The California Office of the Attorney General received on July 19 a ballot initiative request, the “California Personal Privacy Initiative.” Under California Law, every California elector has the right to submit a ballot initiative. The two proponents of the initiative are Steve Peace, a former California State Senator, and Michael Thorsnes, an attorney.
The initiative proposes to add an article XXXVI, Right to Privacy in Personally Identifying Information, to the California Constitution:
SECTION 1. Whenever a natural person supplies personally identifying information to a legal person that is engaged in collecting such information for a commercial or governmental purpose, the personally identifying information shall be presumed to be confidential.
SEC. 2. Harm to a natural person shall be presumed whenever his or her confidential personally identifying information has been disclosed without his or her authorization.
SEC. 3. Confidential personally identifying information may be disclosed without authorization if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and no reasonable alternative for accomplishing such compelling interest.
Section 1: PII Collection
Under the language of this section, personally identifying information (PII) provided by a data subject to either a private entity or to the government would be presumed to be confidential. In other words, PII would be confidential by default and entities wanting to process PII would have to first secure the consent of the data subject. The initiative, if enacted, would make opt in the only legal option for choice and consent in California.
The initiative defines PII broadly as “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, whether taken alone, or when combined with other personal or identifying information which is linked or linkable to a specific natural person.” Under that definition, even information rendered anonymous but which could be re-identified would be protected.
Section 2: Harm
Harm would be presumed if the PII has been disclosed without the data subject’s authorization, and that would be very protective of consumers’ interests, as proving harm is notoriously difficult for victims of data breaches or improper data collection. However, in Krottner v. Starbucks, the 9th Circuit found in 2010 that plaintiff faced a credible threat of harm and thus met the injury-in-fact requirement for standing under Article III because of the theft of a laptop containing unencrypted personal data.
But in a recent California case, Yunker v. Pandora Media, the plaintiff had argued that Pandora’s alleged conduct had diminished the value of his PII, decreased the memory space on his mobile device, that disclosure of his PII had put him at risk of future harm, and that Pandora had invaded his constitutional right to privacy when allegedly disseminating his PII to third parties.
The Northern District Court of California found that the facts were not sufficient to prove decreasing memory space and diminished value of PII, and that the mere possibility of future harm was insufficient to establish standing. However, the court found that plaintiff had standing with respect to Pandora’s alleged violations of the constitutional right to privacy.
Under the initiative, plaintiff would no longer have to prove he suffered harm: the defendant would have to prove plaintiff suffered no harm.
Section 3: Countervailing Compelling Interest
The right to the privacy in one’s PII would not be absolute and would have to bend to countervailing interests. For instance, law enforcement would nevertheless have access to PII in order to protect public safety. Would the threat to public safety have to be immediate, or would a general mission of protecting safety be enough to override privacy interests? In the wake of the PRISM scandal, this question is particularly salient.
Another countervailing interest cited by the initiative is non-commercial free speech. One remembers that the Supreme Court held in 2010 in IMS Health, Inc. v. Sorrell that a Vermont prescription privacy law barring disclosure of prescription data for marketing purposes was unconstitutional as it violated the free speech rights of data brokers. Under a new article XXXVI, commercial free speech would not be considered a compelling interest, and thus data brokers would not be able to invoke a free speech defense.
What’s next? Under California law, Election Code § 9001, the Attorney General must now prepare a circulating title and a summary of the initiative within 15 days of the receipt. An initiative petition must then be presented to the Secretary of State and be certified by local election officials to have been signed by a specified number of qualified registered voters.
But the broad scope of the initiative may be its nemesis, as it may trigger intense lobbying against it. Even if enacted, companies may chose to block access to many of their services or products unless the data subject provides a general and broad opt in consent, to the detriment of a more granular consent.