Referendum on data privacy coming to California in November
It was just two years ago that California passed a groundbreaking data privacy law. Now the state’s voters have a chance to expand its protections.
The latest proposal, known as the California Privacy Rights Act, would create a state agency to serve as a privacy watchdog and would offer more rights to consumers. It would also create a raft of compliance work for banks and other companies, especially tech firms that rely heavily on users’ personal data.
The financial services industry would retain limited exemptions that were included in the earlier law.
The measure was approved last week for the statewide ballot in November after its backers obtained more than 623,000 signatures.
“We’ve come a long way in the two years since passing the landmark California Consumer Privacy Act,” Alastair Mactaggart, the lead backer of both measures, said in a press release. “But during these times of unprecedented uncertainty, we need to ensure that the laws keep pace with the ever-changing ways corporations and other entities are using our data.”
Californians for Consumer Privacy, the group that Mactaggart founded, obtained enough signatures in 2018 to put a sweeping data privacy proposal onto the statewide ballot. Instead, the group agreed to a last-minute compromise, passed by the state legislature, that took effect in January of this year.
This year, Mactaggart’s group appears more likely to carry the fight to the ballot box. Polls show strong public support for data privacy protections. While the ballot initiative will likely be opposed by industry groups, it remains to be seen how much money big tech companies in Silicon Valley will be willing to put into an opposition campaign.
Banks and credit unions that operate in California have already invested considerable time and money to comply with the 2018 law. Financial industry lawyers said that the latest measure, if it becomes law, will require more investments.
“It’s a pretty significant overhaul,” said Nate Taylor, a lawyer in the privacy and data security practice at Morrison & Foerster. “Very little is left unchanged.”
The proposal would create a watchdog, called the California Privacy Protection Agency, that would be governed by a five-member board and have the authority to enforce the law.
New protections for California’s nearly 40 million residents would include the right to correct inaccurate personal information and the right to opt out of advertiser use of precise geolocation data.
“I do think this initiative provides greater rights to consumers,” said Amanda Lawrence, a lawyer at Buckley LLP.
Banks would maintain an existing exemption for personal information collected, sold or disclosed pursuant to the Gramm-Leach-Bliley Act, a 1999 federal law. An exemption for personal data gathered during the course of business-to-business communications would get a temporary extension. The bulk of the ballot initiative would take effect on Jan. 1, 2023.
The proposal would bring the nation’s largest state into closer alignent with the European Union's data privacy requirements, according to lawyers at Davis Polk & Wardwell. In a written analysis, the Davis Polk lawyers called the smaller gap between those two regimes a boon, but not a panacea, for firms that already comply with EU rules.
Under California’s existing law, state residents have the right to obtain copies of their personal information from specific companies, as well as the right to demand the deletion of their data. The two-year-old law has served as the model for legislative proposals on data privacy in roughly 15 other states, according to a 2019 analysis by the law firm Baker Hostetler.
Efforts to pass a federal data privacy law have long been stymied by disagreements that pit industry groups against privacy advocates and state regulators. One key sticking point is whether national standards should serve as a ceiling or a floor for state regulation.