the other two thresholds).
The Right to Opt Out
A business that shares personal information for commercial purposes (i.e. sells personal information) must allow consumers to opt out of the sale of their personal information. You don't need to allow consumers to opt out of the use or disclosure of their personal information for business purposes.
In other words, if a consumer requests that you do not share their personal information for business purposes, you do not have to comply with this request. If the consumer asks that you do not sell their personal information, you do have to comply.
Additionally, disclosing personal information for business purposes does not require you to create a "Do Not Sell My Personal Information" page.
The Right to Opt In (for Minors)
The CCPA (CPRA) prohibits the sale of the personal information of children under the age of 16 without prior opt-in consent. In the case of children under the age of 13, parental consent is required. This is known as "the right to opt in."
There is no obligation to obtain consent before disclosing children's personal information for business purposes.
Obligations When Sharing Personal Information for a Business Purpose
Although most of the CCPA/CPRA's obligations arise when selling personal information, there are also several obligations when sharing personal information for a business purpose.
- Whether you have disclosed personal information for a business purpose over the past 12 months
- The categories of personal information you have disclosed for a business purpose over the past 12 months
- The categories of third parties to whom you have disclosed personal information for a business purpose over the past 12 months
Right to Know
Under the right to know, consumers can request certain information about your business purposes for collecting and sharing their personal information, including:
- The business purpose(s) for which you collected their personal information
- Which categories of their personal information you have disclosed for a business purpose over the past 12 months
- The categories of third parties to whom you disclosed their personal information for a business purpose
- The business purpose for which you disclosed each category of their personal information
Defining "Business Purpose"
The definition of "business purpose" in the CCPA (CPRA) is very precise. It is important to ensure that your use or disclosure of personal information falls within the CCPA/CPRA's definition. If not, it may qualify as a "sale."
The CCPA/CPRA's definition of "business purpose" consists of two parts:
- A general definition
- A list of seven business purposes
We're going to take an in-depth look at both parts of the definition.
General Definition of "Business Purpose"
Here's the general definition of "business purpose" as it appears at Section 1798.140 (d) of the CCPA (CPRA):
So, a "business purpose" is the use of personal information for either:
- The operational purposes of a business or service provider, or
- Other purposes, as long as the consumer is notified
Using personal information in this way must be reasonably necessary and proportionate to achieve either:
- The operational purpose for which the personal information was collected or processed, or
- Another operational purpose that is compatible with the context in which the personal information was collected
Necessary and Proportionate
Using personal information for a business purpose must be "reasonably necessary and proportionate" for achieving an operational purpose of your business.
The CCPA (CPRA) doesn't define "reasonably necessary and proportionate." So how will you know whether using a consumer's personal information is reasonably necessary and proportionate?
The term "necessary and proportionate" is not common in US law. This term derives from the EU law that inspired the CCPA (CPRA), the General Data Protection Regulation (GDPR). It's hard to tell whether the California courts will interpret "necessity" and "proportionality" in the same way as the EU courts, but it's a good starting point.
When assessing whether it is "reasonably necessary" to use a consumer's personal information to achieve a given objective, consider whether you could achieve the same objective without using personal information.
If you can't, or if it would require a disproportionate effort to do so, then your use of personal information might be "reasonably necessary."
If it is necessary to use personal information to achieve your objective, you must assess whether your proposed use of a consumer's personal information is "proportionate."
In assessing proportionality, consider whether you could achieve your objective:
- Using a smaller quantity of personal information
- Using a less sensitive type of personal information
- By retaining the personal information for a shorter period
Example
Say you collect IP addresses from visitors to your website to defend against Distributed Denial of Service (DDoS) attacks. Under the CCPA (CPRA), an IP address is considered personal information, and detecting security incidents is recognized as a business purpose.
Consider the following questions to determine whether this use of personal information is reasonably necessary and proportionate:
- Is it necessary to use IP addresses? Can you detect security incidents in another way without using personal information?
- Do you need to collect the entire IP address? Can you log the first two or three octets only?
- How long do you need to store the IP addresses?
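The three questions above map onto concrete logging decisions. The following is an added example (not from the article) showing one way to answer them in code: store only the network part of each address (the first three IPv4 octets, generalized here to IPv6 as well), keep just what rate-based flood detection needs, and enforce a retention window. The prefix lengths, the 30-day window and the sample events are assumptions.

```python
"""Data-minimization helpers for a DDoS-detection log (added example, not from the article)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumed policy values: keep three IPv4 octets (/24), 48 IPv6 bits, retain 30 days.
IPV4_PREFIX = 24
IPV6_PREFIX = 48
RETENTION = timedelta(days=30)


def truncate_ip(addr: str, v4_prefix: int = IPV4_PREFIX, v6_prefix: int = IPV6_PREFIX) -> str:
    """Zero the host bits so the stored value identifies a network, not one device."""
    ip = ipaddress.ip_address(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def minimize_event(ts: datetime, addr: str) -> dict:
    """Record only what flood detection needs: a timestamp and a truncated source."""
    return {"ts": ts, "net": truncate_ip(addr)}


def prune_expired(events: list, now: datetime, retention: timedelta = RETENTION) -> list:
    """Drop records older than the retention window (the 'how long' question)."""
    cutoff = now - retention
    return [e for e in events if e["ts"] >= cutoff]


def hits_per_network(events: list) -> Counter:
    """Request volume per source network: still enough to spot a flood from one range."""
    return Counter(e["net"] for e in events)


# Constructed sample input: four requests, one of them 45 days old.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
RAW_EVENTS = [
    (NOW - timedelta(minutes=1), "203.0.113.77"),
    (NOW - timedelta(minutes=1), "203.0.113.200"),
    (NOW - timedelta(minutes=2), "2001:db8:abcd:1234::1"),
    (NOW - timedelta(days=45), "198.51.100.9"),
]
MINIMIZED = prune_expired([minimize_event(ts, a) for ts, a in RAW_EVENTS], NOW)

if __name__ == "__main__":
    for net, n in hits_per_network(MINIMIZED).items():
        print(f"{net}: {n} requests")
```

Two hosts in the same /24 collapse to one stored value, and the 45-day-old record is discarded, so neither a full address nor stale data is retained.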
Contextual Compatibility
A "business purpose" can be:
- The original operational purpose for which you collected a consumer's personal information, or
- Another operational purpose, so long as it's "compatible with the context in which the personal information was collected."
So, say you have a set of personal information, and you intend to use it for a new purpose other than that for which you originally collected it. How do you know your proposed new use of this personal information is compatible with the context in which you collected it?
The CCPA (CPRA) doesn't explain which contexts are compatible with one another. But again, this concept exists in the GDPR, so we can get an idea of how the CCPA/CPRA's authors may have intended this phrase to be interpreted.
The most relevant part of the GDPR is Recital 50, which explains the concept of "further processing." If you want to use personal information for a new purpose other than the purpose for which you collected it, consider these factors:
- Whether the new and original purposes are linked
- The context of your relationship with the consumer
- What the consumer might reasonably expect you to do with their personal information
- The nature of the personal information (whether it is sensitive information)
Example
Say you collect a consumer's personal information for the purpose of performing a service. For example, you collect the consumer's email address for the purposes of processing an order.
At the point of collection, you give the customer notice that you may send them marketing emails in the future, and you provide instructions for them to opt out of receiving such emails.
It is likely that your new purpose (sending marketing emails) is compatible with the context in which you collected the consumer's personal information (processing an order), given:
- You have an existing business relationship with the consumer
- The marketing material is likely to be relevant to the context in which you collected their personal information (e.g. an offer of similar products)
- There is a low risk to the consumer's privacy
- You have provided notice of the new purpose
The Seven Business Purposes
The CCPA (CPRA) lists specific business purposes. The wording of this section of the act implies that the list is exhaustive, i.e. that there are no business purposes other than these seven.
We're going to take a look at each of the business purposes. Bear in mind that the CCPA (CPRA) describes "using" personal information for a business purpose. However, most obligations arise when you disclose (share) personal information for a business purpose.
1. Auditing
Personal information may be disclosed for auditing purposes if the auditing is "related to a current interaction with the consumer and concurrent transactions."
The CCPA (CPRA) provides a non-exhaustive list of three examples of auditing:
- Counting ad impressions to unique visitors
- Verifying positioning and quality of ad impressions
- Auditing compliance with the CCPA (CPRA) and other standards
This implies that disclosing personal information to a third-party analytics or auditing service should not constitute "selling" personal information.
2. Security
Personal information may be disclosed for the following security-related activities:
- Detecting security incidents
- Protecting against malicious, deceptive, or fraudulent activity
- Prosecuting persons responsible for malicious, deceptive, or fraudulent activity
This business purpose may be relevant if you need to share personal information with companies that provide cybersecurity services, such as penetration testing.
3. Debugging
Disclosing personal information for debugging is permissible in order "to identify and repair errors that impair existing intended functionality."
The presence of the term "existing intended functionality" implies that you cannot use personal information for improving your services or testing new services under this business purpose.
4. Short-Term, Transient Use
Personal information may be disclosed for "short-term, transient use" as long as it is not:
- Disclosed to a further third party
- Used to build a profile about the consumer
- Used to alter an individual's experience outside of the current transaction
The CCPA (CPRA) provides one example of short-term, transient use: "the customization of ads shown as part of the same interaction."
This implies that disclosing personal information for the purposes of personalizing ads across multiple interactions or websites (i.e. using third-party tracking cookies) could constitute the "sale" of personal information.
5. Performing services on behalf of the business or service provider
A business may disclose personal information to a service provider to perform services on its behalf. A service provider may also disclose personal information to subcontractors that also act as service providers.
The CCPA (CPRA) provides examples of "services":
- Maintaining or servicing accounts
- Providing customer service
- Processing or fulfilling orders and transactions
- Verifying customer information
- Processing payments
- Providing financing
- Providing advertising or marketing services
- Providing analytic services
- Providing similar services on behalf of the business or service provider
Note that disclosing personal information for these activities is only valid as a "business purpose" if the relationship between the business and the service provider (or the service provider and its subcontractor) meets the CCPA/CPRA's requirements.
Under the CCPA (CPRA), a "service provider":
- Receives personal information from a business and processes it on behalf of the business
- Is subject to a contract that prohibits the retention, use, or disclosure of the personal information for any purposes other than:
  - Those specified in the contract, or
  - Those permitted under the CCPA (CPRA)
It's crucial that you engage service providers under a contract that meets these specifications. If you disclose personal information outside of a business/service provider arrangement then this disclosure may qualify as a "sale."
6. Undertaking Internal Research
You may use personal information to undertake "internal research for technological development or demonstration." However, bear in mind that there are strict rules around using personal information for research purposes.
The CCPA (CPRA) provides a specific definition of "research." Businesses must pseudonymize and de-identify personal information before they use it for research purposes, and ensure that it cannot be reidentified.
7. Quality Assurance and Improvement
Here's business purpose number 7:
Let's break that down.
This business purpose relates to a service or device that is owned by, manufactured by, manufactured for, or controlled by your business.
You may use personal information for the following purposes in respect of such a service or device:
- Verifying or maintaining its quality or safety
- Improving, upgrading, or enhancing it
Summary
The CCPA regulates how businesses share personal information for financial or other benefits. But businesses need to share personal information in beneficial ways for their core operational purposes.
To avoid being caught out by the CCPA/CPRA's broad definition of "sale," you should ensure your sharing of personal information falls within the CCPA/CPRA's "business purposes."
Under the CCPA (CPRA), you may disclose personal information where it is reasonably necessary and proportionate for your operational purposes. The CCPA (CPRA) provides seven such purposes:
- Auditing
- Security
- Debugging
- Short-term, transient use
- Performing services on behalf of a business or service provider
- Undertaking internal research
- Quality assurance and improvement