Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Sara Merken
A California privacy ballot measure, the first of its kind in the country, would add new compliance burdens for companies and could launch a wave of litigation, privacy attorneys say.
The California Consumer Privacy Act, which supporters say has more than enough signatures to appear on the state’s November ballot, would give consumers the right to ask companies for the categories of information about them that are collected, sold, or disclosed to third parties, and which outsider parties receive the data. Consumers also could ask a company not to sell or disclose their personal information, and companies couldn’t discriminate against individuals who made such requests.
It would create a new enforcement right for consumers. Under the proposal, consumers could sue companies without having to show they actually incurred harm from alleged violations. The measure would also allow for statutory damages for a breach.
Recent high-profile data breaches have left consumers seeking greater control over their personal information, and countries spanning the globe, including Israel and New Zealand, have been enacting or updating privacy laws. The California proposal would start to take effect roughly six months after the European Union’s General Data Protection Regulation kicked in on May 25, providing a broad new set of data privacy rights to citizens of nations in the 28-member bloc.
The California measure would, if enacted, be “the most comprehensive and prescriptive consumer privacy measure of its kind in the U.S. There’s currently nothing quite like it under state or federal law,” W. Reece Hirsch, a San Francisco-based partner who co-heads Morgan, Lewis & Brockius LLP’s privacy and cybersecurity practice, told Bloomberg Law.
The California ballot initiative reflects “a general concern with the way companies are handling personal information,” Hirsch said. Although it would impose different obligations on companies than the European privacy regime, the initiative is “GDPR-like in many aspects, in that it grants consumers broader privacy rights,” he said.
Supporters of the ballot measure said May 3 they submitted 629,000 signatures to qualify the initiative for the November ballot, more than needed. The secretary of state needs to give final sign-off for it to move forward.
If passed, the measure would take effect the day after the Nov. 6 elections. But it would only “apply to personal information collected or sold by a business on or after nine months” from that date, Aug. 7, 2019.
“Companies should start getting their ducks in a row sooner rather than later,” Purvi G. Patel, a partner in Morrison & Foerster’s Los Angeles office, who defends e-commerce and other businesses in privacy and consumer fraud matters, told Bloomberg Law.
“This really could get traction in November,” given the current climate surrounding consumer privacy and consumers’ desire to have more control over their personal information, Patel said.
Companies operating in California should start reviewing what compliance would be required if the initiative passes, Hirsch said.
One consideration is the proposed definition of “personal information,” which is broader than under existing state privacy laws. The ballot measure would include an individual’s name and address, along with “commercial information,” such as their record of purchases and other consumption histories. The privacy definition would also take in biometric data, geolocation information and internet activity trends—including browsing history or interaction with websites. Inferences drawn about consumers from any of that data would fall under the definition of personal information.
With that in mind, companies should consider if they’re currently positioned to gather information necessary for privacy-related requests from clients and customers, Hirsch said.
The measure expands upon existing California privacy laws such as the Shine the Light Law, the California Online Privacy Protection Act (CalOPPA), and the California Data Breach Notification Law.
Companies would be newly required to provide a “clear and conspicuous” link on their websites, titled “Do Not Sell My Personal Information,” that allows a consumer to opt-out of the sale of their information and include a description of consumers’ rights in their online privacy policies. They would also need to make available methods for consumers to submit requests for information, and be able to disclose and deliver the information to a consumer within 45 days of receiving a verifiable request from a consumer.
The plan would apply to entities doing business in California that collect or sell consumers’ personal information and have an annual gross revenue greater than $50 million. It would also apply to businesses that annually sell data from more than 100,000 consumers or devices, or who derive more 50 percent or more of their annual revenue is 50 percent from selling consumers’ information.
The proposal says a consumer could pursue legal action against a company for violations without having to actually show harm. Under current California law, individuals have to show they were harmed by a data breach.
Also, a data breach would be a violation of the law if the company has not implemented and maintained reasonable security procedures, and a company could be subject to civil penalties for a breach.
Proposed penalties range from between $1,000 and $3,000 per consumer per consumer for each violation. The state attorney general and local prosecutors would be able to enforce the measure.
Courts have struggled for years in the data breach context to determine if someone has suffered harm, David Stauss, head of the privacy and cybersecurity practices in Ballard Spahr LLP’s Denver and Boulder, Colo., offices, told Bloomberg Law. The ballot initiative would grant consumer standing to sue as a matter of law.
Many companies should already be compliant with the existing California laws, but the statutory damages and statutory standing is the “tail wagging the dog,” and seemingly the “true push” of the ballot measure, Stauss said. Companies can start doing gap analyses to understand what would be required of them under the new obligations, he said.
Given the new liability risks, companies should revisit their plans for responding to data breaches, and make sure they are consistent with best practices, Hirsch said.
The privacy ballot measure, if enacted, would “almost certainly lead to a spike in data breach litigation in California,” Hirsch said.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)