
The Honorable Xavier Becerra

Attorney General
ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013

15 October 2019

Comments on proposed regulations

Dear Mr Becerra,

I represent Brave, a rapidly growing Internet browser based in San Francisco. Brave
is at the cutting edge of the online industry. Its CEO, Brendan Eich, is the inventor of
JavaScript, and co-founded Mozilla/Firefox. Brave is headquartered in San Francisco
and innovates in areas such as private online advertising, machine learning,
blockchain, and security.

I write to commend you on your proposed regulations, and to raise two matters.

First, our previous letter, of 8 March 2019, raised concerns about four possible
loopholes in the Act. These concerns are not fully allayed. I enclose our previous
letter herewith for your attention.

Second, we are glad to see that your proposed regulations include purpose
specification and believe a definition of the scope of a purpose should be included to
aid enforcement.

Need to define the scope of a “purpose”

We are glad to observe that purpose specification, which has been a key component
of the Fair Information Practice Principles since 1973, is articulated in your proposed
regulations:

“A business shall not use a consumer’s personal information for any purpose other than those
disclosed in the notice at collection. If the business intends to use a consumer’s personal
information for a purpose that was not previously disclosed to the consumer in the notice at
collection, the business shall directly notify the consumer of this new use and obtain explicit
consent from the consumer to use it for this new purpose.”1

1 §999.305 (a)(3).

San Francisco 512 Second St., Floor 2, San Francisco, CA 94107


This has the potential to profoundly improve Californians’ privacy.

However, there is no definition of a “purpose” or its scope in the regulations.2 This
may render the concept of a purpose meaningless.

For example, many separate purposes that should be disclosed clearly will instead
be conflated into a vaguely worded catch-all purpose that has no meaning. A
business can undermine the consumer’s privacy rights by framing their purposes in
open-ended language at the time of collection, thereby sidestepping the requirement
you propose in §999.305 (a)(3) for a consumer’s explicit consent before their personal
information is used for additional purposes.

European regulators have grappled with this question, and determined that a
purpose must be “sufficiently unambiguous and clearly expressed.”3 This ensures
that “individuals will know what to expect: the way data are processed will be
predictable” and prevents “unanticipated uses” of the information.4

We commend you for your work on these regulations so far. From our
perspective as a business headquartered in California, they are clear and
proportionate, and improve Californians’ privacy protections.

We will be happy to help you in any way that we can.

Sincerely,

Dr Johnny Ryan FRHistS


Chief Policy & Industry Relations Officer

2 It does not appear to refer to what the Act defines as “business purposes” in §1798.140 (d) or “commercial purposes” in
§1798.140 (f).
3 “Opinion 03/2013 on purpose limitation”, Article 29 Working Party, 2 April 2013, p. 12.
4 “Guidelines on consent under Regulation 2016/679”, Article 29 Working Party, 28 November 2017, p. 12.
