Purpose Limitation
Definition
The principle that personal data should only be collected for specified, explicit, and legitimate purposes, and should not be further processed in ways that are incompatible with those purposes. Businesses must disclose why they collect data and cannot use it for unrelated purposes without additional consent.
Legal Definition
Under the CPA (C.R.S. 6-1-1308(3)): controllers must specify "the express purposes for which personal data are collected and processed" and not process data for purposes that are not "reasonably necessary to and compatible with the disclosed purposes." Similar provisions exist in most state privacy laws.
State Laws Using This Term
Practical Example
A retailer collects email addresses for order confirmations. Later, the retailer wants to sell those email addresses to a marketing company. This secondary use is incompatible with the original purpose and requires new consent.
Related Terms
Frequently Asked Questions
Can I use data for a different purpose than originally disclosed?
Generally, no. If you want to use data for a purpose that is not reasonably compatible with the original disclosed purpose, you must provide notice and, depending on the state, obtain additional consent from the consumer.