Professional Documents
Culture Documents
Brave Writes To The Attorney General of California Regarding The Scope of A Purpose
Brave Writes To The Attorney General of California Regarding The Scope of A Purpose
Attorney General
ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013
15 October 2019
Dear Mr Becerra,
I represent Brave, a rapidly growing Internet browser based in San Francisco. Brave
is at the cutting edge of the online industry. Its CEO, Brendan Eich, is the inventor of
JavaScript, and co-founded Mozilla/Firefox. Brave is headquartered in San Francisco
and innovates in areas such as private online advertising, machine learning,
blockchain, and security.
I write to commend you on your proposed regulations, and to raise two matters.
First, our previous letter, of 8 March 2019, raised concerns about four possible
loopholes in the Act. These concerns are not fully allayed. I enclose our previous
letter herewith for your attention.
Second, we are glad to see that your proposed regulations include purpose
specification and believe a definition of the scope of a purpose should be included to
aid enforcement.
We are glad to observe that purpose specification, which has been a key component
of the Fair Information Practice Principles since 1973, is articulated in your proposed
regulations:
“A business shall not use a consumer’s personal information for any purpose other than those
disclosed in the notice at collection. If the business intends to use a consumer’s personal
information for a purpose that was not previously disclosed to the consumer in the notice at
collection, the business shall directly notify the consumer of this new use and obtain explicit
1
consent from the consumer to use it for this new purpose.”
1
§999.305 (a)(3).
For example, many separate purposes that should be disclosed clearly will instead
be conflated into a vaguely worded catch-all purpose that has no meaning. A
business can undermine the consumer’s privacy rights by framing their purposes in
open-ended language at the time of collection, thereby side stepping the r equirement
you propose in § 999.305 (a)(3) for a consumer’s explicit consent before their personal
information is used for additional purposes.
European regulators have grappled with this question, and determined that a
3
purpose must be “sufficiently unambiguous and clearly expressed.” This ensures
that “individuals will know what to expect: the way data are processed will be
4
predictable” and prevents “unanticipated uses” of the information.
Sincerely,
2
It does not appear to refer to what the Act defines as “business purposes” in §1798.140 (d) or “commercial purposes” in
§1798.140 (f).
3
“Opinion 03/2013 on purpose limitation”, Article 29 Working Party, 2 April 2013, p. 12.
4
“Guidelines on consent under Regulation 2016/679”, Article 29 Working Party, 28 November 2017, p. 12.