The applicability of some provisions of the California Consumer Privacy Act (CCPA) depends on the purposes for which the data is collected or shared. In addition, as you go about creating a thorough inventory of your data and the data flow (“data mapping”), you will need to identify the personal information you collect, use, share, retain and destroy. However, under CCPA you will also have to disclose to the public whether the purpose for obtaining and sharing that data is for business or commercial use. Therefore, understanding the difference between those two categories is important.
CCPA defines ‘business’ and ‘commercial’ purposes explicitly, so let’s start there.
- “Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.
- “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial Purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
CCPA provides examples of activities that constitute a business purpose but does not expand on commercial purposes. The expected Attorney General guidelines could expand on this list by providing other examples distinguishing business and commercial purposes, but for the time being CCPA provides the following list of business purposes:
Business Purpose Examples:
- Auditing. Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Security. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging. Debugging to identify and repair errors that impair existing intended functionality.
- Short term use. Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Services. Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- Research. Undertaking internal research for technological development and demonstration.
- Quality/Safety. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
Takeaway: For the purposes of data mapping, and the notice that will be required in privacy policies, you will need to know the business or commercial purpose for which any personal information is collected and shared, so your data mapping should take this into consideration.