May 17, 2019

Can We Process Customer Information in a New Way?

Hypothetical:  

A retail company has launched an application that will supplement existing services and provide new ways to engage with its customers.  The application is designed to provide weekly updates of new products, as well as push notifications to pre-identified customers when there is a product launch that those customers find interesting.  After a successful launch, the company finds that the data collected by the application can be processed to derive significantly more information about customers than anticipated.  Now the company wants to use that data to do more for its customers, including more personalized and customized information.

Key Considerations:

  • Will the new processing actually involve personal information?  Most privacy laws apply only to, or only restrict the use of, personal information (sometimes termed personally identifiable information or personal data).  However, personal information has a broad range of definitions under applicable laws and regulations.  In some cases, anonymized or aggregated information may fall outside the ambit of data protection laws.  Accordingly, it is critical to identify the types of information needed for this new processing – and particularly whether the data is de-identified or aggregated – to assess any potential restrictions on its use.

  • What does your privacy policy say?  Any new forms of processing should be checked against your current privacy policies and the representations your company has made to customers and app users.  If your newly contemplated processing activities fall outside the uses your company previously disclosed to customers, you may be obligated to inform them of these changes, and may be limited to using only data collected after you updated your privacy policy for the newly disclosed uses.  According to Federal Trade Commission guidance, companies are expected to provide consumers the ability to affirmatively opt in before using information that has already been collected in a manner different from that initially disclosed.

  • Are there any limits imposed by applicable privacy laws?  Using consumers’ personal information is typically governed by applicable privacy laws, some of which are more restrictive than others.  For example, the EU’s General Data Protection Regulation (“GDPR”) requires companies to justify their processing of personal information under one of six lawful bases, and document and disclose the analysis underlying that justification, before engaging in a particular processing activity.  And under the new California Consumer Privacy Act, coming into effect in January 2020, a wide swath of activities will be considered a “sale” and subject to an opt-out requirement.  Companies will need to take appropriate steps depending on the applicable law’s requirements.

  • What exactly does this new processing entail?  Privacy laws and regulations apply not only to particular types of information, but also to various uses of that information.  For instance, processing customer information for email marketing purposes could fall under the purview of the Controlling the Assault of Non-Solicited Pornography And Marketing (“CAN-SPAM”) Act.  And the FTC has issued guidance on online advertising practices.  The company would need to ensure that any proposed activities do not fall within the purview of these kinds of laws and guidance, or at least ensure that the activities conform with any applicable requirements.