What is the difference between a business purpose and a commercial purpose under the CCPA and why is it important?
In short, the difference is one of what realm of things might be done with the data, and it is important because it might greatly change the obligations of a business.
Let's first take a look at the definitions of business and commercial purposes.
'Business purpose' means the use of personal information for the business's or a service provider's operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
(3) Debugging to identify and repair errors that impair existing intended functionality.
(4) Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
(6) Undertaking internal research for technological development and demonstration.
(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business. CCPA, Section 1798.140 (d)
'Commercial purposes' means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. 'Commercial purposes' do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism. CCPA, Section 1798.140 (f)
Different Obligations for Commercial Purpose
Classifying data with business purposes and not commercial purposes, can have a big impact in several areas.
One way of defining a business that falls within the jurisdiction of the CCPA is one that, among other things, "annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices." CCPA, Section 1798 (c). Note that this provision does not count consumers, households or devices where the data is sold or shared for business purposes. To the extent data is not sold or shared for commercial purposes, the CCPA might not apply at all.
Requests to Know
Under proposed regulation changes, in some narrow cases (data is not searchable or in a reasonably accessible format, and is held for legal or compliance purposes), a business would not be required to search for PI at all in reference to a consumer request if certain conditions were met, including that the business does not sell the PI or use it for any commercial purpose. Proposed ' 999.313 (c), 3, c.
Requests to Delete
In some cases, deleting data might be delayed until next used for a commercial purpose. "If a business stores any PI on archived or backup systems, it may delay compliance with the consumer's request to delete, with respect to data stored on the archived or backup system, until ' next accessed or used for ' commercial purpose." Proposed ' 999.313 (d) 3.
Service Providers and Third Parties
Service providers and third parties are obliged not to disclose PI for commercial purposes other than providing the services specified in their contract with a business. CCPA, Section 1798 (w), (v). There is no similar business purpose restriction.
Commercial Purpose Check
Do you have commercial purpose data? If you have a data map, open it up and take a look at each high-level portion of data (the highest levels on the map). It could be at the database level, for example. For each item, was the data collected to accomplish any of the commercial purposes under the CCPA? :
Commercial Purpose under CCPA Induce consumer to buy Induce consumer to rent Induce consumer to lease Induce consumer to join Induce consumer to subscribe Induce consumer to provide Induce consumer to exchange products Induce consumer to exchange goods Induce consumer to exchange property Induce consumer to exchange information Induce consumer to exchange services Enabling, directly or indirectly a commercial transaction Effecting, directly or indirectly a commercial transaction
Go through the entire data map at a high level and answer this same question. To the extent data turns out to be non-commercial in nature, the obligations might change. It could mean that the CCPA does not apply at all. Or it could mean that, while the CCPA applies, business can work with service providers or third parties without the restriction on business purpose use.