While a lot of ink has been spilled on the California Consumer Privacy Act (“CCPA”) over the last 18 months, one of the things which has become quite apparent to those of us who view privacy through a lens which considers both EU and US perspectives is that the CCPA is actually not an EU-style law. Except for the right to delete data, all the consumer rights in the CCPA actually existed (albeit in a much less aggressive form) for many categories of information under prior California law. When one considers the number of carve-outs to the deletion right, the CCPA actually looks a lot like what is the more traditional approach to privacy that is prevalent under US jurisprudence.
However, there are concepts which exist in EU law which have not been present in US law. Specifically, the dual concepts of collection limitation and purpose limitation. The EU General Data Protection Regulation calls out the idea that a business cannot collect personal data unless it is “adequate, relevant, and necessary” for the purposes of processing that were disclosed at the time of collection. See GDPR, Article 5(c). Similarly, the data can’t be processed for a purpose that is “inconsistent” with a “specified, explicit, and legitimate purpose”. See GDPR Article 5(b). These two limitations on processing do not generally exist in US law. In fact, the absence of these two concepts is, in no small part, part of the reason the US has such an explosion of innovation in the data and technology economy.
However, as of March 6th, Washington State Senate Bill 6281 has passed both houses of the legislature. There have been several amendments to the bill from when it was originally proposed. What is important to note about these amendments are what was NOT taken out. Since its introduction, SB 6281 has included the dual limitations of data minimization and purpose specification as affirmative obligations on the business. Fortunately, this bill died in conference committee as the Senate and House couldn’t agree as to whether or not there should be a private right of action.
It doesn’t stop with Washington State. Illinois has also introduced a bill which contains these dual concepts of purpose specification and data minimization.
The CCPA does not have these kinds of affirmative processing limitations. Under California law, the only limitation on the processing of data is whether or not you have specified the category of data collected and the purposes for such processing. There isn’t a limitation around only collecting what is “necessary” for such a purpose. Nor does the CCPA include an affirmative obligation to avoid a “secondary use” of data.
In contrast to the CCPA, the Washington Bill (and others like it) includes a specific processing limitation on controllers. Section 8 of SB 6281 imposes these restrictions on businesses regardless of the consumer’s opinion or consent. Specifically, SB 6281 §8 states:
- A controller’s collection of personal data must be limited to what is reasonably necessary in relation to the specified and express purposes for which such data are processed, as disclosed to the consumer. SB 6281 §8(c)(2).
- A controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified and express purposes for which such data are processed, as disclosed to the consumer. SB 6281 §8(c)(3).
With regard to secondary use, there is an option to allow the consumer to consent to such use, but such consent must be obtained prior to the secondary use. The way that SB 6281 words the act of consent is proactive. This means that it is reasonable to interpret the bill to require affirmative consent for any secondary use. Traditionally, under US law, inferred consent was permissible. This is the basis for most consent events under US law (with some notable exceptions – the most prevalent being the FCRA). However, under SB 6281 (emphasis added):
“Except as provided in this chapter, a controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the specified and express purposes for which such personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent. SB 6281 §8(c)(4).”
These are potentially groundbreaking changes to the way US law views commercial use of personal data. For those of us who are familiar with the GDPR, we have seen these concepts before. The fundamental jurisprudence of Civil Law aligns with this approach (i.e. you can only do what the Code permits you to do). However, this is opposite of the way Common Law approaches the purpose of law (i.e. you can do whatever you want unless the law prohibits it).
To this end, it will be important for businesses that have any desire to take advantage of the data that they possess to stay engaged in the developments in Washington State (and other states who are looking at this issue of privacy). These developments might just upend the fundamental way the US views data and the ability to use data in a commercial context. The EU may be coming, but it isn’t via Sacramento.