Sponsors Drop California Ballot Initiative Intended to Transform Privacy Class Actions
Recent reports have circulated regarding a California ballot initiative that, if successful, might have marked the second time California would have caused a national shift in privacy law. Just 10 years ago, California enacted the first breach notification law and unwittingly transformed the landscape of American privacy and data security law. To date, 45 other states, multiple federal agencies, and even local governments have followed suit. The recent ballot initiative, known as the California Personal Privacy Initiative, would have provided California voters an opportunity to have an equally dramatic impact on privacy and data security class action lawsuits by removing the harm barriers that cause most of those actions to fail.
The Sacramento Bee now reports that the proponents of the initiative have decided to drop it, citing an analysis by California’s Legislative Analyst’s Office. The analysis reportedly warned that the measure could have adverse consequences for the state of California, including significant litigation risk, increased court workload, costs to improve data security, and costs to change information-sharing practices. The measure’s proponents felt that they would not be able to successfully defend the measure to the public in the face of that analysis.
Although the Legislative Analyst’s Office focused on negative impacts for the state, a similar analysis would apply when viewing the initiative’s significant and burdensome impact on business interests. In the event that the ballot initiative or similar measures are reconsidered in California or elsewhere, we describe below how the ballot measure could have transformed the current state of privacy and data security class action lawsuits.
The initiative proposed to amend the California Constitution in order to:
- Create a presumption that “personally identifying information” collected for a commercial or governmental purpose is confidential
- Require the person collecting such information to use all reasonably available means to protect it from unauthorized disclosure
- Create a presumption of harm to a person whenever her confidential personally identifying information has been disclosed without her authorization.
Notwithstanding the presumption of harm, the amendment would have permitted the disclosure of confidential personally identifying information without authorization “if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and there is no reasonable alternative for accomplishing such compelling interest.”
Turning first to the impact on litigation, plaintiffs have largely been unsuccessful in privacy and data security litigation because they have failed to show harm resulting from an alleged unlawful privacy practice or security breach. The obligation to show harm arises at two stages when a case is litigated in federal court: first, the plaintiff must establish that he has suffered an “injury in fact” in order to meet the requirements for Article III standing, and second, the plaintiff must satisfy the harm requirement that applies to the relevant cause of action (e.g., negligence). If the case is litigated in state court, the standing requirement does not apply, but most, if not all, privacy and data security breach class actions have been litigated in federal court.
The ballot initiative was intended to create a presumption of harm that could allow more lawsuits to satisfy the injury-in-fact standard and the harm requirement for the underlying cause of action. Without that barrier, business would be stripped of the most effective means of prevailing on a motion to dismiss for certain causes of action. And in some scenarios, business would be forced to rely on untested or tenuous defenses, making companies more likely to settle, rather than fight, previously unsustainable causes of action.
Other components of the initiative would have exacerbated the increased volume of litigation, including the presumption that personally identifying information collected for a commercial purpose is confidential and the requirement that organizations use reasonable measures to prevent unauthorized disclosure of that information. Plaintiffs’ claims are sometimes based on an allegation that promises made in the defendant’s privacy notice are deceptive. Currently, companies can help shield themselves against these claims by making only conservative representations about privacy and security. The ballot initiative would have created a general duty to adopt reasonable privacy and security measures, raising the prospect that plaintiffs could more successfully pursue negligence-style claims, which companies cannot deter solely by adopting conservative privacy notices.
The initiative also employed a very broad definition of personally identifying information: “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, which is linked or linkable to a specific natural person.” (The definition does not cover publicly available information lawfully made available to the public from government records.) This expansive definition would force organizations to apply stricter security to types of information that might not otherwise receive those protections. Furthermore, data such as names, email addresses, and device identifiers are routinely shared by businesses without consent. If this initiative were successful, the increased threat of litigation would likely have “incentivized” businesses to default to an opt-in standard for disclosures of information and heighten security applicable to such data.
Now that the ballot initiative appears to have been abandoned, businesses do not face the immediate risk of the above-described impacts. The approach was novel and potentially compelling to voters, as well as to legislators and regulators favorably inclined toward consumer protectionism who largely view privacy as a bipartisan issue. As a result, businesses should monitor for similar proposals designed to ease the path of privacy litigants, which could take the form of bills or ballot measures.