InteractiveAdvertisingBureau / Global-Privacy-Platform

IAB Tech Lab Global Privacy Platform specification

Difficult to interpret field in usnat string #42

Open patmmccann opened 1 year ago

patmmccann commented 1 year ago

Under the referenced California legislation:

(C) A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

However, the PersonalDataConsents field of the usnat string seems to imply a user can consent to purposes they were not notified of, or that are incompatible with the collection. https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform/blob/259d5d4d05c23b2a5d49abf936a2f732be128e1a/Sections/US-National/IAB%20Privacy%E2%80%99s%20National%20Privacy%20Technical%20Specification.md?plain=1#L274

This seems to be a logical impossibility; how can a user consent to something they were not notified of? Either the section does not apply or the user did not consent. As soon as notice occurs, the consent is no longer covered under this section, or the use of the data remains illegal as it is not compatible with the purpose it was collected for. Under this section of law, there does not seem to be the possibility of opting into incompatible purposes.

Under what scenario might someone populate '01' in this field of the usnat string? It doesn't appear to ever be legal by my reading. The law says data shall not be used in this manner, regardless of consent.