Attack of the Killer Initiative? Opt-In Privacy Regime in the Pipeline for a California Ballot Initiative

Former California State Senator Steve Peace (director of the film Attack of the Killer Tomatoes) and trial lawyer Michael Thorsnes have filed a potentially revolutionary draft ballot initiative with the California Attorney General’s Office.

If approved by voters, it would amend the California Constitution to establish a broad opt-in privacy regime with narrow exceptions. If supporters are able to collect the requisite number of signatures, the Initiative would face a vote in November 2014, and, if approved in that election, it would take effect less than two months later, bringing to California a very different set of privacy rules than apply anywhere in the United States.

After the Attorney General’s Office reviews this Initiative and decides, among other things, whether it requires a fiscal note (which appears likely), the Initiative proponents will have 150 days to gather 807,615 petition signatures to place the initiative on the November 2014 ballot. This signature process is burdensome and expensive, and many proposed initiatives fail to clear its hurdle.

The Initiative would severely restrict both business and government disclosures of a broad range of “personally identifiable information.” It would establish a presumption of confidentiality applying to all such information that an individual supplies to any entity for a commercial or governmental purpose.

This restriction would have particular bite because the Initiative would define “personally identifiable information” sweepingly to cover any information “which can be used to distinguish or trace a natural person's identity . . . whether taken alone, or when combined with other personal or identifying information which is linked or linkable to a specific natural person.” This definition seems broad enough to reach information that, although not linkable on its own to an individual, if combined with other information could be linked to an individual. Because the definition does not indicate that this other information needs to be in the possession of the recipient of the information, there is a risk that it may be interpreted as reaching potential combination with other information that is not even under the control of the recipient.1

This broad range of “personally identifiable information” could be disclosed only in narrow circumstances: (1) with the “authorization” of the individual, or (2) if “there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and no reasonable alternative for accomplishing such compelling interest” other than disclosure. “Authorization” is not defined, but likely would mean some form of consent by the individual, probably including authorization through a pre-checked box in a terms of use agreement, for example. The exception for “compelling countervailing interests” is drafted narrowly, as there would need to be “no reasonable alternative” for accomplishing the interest. It is far narrower than exceptions for disclosures found in existing privacy statutes or in the 2012 White House and FTC Staff privacy reports.

This framework would create major obstacles to business and government operations. For example, in today’s information economy, personal information is commonly disclosed for routine service provider or outsourcing functions. This could no longer occur without authorization of the person who supplied the data. The result would be a major increase in costs to both business and government operations in California, unless the entity that holds data can go back to the individual supplying it and obtain authorization for the disclosures.

The Initiative would establish a presumption of “harm” for any disclosure by a commercial or governmental entity that does not meet these narrow criteria. This would mean that the plaintiff’s bar could sue violators. Given the breadth of the definition of “personally identifiable information” (which appears to reach IP addresses and device identifiers, for example), this presumption of harm could trigger extensive litigation over garden-variety disclosures of personal information, IP addresses and device identifiers that occur routinely today.

The “Interpretation” section of the Initiative states that the Initiative “must be broadly construed.” At the same time, apparently recognizing the risk of preemption and constitutional challenges if the Initiative is approved, it contains a command that courts must interpret the Initiative “so as to be consistent with all federal and state laws, rules, and regulations.” Given the wide array of federal and state laws and regulations bearing on disclosures of varieties of personally identifiable information, this appears to be an impossible task.

Anticipating a potential conflicting initiative on the ballot, the Initiative purports to take precedence over any other initiative on the same subject approved by voters at the same time if the Initiative receives more votes than that other initiative, and to render that other initiative “null and void,” while taking effect to the extent permitted by law if it receives fewer votes.

If approved, the Initiative would take effect in January 2015, requiring a huge shift in business practices in less than two months, unless enjoined by the courts or preempted by Congress. In fact, there is a substantial likelihood that voter approval of the Initiative could prompt Congress to pass federal privacy legislation so as to preempt it. Passage in 2003 of a sweeping California opt-in spam law, which created significant class action risk, prompted Congress to act quickly to pass the CAN-SPAM Act of 2003 in order to preempt that California law. If the Initiative clears the many hurdles in front of it, history could well repeat itself.

Review a copy of the proposed initiative.

For more information about this Initiative and its impact on your business, please contact Jim Halpert.


1 This is the very broadest interpretation of personal information in EU member states, and has been embraced, for example, by the CNIL, the French Data Protection Regulator. It covers any information that could potentially be linked back to an individual, if combined with other data somewhere, even if this is unlikely to occur.

This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.

Copyright © 2013 DLA Piper. All rights reserved.
