A potentially revolutionary ballot initiative that could adversely affect businesses collecting personal information about consumers, and potentially increase their exposure to civil privacy and data breach litigation, was recently filed with the California AG’s office. The California Personal Privacy Initiative (the Privacy Initiative) seeks to amend the state’s constitution to substantially broaden the scope of personally identifiable information (PII), deem all information provided by a consumer to any private entity or the government confidential by default, and establish a presumption of harm whenever PII has been disclosed without authorization. As discussed below, each of these proposed amendments represents a significant change in U.S. privacy laws and, if passed, will likely force businesses doing business in California to materially change their data sharing policies and convert to an opt-in approach to data sharing.
Each of these proposed changes is summarized below.
1. Expanded Definition of PII: Under the Privacy Initiative, personal information would be broadly defined to encompass any information “which can be used to distinguish or trace a natural person's identity… whether taken alone, or when combined with other personal or identifying information which is linked or linkable to a specific natural person.” The initiative would also establish a presumption of confidentiality for all PII that an individual supplies to any entity for a commercial or governmental purpose. A very limited exemption is provided for disclosure if there is a “countervailing compelling interest (such as public safety or protected non-commercial free speech) and there is no reasonable alternative for accomplishing such compelling interest” other than disclosure.
This expanded definition of PII would create substantial uncertainty for businesses because PII could be deemed to include otherwise untraceable data that could be linked to an individual only when combined with data that is outside the control of the business. Examples of this might include a user’s Internet Protocol address, username and the device that he or she uses. Moreover, because the proposed amendment is to be “broadly construed,” it might even restrict the collection of this type of data and prevent the disclosure of information that is commonly shared in outsourcing and routine service provider functions.
2. Authorization: The Privacy Initiative renders all data provided by an individual to an entity confidential by default. In other words, any entities wishing to process PII would have to first secure the express authorization of the consumer. Although “authorization” is not defined in the initiative, it presumably creates an opt-in requirement. Currently, with limited exceptions, the U.S. operates on an opt-out basis, meaning that information may be used by a business unless a consumer expressly opts out.
3. Presumption of Harm: Perhaps the most controversial aspect of the Privacy Initiative is the presumption that a person has been harmed if his or her information has been disclosed without authorization. This aspect of the initiative will likely trigger a groundswell of civil privacy litigation for garden variety disclosures of information. To date, plaintiffs have had a tough time surviving motions to dismiss in privacy breach cases because harm is difficult for victims to prove. Under the Privacy Initiative, plaintiffs would no longer have to prove that they suffered harm: instead, the defendant would have to prove that plaintiff suffered no harm.