California Privacy Ballot Could Spur Litigation Against Companies


By Sara Merken

A California privacy ballot measure, the first of its kind in the country, would add new compliance burdens for companies and could launch a wave of litigation, privacy attorneys say.

The California Consumer Privacy Act, which supporters say has more than enough signatures to appear on the state’s November ballot, would give consumers the right to ask companies for the categories of information about them that are collected, sold, or disclosed to third parties, and which outside parties receive the data. Consumers also could ask a company not to sell or disclose their personal information, and companies couldn’t discriminate against individuals who made such requests.

It would create a new enforcement right for consumers. Under the proposal, consumers could sue companies without having to show they actually incurred harm from alleged violations. The measure would also allow for statutory damages for a breach.

Recent high-profile data breaches have left consumers seeking greater control over their personal information, and countries spanning the globe, including Israel and New Zealand, have been enacting or updating privacy laws. The California proposal would start to take effect roughly six months after the European Union’s General Data Protection Regulation kicked in on May 25, providing a broad new set of data privacy rights to citizens of nations in the 28-member bloc.

The California measure would, if enacted, be “the most comprehensive and prescriptive consumer privacy measure of its kind in the U.S. There’s currently nothing quite like it under state or federal law,” W. Reece Hirsch, a San Francisco-based partner who co-heads Morgan, Lewis & Bockius LLP’s privacy and cybersecurity practice, told Bloomberg Law.

The California ballot initiative reflects “a general concern with the way companies are handling personal information,” Hirsch said. Although it would impose different obligations on companies than the European privacy regime, the initiative is “GDPR-like in many aspects, in that it grants consumers broader privacy rights,” he said.

Supporters of the ballot measure said May 3 they submitted 629,000 signatures to qualify the initiative for the November ballot, more than needed. The secretary of state needs to give final sign-off for it to move forward.

If passed, the measure would take effect the day after the Nov. 6 elections. But it would only “apply to personal information collected or sold by a business on or after nine months” from that date, Aug. 7, 2019.

Personal Information Defined

“Companies should start getting their ducks in a row sooner rather than later,” Purvi G. Patel, a partner in Morrison & Foerster’s Los Angeles office, who defends e-commerce and other businesses in privacy and consumer fraud matters, told Bloomberg Law.

“This really could get traction in November,” given the current climate surrounding consumer privacy and consumers’ desire to have more control over their personal information, Patel said.

Companies operating in California should start reviewing what compliance would be required if the initiative passes, Hirsch said.

One consideration is the proposed definition of “personal information,” which is broader than under existing state privacy laws. The ballot measure would include an individual’s name and address, along with “commercial information,” such as their record of purchases and other consumption histories. The privacy definition would also take in biometric data, geolocation information and internet activity trends—including browsing history or interaction with websites. Inferences drawn about consumers from any of that data would fall under the definition of personal information.

With that in mind, companies should consider if they’re currently positioned to gather information necessary for privacy-related requests from clients and customers, Hirsch said.

The measure expands upon existing California privacy laws such as the Shine the Light Law, the California Online Privacy Protection Act (CalOPPA), and the California Data Breach Notification Law.

Companies would be newly required to provide a “clear and conspicuous” link on their websites, titled “Do Not Sell My Personal Information,” that allows a consumer to opt out of the sale of their information, and to include a description of consumers’ rights in their online privacy policies. They would also need to make available methods for consumers to submit requests for information, and be able to disclose and deliver the information to a consumer within 45 days of receiving a verifiable request from a consumer.

The plan would apply to entities doing business in California that collect or sell consumers’ personal information and have an annual gross revenue greater than $50 million. It would also apply to businesses that annually sell data from more than 100,000 consumers or devices, or that derive 50 percent or more of their annual revenue from selling consumers’ information.

New Enforcement Rights

The proposal says a consumer could pursue legal action against a company for violations without having to actually show harm. Under current California law, individuals have to show they were harmed by a data breach.

Also, a data breach would be a violation of the law if the company has not implemented and maintained reasonable security procedures, and a company could be subject to civil penalties for a breach.

Proposed penalties range from $1,000 to $3,000 per consumer for each violation. The state attorney general and local prosecutors would be able to enforce the measure.

Courts have struggled for years in the data breach context to determine if someone has suffered harm, David Stauss, head of the privacy and cybersecurity practices in Ballard Spahr LLP’s Denver and Boulder, Colo., offices, told Bloomberg Law. The ballot initiative would grant consumers standing to sue as a matter of law.

Many companies should already be compliant with the existing California laws, but the statutory damages and statutory standing are the “tail wagging the dog,” and seemingly the “true push” of the ballot measure, Stauss said. Companies can start doing gap analyses to understand what would be required of them under the new obligations, he said.

Given the new liability risks, companies should revisit their plans for responding to data breaches, and make sure they are consistent with best practices, Hirsch said.

The privacy ballot measure, if enacted, would “almost certainly lead to a spike in data breach litigation in California,” Hirsch said.
