On September 26, 2013, the California Secretary of State set the stage for the enactment of yet another “consumer protection” statute in California, authorizing the commencement of signature-collection efforts for the California Personal Privacy Initiative (“CPPI”). The CPPI seeks to be a panacea for data privacy concerns in the modern age. If enough signatures are collected (807,615), and voters approve the initiative on their November 2014 ballots, the CPPI will become law “upon January 1 of the year following the election at which the voters approved this measure,” exposing countless companies to new consumer class action litigation risks. Cal. Personal Privacy Initiative § 8.
The CPPI declares “[a] natural person’s right to control and protect his or her personally identifying information is fundamental to his or her ability to pursue and obtain privacy[,]” Cal. Personal Privacy Initiative, § 2, and proposes adding the following language to the California Constitution:
ARTICLE [XXXVI] RIGHT TO PRIVACY IN PERSONALLY IDENTIFYING INFORMATION
SECTION 1. Whenever a natural person supplies personally identifying information to a legal person that is engaged in collecting such information for a commercial or governmental purpose, the personally identifying information shall be presumed confidential.
SEC. 2. Harm to a natural person shall be presumed whenever his or her confidential personally identifying information has been disclosed without his or her authorization.
SEC. 3. Confidential personally identifying information may be disclosed without authorization if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and no reasonable alternative for accomplishing such compelling interest.
SEC. 4. For the purposes of this article:
(a) “legal person” means any natural person or association, organization or other entity, including, but not limited to, any partnership, corporation, limited liability company, governmental body or subdivision thereof or other agency or body.
(b) “personally identifying information” means any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, whether taken alone, or when combined with other personal or identifying information which is linked or linkable to a specific natural person.
The CPPI’s proposed presumptions – that personally identifying information, including financial and/or health information, provided to any business collecting the information for a commercial or governmental purpose is confidential, and that people are harmed whenever that information is disclosed – would dramatically alter state privacy laws and potentially the consumer litigation landscape. California would shift to an opt-in state, where companies would have to solicit consumers’ explicit consent, rather than requiring consumers to opt out, before sending them promotional materials or sharing their personally identifying information with other companies. Secondly, consumer plaintiffs would no longer have to overcome a burden of establishing that disclosure of their personal identifying information caused them palpable harm.
Whether such a sweeping change would withstand federal preemption in the face of potentially conflicting laws – such as the federal financial services privacy regime (known as Gramm-Leach-Bliley) – itself would raise thorny questions and, inevitably, messy litigation.
The broad definition assigned to “personally identifying information” by the CPPI – i.e., “information which can be used to distinguish or trace a natural person’s identity” – taken in concert with the CPPI’s mandate that its words “be broadly construed,” also expands corporate liability exposure. A broad construction of this definition could result in a court declaring that the collection and processing of a person’s email address, user name or “handle” for a particular website, IP address or mobile device identifier, is illegal and subject to penalty. Not only would this force companies to shift the way they operate, a potentially costly endeavor, it might suffocate fledgling internet-based companies whose revenue stream depends on collecting user information for third party advertisers.
While in some respects it is premature to speculate about the consequences of CPPI since the Initiative’s proponents are only in the signature-gathering stage, it is never too early for companies to be vigilant of potential changes in the law. Because enactment of the CPPI could result in an uptick in consumer litigation and force companies to incur significant costs redesigning their business operations, and because California is a renowned hot bed for consumer class actions, this is one initiative that companies cannot afford to ignore.