Episode 30 — Limit Secondary Uses, Targeting, and Profiling Responsibly
In this episode, we step into a part of privacy engineering that often feels less technical but is deeply shaped by technical choices: what happens when data collected for one purpose gets used for another. That shift is called secondary use, and it becomes especially sensitive when the secondary use involves targeting people or building profiles about them. Beginners sometimes assume the biggest privacy risks come from hackers, but a lot of privacy harm comes from ordinary systems doing more than people expected, even if the system is working exactly as designed. When a company collects data to provide a service and then uses that same data to influence behavior, personalize persuasion, or infer traits, people often feel manipulated rather than helped. This is not only about legality; it is about trust, power, and predictability. Limiting secondary uses responsibly means designing boundaries so data does not quietly drift into profiling, and so targeting is constrained to what can be defended as fair, proportional, and aligned with what people reasonably understood.
Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.
A good place to start is defining secondary use in simple terms. Primary use is the reason data was collected in the first place, such as creating an account, delivering a purchase, or showing content a user requested. Secondary use is anything beyond that original reason, such as advertising, cross-selling, analytics beyond service improvement, training models for unrelated products, or sharing with partners for their own benefit. Secondary use is not always wrong, but it is always higher risk because it stretches the relationship between the person and the service. The person may not expect it, and they may not have a meaningful way to refuse it without losing access to the core service. From a privacy engineering perspective, the burden is on the organization to justify why the secondary use is appropriate and how it is limited. If you cannot explain it clearly, you are likely drifting into overreach.
Targeting is one of the most common secondary uses, and it deserves careful framing. Targeting means selecting what someone sees or receives based on information about them, like showing specific offers, messages, or content to certain groups. Some targeting can be benign, like showing a reminder relevant to a feature the person just used, but targeting becomes risky when it is based on sensitive characteristics, when it is hard to understand, or when it is designed to exploit vulnerabilities. Profiling is the broader activity of building a model of a person, often combining many signals over time to infer preferences, traits, or likely behaviors. Profiling is powerful because it can operate without the person explicitly telling you anything; it can be derived from patterns. The privacy risk grows when profiling is used to shape what options a person sees, what prices they are offered, or what opportunities they are given. Responsible limitation is about controlling both the inputs and the influence of these systems.
One core privacy principle that helps here is contextual integrity, which is a fancy phrase for a simple idea: data should behave according to the context in which it was shared. If someone provides an address for shipping, using that address to infer affluence for targeting changes the context. If someone contacts support about a problem, using the support transcript to predict churn and target retention messages changes the context. These shifts can feel like betrayal because the person’s action had a clear purpose, and the system repurposed it for influence. Responsible privacy engineering tries to preserve context by setting strict boundaries on cross-context reuse. This is one reason data segregation and minimization matter so much; they are not just technical hygiene, they are the mechanisms that keep context from collapsing. If your system makes cross-context joins effortless, secondary use will expand because it is easy.
Another foundational idea is purpose limitation, but applied dynamically. Purpose limitation is not only about writing down a purpose; it is about enforcing it when new opportunities arise. Secondary uses often appear after data is collected, when teams discover new patterns or new business opportunities. Without boundaries, the path of least resistance is to reuse existing data, because it is cheaper than collecting new data with new explanations and choices. A responsible approach requires a deliberate decision process for secondary uses, including a clear statement of benefit, a clear explanation of impact, and a clear plan for minimization and control. Technically, this often means creating data products that are purpose-bound rather than building one giant pool where any team can reuse anything. If the system is designed for reuse without friction, purpose limitation becomes a slogan instead of a control.
Profiling risk increases sharply when you combine many small signals into a single model, because small signals feel harmless but their combination can be deeply revealing. A person’s browsing patterns, purchase history, device behavior, and timing can imply health concerns, relationship status, financial distress, or other sensitive realities. Even if your system does not explicitly label these traits, targeting can effectively act on them by selecting messages that are tuned to inferred vulnerability. That is why responsible limitation includes deciding which signals should never be used for targeting and which inferences are out of bounds. It also includes limiting the sensitivity of segmentation, avoiding categories that track sensitive traits or create discriminatory outcomes. The ethical weakness often lies not in any one input but in the model’s overall power to predict and influence. Privacy engineering aims to reduce that power when it is not clearly justified.
A practical way to limit secondary use is to make targeting operate on coarse, low-risk categories rather than on detailed individual profiles. For example, rather than targeting based on a long-term behavioral dossier, a system might target based on a short-term context like the page someone is currently viewing, or based on a simple preference they explicitly chose. This reduces the feeling of being watched, because the system is responding to the moment rather than tracking the person over time. It also reduces the chance of sensitive inference, because short-term context carries fewer clues about deep personal life. Another method is to use on-device or local processing for personalization, so the raw signals do not leave the user’s environment and are not stored centrally. Even without discussing implementation specifics, the principle is clear: personalization that does not require central profiling is usually easier to defend. The more your targeting depends on centralized, long-lived profiles, the harder it is to argue that it is proportional.
Secondary use also becomes risky when it is hidden, because hidden use removes the person’s ability to make an informed choice. Transparency alone is not enough if choices are not meaningful, but lack of transparency is almost always a problem. Responsible limitation means you can explain what kinds of targeting occur, what data categories are used, and what the impact is. It also means the person has some control, such as opting out of certain kinds of targeting or limiting the use of certain data types. From a privacy engineering viewpoint, control should not be a maze of confusing settings; it should be aligned with real data flows so changes actually matter. If a person disables targeted advertising but the system continues to build profiles for internal use, the experience still feels deceptive. A defensible approach aligns the user-facing choices with the backend reality.
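To make the two preceding ideas concrete, here is an added illustration (not code from the episode or its companion books) of a targeting selector that only ever sees short-term context and explicit preferences, never the long-lived behavioural history, and of a user choice that is applied to the backend profile builder as well as to the ad selector. The data structures, the sensitive-category list and the field names are all hypothetical, chosen for the example.

```python
"""Coarse, context-based targeting with user choices enforced in the backend.

Added example: the targeting path reads only the current page category and
explicitly chosen preferences; the behavioural history exists in the record
but is deliberately never read for targeting. Turning off targeted ads also
stops profile updates, so the user-facing switch matches what the backend does.
All names and the category list below are constructed for this illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical list of categories that must never drive targeting.
SENSITIVE_CATEGORIES = {"health", "financial_distress", "religion", "sexuality"}


@dataclass
class UserChoices:
    targeted_ads: bool = True      # the toggle the user sees
    profile_building: bool = True  # backend flag; kept in step with the toggle


@dataclass
class Signals:
    current_page_category: str
    explicit_preferences: set[str] = field(default_factory=set)
    behavioural_history: list[str] = field(default_factory=list)  # long-lived dossier


def targeting_inputs(choices: UserChoices, signals: Signals) -> dict | None:
    """Return the only features the targeting system may use, or None if opted out."""
    if not choices.targeted_ads:
        return None
    # Respond to the moment, but not when the moment itself is sensitive.
    context = None if signals.current_page_category in SENSITIVE_CATEGORIES \
        else signals.current_page_category
    prefs = {p for p in signals.explicit_preferences if p not in SENSITIVE_CATEGORIES}
    # signals.behavioural_history is intentionally not consulted here.
    return {"context": context, "preferences": sorted(prefs)}


def apply_user_choice(choices: UserChoices, targeted_ads: bool) -> UserChoices:
    """Align the backend with the user-facing switch: no ads means no profiling."""
    choices.targeted_ads = targeted_ads
    choices.profile_building = targeted_ads
    return choices


def may_update_profile(choices: UserChoices) -> bool:
    """Gate the profile builder on the same choice the user actually made."""
    return choices.targeted_ads and choices.profile_building


if __name__ == "__main__":
    user = UserChoices()
    now = Signals("sports", {"cycling", "health"}, ["visited_clinic", "loan_search"])
    print(targeting_inputs(user, now))        # only coarse, non-sensitive inputs
    apply_user_choice(user, False)
    print(targeting_inputs(user, now))        # None: opted out
    print(may_update_profile(user))           # False: profiling stops too
```

The point of the example is structural: the targeting function cannot leak the dossier into a decision because it never touches that field, and a single setter keeps the backend flag and the visible toggle from drifting apart.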
Another major dimension is secondary use for model training, which has become common as organizations want to use historical data to train predictive systems. Training can be a secondary use because the data was collected to provide a service, not necessarily to build models for other purposes. Responsible limitation here includes defining what training is for, what data is included, and what controls prevent models from carrying forward sensitive information. It also includes thinking about whether training should happen on aggregated data, pseudonymized data, or data with stronger protections like differential privacy, depending on the risk. A key beginner lesson is that once a model is trained, it can become a durable artifact that influences people for a long time, even after the original data is deleted. That means retention and deletion policies must consider models and derived features, not just raw records. If you ignore model artifacts, secondary use can outlive the lifecycle controls you thought you had.
There is also a fairness and discrimination angle that privacy engineers must take seriously when limiting targeting and profiling. Even if you never use explicit sensitive attributes, profiling can act as a proxy through correlated signals like location, device type, or browsing behavior. That can produce uneven outcomes, such as offering different opportunities to different groups or making some people more vulnerable to manipulation. Responsible limitation includes reviewing whether targeting practices create harmful disparities and whether certain segments are being treated unfairly. It also includes avoiding targeting that exploits urgency, fear, shame, or social pressure, especially when the system can infer vulnerability. This is where privacy and ethics overlap, because the harm is not only about exposure of data but about the use of data to steer behavior. A defensible privacy posture recognizes that influence itself can be a privacy harm when it is built on hidden profiling.
A common misconception is that secondary use is acceptable as long as the data stays inside the organization. Internal use can still be harmful if it leads to unfair decisions, manipulative messaging, or chilling effects where people change behavior because they feel monitored. Another misconception is that targeting is just personalization, as if any customization is automatically helpful. Some personalization is genuinely helpful, but targeting can also be a form of control, especially when it is designed to maximize engagement or sales regardless of user wellbeing. A third misconception is that if you obtained consent once, you can expand uses indefinitely. Consent, when it exists, is often narrow and poorly understood, and expanding uses without renewed clarity is a recipe for backlash. Responsible limitation means you do not treat initial collection as a blank check for all future ideas.
From an engineering perspective, limiting secondary uses requires structural constraints, not just policy statements. Data should be tagged or classified by purpose and sensitivity so systems can enforce restrictions on reuse. Workloads should be segregated so marketing systems do not automatically ingest support data, and analytics systems do not automatically ingest content data. Access should be limited so only approved teams can run certain analyses, and high-risk profiling should require review and auditing. Outputs should be constrained so targeting systems receive only what they need to select messages, not full behavioral histories. Retention should be tighter for data used in profiling, because long retention enables deep influence. When these controls exist, secondary uses become deliberate projects rather than quiet drift, and that is the heart of responsibility.
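The purpose-bound data products described in the purpose-limitation paragraph and the structural constraints listed just above can be expressed as one small gate. The following is an added example, not code from the episode: datasets carry purpose and sensitivity tags, workloads declare a purpose and the fields they need, and a single function decides whether the reuse is allowed, what leaves, and whether a review was required. The catalogue, tag values and workload names are constructed for the illustration.

```python
"""Purpose-bound data access enforced at the point of reuse.

Added example with hypothetical tags and a constructed catalogue. Each check
maps to one of the structural constraints: purpose tags stop cross-context
reuse, profiling on non-low sensitivity data needs a recorded review, and the
output is projected to the declared fields rather than the full record.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Dataset:
    name: str
    purposes: frozenset       # purposes the data was collected for
    sensitivity: str          # "low", "medium" or "high" (constructed scale)
    fields: frozenset
    retention_days: int


@dataclass(frozen=True)
class Workload:
    name: str
    purpose: str
    needs: frozenset          # fields it actually needs to do its job
    approved_by_review: bool = False


class ReuseDenied(Exception):
    """Raised when a workload asks for data outside its approved purpose."""


def release(dataset: Dataset, workload: Workload) -> list[str]:
    """Return the fields the workload may read, or raise ReuseDenied."""
    # Purpose limitation: the consumer's purpose must be one the data was collected for.
    if workload.purpose not in dataset.purposes:
        raise ReuseDenied(f"{workload.name}: '{workload.purpose}' is not a purpose of {dataset.name}")
    # High-risk profiling on anything but low-sensitivity data requires a review.
    if workload.purpose == "profiling" and dataset.sensitivity != "low" \
            and not workload.approved_by_review:
        raise ReuseDenied(f"{workload.name}: profiling on {dataset.name} needs review")
    # Output constraint: only declared fields, and only fields that exist.
    unknown = workload.needs - dataset.fields
    if unknown:
        raise ReuseDenied(f"{workload.name}: {sorted(unknown)} not in {dataset.name}")
    return sorted(workload.needs)


def effective_retention(dataset: Dataset, profiling_cap_days: int = 30) -> int:
    """Data that feeds profiling gets a tighter retention cap (constructed value)."""
    if "profiling" in dataset.purposes:
        return min(dataset.retention_days, profiling_cap_days)
    return dataset.retention_days


def evaluate(catalogue: dict[str, Dataset], requests: list[tuple[str, Workload]]) -> dict:
    """Decide every (dataset, workload) pair; denials are recorded, not silently dropped."""
    decisions = {}
    for dataset_name, workload in requests:
        try:
            decisions[workload.name] = ("allowed", release(catalogue[dataset_name], workload))
        except ReuseDenied as err:
            decisions[workload.name] = ("denied", str(err))
    return decisions


# Constructed catalogue for the example.
CATALOGUE = {
    "orders": Dataset("orders", frozenset({"fulfilment", "marketing"}), "medium",
                      frozenset({"order_id", "sku", "ship_address", "email"}), 365),
    "support_transcripts": Dataset("support_transcripts", frozenset({"support"}), "high",
                                   frozenset({"ticket_id", "transcript"}), 90),
    "clickstream": Dataset("clickstream", frozenset({"service_improvement", "profiling"}),
                           "medium", frozenset({"user_id", "page", "ts"}), 180),
}

if __name__ == "__main__":
    reqs = [
        ("orders", Workload("promo_mailer", "marketing", frozenset({"email", "sku"}))),
        ("support_transcripts", Workload("churn_model", "profiling", frozenset({"transcript"}))),
        ("clickstream", Workload("segmenter", "profiling", frozenset({"user_id", "page"}))),
    ]
    for name, outcome in evaluate(CATALOGUE, reqs).items():
        print(name, outcome)
    print("clickstream retention:", effective_retention(CATALOGUE["clickstream"]))
```

Because the gate raises rather than returning an empty result, a denied reuse becomes a visible event that can be logged and audited, which is what turns secondary use from quiet drift into a deliberate decision.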
Limiting secondary uses, targeting, and profiling responsibly is about keeping the relationship between a person and a service honest and predictable. You start by defining the primary purpose clearly and treating any new use as a high-risk change that demands justification and minimization. You avoid building universal profiles by default, and you choose coarse, context-based personalization when possible instead of long-lived behavioral dossiers. You align transparency and user control with real data flows, and you treat model training and derived artifacts as part of the lifecycle. You also take fairness seriously, because profiling can harm people even when data never leaks. When these boundaries are designed into systems, you can still learn, improve, and communicate with users, but you do it in a way that respects human expectations and stands up when someone asks not just what you collected, but why you used it the way you did.