Skip to main content
Back to Blog

Purpose Limitation Under GDPR: How to Enforce It and Prevent Purpose Creep

Your data engineering team built a customer analytics pipeline to measure product feature adoption. The marketing team discovered the pipeline. They started using the behavioral segmentation outputs to power retargeting campaigns. The product team started using individual-level session data to build churn prediction models. The sales team started using the engagement scores to prioritize outreach. None of these uses were disclosed to customers when the data was collected. None were covered by the privacy notice describing the analytics pipeline's purpose. All four teams were acting on a reasonable assumption: the data exists, it is useful, and nobody said they could not use it.

Secure Privacy Logo

Secure Privacy Team

Privacy Experts

·16 min read
Share: