California data privacy compromise in peril
Advocates for data privacy rights are planning to take their cause to California voters in November 2020 — a decision with the potential to undo a legislative compromise that granted concessions to financial institutions and other businesses.
Californians for Consumer Privacy filed an initiative with state officials on Wednesday, kicking off a process that requires hundreds of thousands of signatures to get on the statewide ballot.
The proposal would strengthen a 2018 law that is scheduled to take effect on Jan. 1 and will give the state’s 40 million residents greater control over the dissemination of their personal data.
“Unless California voters take action, the hard-fought rights consumers have won could be undermined by big business,” the initiative states.
Among other changes, the proposal would create a new state agency charged with enforcing the data privacy law. It would also create new rights around the use and sale of financial information, according to Californians for Consumer Privacy.
For banks, tech companies and other firms that have been scrambling to prepare for the new California rules, the ballot measure introduces a new element of uncertainty.
“The specter of another ballot initiative is very concerning,” said Nathan Taylor, an attorney at Morrison Foerster who advises financial institutions on how to comply with privacy laws.
The California Consumer Privacy Act, which was passed last year, includes an exemption for personal information collected, sold or disclosed pursuant to the Gramm-Leach-Bliley Act, a 1999 federal law that established privacy rules for banks. That carve-out would remain in place under the ballot initiative that was filed this week.
But even with that exemption, and with the addition of amendments that were passed earlier this month by the state Legislature, banks still face significant exposure to the first-of-its-kind data privacy law.
One amendment would exempt personal information that companies possess about their employees. Another would exempt personal information gathered during the course of business-to-business communications. Gov. Gavin Newsom, a Democrat, has until Oct. 13 to sign the amendments.
Both of those carve-outs would expire in 2021, setting up the likelihood of more negotiations in Sacramento next year about the law’s scope. If the initiative’s backers gather enough signatures to get their proposal on the ballot in November 2020, they figure to have a strengthened bargaining position in those talks.
The 2018 law was the byproduct of a similar process, with Californians for Consumer Privacy gathering enough signatures to get their proposal on the ballot, and then using the possibility of a statewide vote as leverage in talks with lawmakers.
Alternatively, advocates for data privacy could take their initiative to voters next year in a bet that growing concerns about the collection and sale of vast amounts of personal information will carry the day.
The events unfolding in California have implications well beyond its borders. Ben Shorten, who leads Accenture’s privacy practice for financial institutions in North America, suggested that the California regulations could be copied by other states.
He also said that financial institutions are currently discussing how broadly to apply the rights enshrined in California law. The law that takes effect on Jan. 1 will give California residents the right to know when a business sells or discloses their personal information for a business purpose.
Inside some financial institutions, one of the questions that is now being asked, according to Shorten, is: “Do we really want to decline someone who is making a request because they are not a resident of California?”