On November 6, 2018, voters in San Francisco will decide whether to enact the city’s “Privacy First Policy” that aims to protect the personal information of residents and visitors from abuse by companies doing business in San Francisco. The policy establishes a set of privacy principles to guide the city’s government when considering the adoption of privacy policies, laws, and regulations, and when determining whether to issue permits, licenses, or other entitlements to its contractors and third parties. If the policy is passed, businesses in San Francisco would be required to disclose their data collection policies and obtain input from communities impacted when drafting those policies.
According to the city supervisor, the policy is motivated primarily by the city’s sense of “responsibility to set ground rules that protect the best interest of the general public” as “the information technology sector shap[es] much of our city’s identity.” The policy rides the coattails of the California Consumer Privacy Act passed in June 2018, which empowers consumers with various rights such as the right to know what information is being collected about them and whether it is being sold and the right to opt out of the sale of their personal information.
On July 24, 2018, San Francisco city supervisors unanimously approved placing the policy initiative on the November ballot. The initiative cites 11 principles for the city to abide by in adopting privacy laws and regulations:
- Engage with and inform those likely to be affected by the collection, storage, sharing, or use of their Personal Information prior to authorizing and prior to any change regarding the collection, storage, sharing, or use of their Personal Information.
- Ensure that Personal Information collected, stored, shared, or used is done so pursuant to a lawful and authorized purpose.
- Allow individuals to access Personal Information about themselves that has been collected, and provide access and tools to correct any inaccurate Personal Information.
- Solicit informed consent to the collection, storage, sharing, or use of Personal Information, and provide alternative and equal access to goods and services for those who deny or revoke consent.
- Discourage the collection, storage, sharing, or use of Personal Information, including potentially sensitive demographic information, unless necessary to accomplish a lawful, authorized purpose.
- De-identify data sets collected for research and other analytical purposes by removing the ability to connect personal characteristics with specific individuals and implementing technical safeguards to prevent re-identification of information.
- Adopt and make public or cause to be made public policies and practices to respond to requests or demands for Personal Information from governmental entities.
- Allow individuals to move and organize in the city without being tracked or located in a manner that subjects them to unconsented collection of their personal information.
- Evaluate, anticipate, and mitigate actual or potential bias or inaccuracy in the collection, storage, sharing, or use of personal information.
- Retain personal information for only as long as necessary to accomplish a lawful and authorized purpose.
- Secure personal information against unauthorized or unlawful processing or disclosure; unwarranted access, manipulation, or misuse; and accidental loss, destruction, or damage.
Here, Personal Information is defined as “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual,” and includes, but is not limited to, an individual’s name, signature, social security number, physical characteristics or description, address, geolocation data, IP address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, genetic and biometric data, or health insurance information. The initiative would preclude the City and County of San Francisco from issuing permits and entering into contracts with any business that does not comply with the policy.
San Francisco is the second major city following Chicago that has taken expansive action to protect residents from the misuse and misappropriation of their personal data by corporations for profit. The Chicago City Council is currently considering a new privacy ordinance entitled “Chicago Personal Data Collection and Protection Ordinance” to regulate online businesses that collect sensitive personal information from Chicago residents for commercial purposes. The ordinance would require businesses to: (1) obtain opt-in consent from Chicago residents before using, disclosing, selling, or permitting access to their personal information, (2) notify Chicago residents and the city in the event of a data breach, (3) register with the city if considered a “data broker” (defined as a “commercial entity that collects, assembles, and possesses Personal Information concerning Consumers who are not customers or employees of that entity in order to sell, trade, or otherwise share the information”), (4) notify purchasers of mobile devices about the location feature, and (5) obtain affirmative express consent before collecting, using, storing, or disclosing geolocation data from mobile applications.
Compared to San Francisco’s policy, the Chicago ordinance appears to narrowly target online transactions focusing on information collected from or about an individual customer or user of an online service or website, including name and billing information, government-issued identification, geolocation information, and usage information such as browsing history, origin and destination IPs, and device identification.
It appears that the stricter privacy extensions of the European Union’s General Data Protection Regulation (GDPR) have inspired various aspects of these local initiatives. For instance, the San Francisco policy requires the city government to consider whether companies have an authorized purpose to justify data processing and whether they have obtained informed consent to process personal information. However, there are other aspects in which the local initiatives go beyond the GDPR. The Chicago ordinance, for example, requires opt-in consent to use and share personal information, whereas under the GDPR opt-in consent is only one of the six bases an organization may rely on to process data.
If San Francisco voters approve the initiative, San Francisco lawmakers will negotiate a data collection ordinance by May 31, 2019, that would apply to any entity that contracts, leases, or signs a permit with the city government. City officials have not released policy details of what a future privacy ordinance might look like, including potential fines or other penalties. In the event the Privacy First Policy does pass in November, it will likely set the precedent for other cities in enacting their own privacy policies and ordinances.