An aggressive consumer privacy proposal has gained enough signatures to be placed on the California ballot for a referendum in November. If enacted, it would effectively create a new set of standards for consumer privacy throughout the U.S., because most companies would likely adopt the California standards nationwide rather than treating California residents differently from other Americans.
The Consumer Right to Privacy Act of 2018 (specifically v.2, No. 17-0039, which I'll call the "Proposal") was filed October 12, 2017, and has gained almost twice the number of signatures necessary to be included in the November ballot (which is usually an indication that professional petition firms have been engaged). The qualification deadline is June 28, and it appears that nothing stands in the way of this Proposal making its way onto the ballot. The named sponsor of the Proposal is the lobbying/law firm of Remcho, Johnasen & Purcell, LLP out of Oakland California. However, it is said that Alastair A. Mactaggart, a wealthy San Francisco-based real estate investor and executive, is funding this project. He seems to be a first-time political activist who has not been so heavily involved in ballot initiatives in the past.
In a Nutshell
The over-simplified-but-concise explanation is that the Proposal:
- Would give a consumer the right to demand an accounting of all disclosures made by a business of information about the consumer.
- Would make it illegal to “sell” or "disclose" for a business purpose information about a consumer once a consumer opts out.
- Would prohibit a business from conditioning any offering or service on a consumer's opt-out decision.
- Would require very specific disclosures on all business websites.
- Would be enforced primarily by class action litigation rather than a state entity.
- Would not require that any consumer actually suffer any harm (strict liability).
- Would result in penalties of $1,000 per person per occurrence, and up to $3,000 if the government concludes the violation was knowing.
- Would deem a data security breach to be a violation of law by the breached company if the company's security procedures were not reasonable (judged, of course, with the benefit of hindsight).
In More Detail
The Proposal confers on a consumer the right to know what categories of personal information are being collected by a business.
The Proposal gives a consumer the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer's personal information (the so-called “Opt-Out”). A business must give consumers a notice of this Opt-Out right and must honor Opt Outs after receiving them (presumably immediately). A consumer can authorize another person to Opt Out on his or her behalf, but the Proposal does not specify what form that authorization should take (e.g., a power of attorney).
A business cannot “discriminate against” a consumer because the consumer requested information or opted out, including by: (a) denying goods or services to the consumer; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; ( c) providing a different level or quality of goods or services to the consumer; or ( d) suggesting that the consumer will receive a different price or rate for goods or services, or a different level or quality of goods or services, if the consumer exercises the consumer's rights. (It is worth noting that this provision goes further than even the GDPR)
A business must designate at least two methods for consumers to submit requests for information, including a toll-free telephone number, and if the business maintains a website, a website address.
Requests for information must be honored within 45 days, with no delay allowed for verifying the request. The look-back period is 12 months, and the consumer controls how the report is delivered. Only one demand may be made each 12 months.
Opt-out requests must be honored for at least 12 months, and then it appears that the Proposal would require an affirmative consent from the consumer in order for a business to begin sharing information again. [This provision is somewhat unclear.]
There is a training provision in the Proposal that requires “all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with [the Proposal]” to be aware of how to handle those inquiries.
A business that suffers a security breach involving consumers' personal information may be held liable if the business has failed to implement and maintain "reasonable security procedures and practices."
The Proposal includes a private right of action, and the consumer need not show that he or she suffered a loss of money or property as a result of the violation in order to bring an action. Statutory damages are set at one thousand dollars ($1,000) or actual damages, whichever is greater, for each violation, but a knowing and willful violation can result in damages of three thousand dollars ($3,000), or actual damages, whichever is greater, for each violation. An intentional violation can result in a civil penalty. Civil penalties of up to $7,500 for each violation are authorized for intentional violations. A civil enforcement action can be brought by the California Attorney General, by any district attorney, any city attorney of a city having a population in excess of 750,000, by any city attorney, or any full-time city prosecutor, in any court of competent jurisdiction.
The devil is in the details, and at least some of the Proposal's terms are defined in ways that could be easily misunderstood:
The categories of personal information covered by the Proposal are:
(1) Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
(2) All categories of personal information enumerated in Civil Code 1798.80 et. seq, with specific reference to the category of information that has been collected (any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.)
(3) All categories of personal information relating to characteristics of protected classifications under California or federal law, with specific reference to the category of information that has been collected, such as race, ethnicity, or gender;
(4) Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
(5) Biometric data;
(6) Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement;
(7) Geolocation data;
(8) Audio, electronic, visual, thermal, olfactory, or similar information;
(9) Psychometric information;
(10) Professional or employment-related information;
(11) Inferences drawn from. any of the information identified above; and
(12) Any information pertaining to minor children of a consumer.
"Personal information" does not include information that is publicly available or that is de-identified.
The terms "sell," "selling," "sale," or "sold," includes sharing orally, in writing, or by electronic or other means, a consumer's personal information with a third party, whether for valuable consideration or for no consideration, for the third party's commercial purposes.
"Third party" means any person who is not (i) the “business” that collects personal information from consumers or (ii) to whom the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract tightly restricts further resale, use or retention beyond the scope of the business purpose and includes a “certification” that the recipient understands the restrictions.
The term "business" means any organization that is for-profit, has annual revenue of at least $50MM, or 100,000 or more consumers annually, or derives at least half of its revenue from selling consumer information. A business includes entities controlled by another (including by 50% or more voting equity), or businesses that share a common brand or trademark.
Opponents are already pointing out some downsides to the Proposal: For example, there’s no safety exception. Some businesses might not be able to send recall notices to consumers who have opted out. A car dealer might not be able to share consumer information with a car manufacturer for purposes of compiling recall notice lists.
There is also a fear that without a requirement to demonstrate any actual harm, frivolous litigation will run amok and drive up insurance costs and other costs of doing business.
There is also the argument that California should not be attempting to regulate the “world wide web.” Some fear that businesses will begin to exclude California customers or will cease services in order to avoid the burdens of the Proposal.
You can read the proposal in its entirety here and judge for yourself.
I intend to follow this Proposal closely, and will likely post more about developments here and on LinkedIn and Twitter.