Brave has written to the Attorney General of California to highlight a critical omission in the CCPA regulations proposed last week.
Brave’s letter highlights the importance of purpose specification, a concept at the heart of the 1973 United States Fair Information Practice Principles, and commends the Attorney General for articulating purpose specification in his proposed CCPA regulations. However, the regulations fail to define the scope of an individual purpose. This is a critical flaw. Brave argues that it should be rectified in order to protect Californians’ privacy rights.
The Honorable Xavier Becerra
ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013
15 October 2019
Comments on proposed regulations
Dear Mr Becerra,
I write to commend you on your proposed regulations, and to raise two matters.
First, our previous letter, of 8 March 2019, raised concerns about four possible loopholes in the Act. These concerns are not fully allayed. I enclose our previous letter herewith for your attention.
Second, we are glad to see that your proposed regulations include purpose specification and believe a definition of the scope of a purpose should be included to aid enforcement.
Need to define the scope of a “purpose”
We are glad to observe that purpose specification, which has been a key component of the Fair Information Practice Principles since 1973, is articulated in your proposed regulations:
“A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.”
This has the potential to profoundly improve Californians’ privacy.
However, there is no definition of a “purpose” or its scope in the regulations. This may render the concept of a purpose meaningless.
For example, many separate purposes that should be disclosed clearly will instead be conflated into a vaguely worded catch-all purpose that has no meaning. A business can undermine the consumer’s privacy rights by framing their purposes in open-ended language at the time of collection, thereby sidestepping the requirement you propose in §999.305 (a)(3) for a consumer’s explicit consent before their personal information is used for additional purposes.
European regulators have grappled with this question, and determined that a purpose must be “sufficiently unambiguous and clearly expressed.” This ensures that “individuals will know what to expect: the way data are processed will be predictable” and prevents “unanticipated uses” of the information.
We commend you for your work on these regulations so far. From our perspective as a business headquartered in California, they are clear and proportionate, and improve Californians’ privacy protections.
Dr Johnny Ryan FRHistS
Chief Policy & Industry Relations Officer
 §999.305 (a)(3).
 It does not appear to refer to what the Act defines as “business purposes” in §1798.140 (d) or “commercial purposes” in §1798.140 (f).
 “Opinion 03/2013 on purpose limitation”, Article 29 Working Party, 2 April 2013, p. 12.
 “Guidelines on consent under Regulation 2016/679”, Article 29 Working Party, 28 November 2017, p. 12.