California has a unique ballot initiative process that allows voters to directly pass legislation, and it appears that proponents of an initiative that could impact digital advertising and apply European Union (EU)-inspired consumer privacy protections – including opt-out consent to broad categories of data use and sharing – have obtained enough signatures to place the measure on the November ballot.

that about 625,000 signatures in support of the initiative were filed with the California Secretary of State. A total of 365,880 valid signatures are needed to qualify the initiative, 58.5 percent of those submitted, suggesting that the measure is all but certain to make the ballot this fall. Given the size of California’s population and economy, California privacy and other consumer protection legislation has in the past had national impact. In the wake of growing public concerns over the improper use of online user information and data breaches, such as those illustrated by the Cambridge Analytica scandal and Russian election meddling, the ballot initiative could well garner sufficient support for passage.

California May Change the US Privacy Landscape

Indeed, at first blush, an overview of the proposal might sound appealing to consumers. The California Attorney General’s Title and Summary for a California ballot initiative titled “The Consumer Right to Privacy Act of 2018” (the Initiative):

ESTABLISHES NEW CONSUMER PRIVACY RIGHTS: EXPANDS LIABILITY FOR CONSUMER DATA BREACHES. INITIATIVE STATUTE. Gives consumers right to learn categories of personal information that businesses collect, sell, or disclose about them, and to whom information is sold or disclosed. Gives consumers the right to prevent businesses from selling or disclosing their personal information. Prohibits businesses from discriminating against consumers who exercise these rights. Allows consumers to sue businesses for security breaches of consumer data, even if consumers cannot prove injury. Allows for enforcement by consumers, whistleblowers, or public agencies. Imposes civil penalties. Applies to online and brick-and-mortar businesses …

The Initiative would regulate “personal information,” broadly defined to include IP addresses, cookie or pixel tag IDs, device IDs, and other unique identifiers, as well as more traditional types of personal information, and “inferences drawn” from that data. Unlike a federal consumer privacy bill recently introduced and discussed below, the Initiative is an opt-out scheme rather than an opt-in scheme. In some ways, then, it has similarities to the current US interest-based advertising self-regulatory opt-out program. However, the Initiative would prohibit conditioning service on consent, something neither the EU’s General Data Protection Regulation (GDPR) nor the current US self-regulatory program does.