On September 26, 2013, the California Secretary of State allowed proponents of a new ballot proposition to collect signatures for the “Personal Privacy Protection Act.” The Act, if approved, would radically change the privacy landscape in California by adding new provisions to the California Constitution. Most importantly, the Act (1) requires all “legal persons” that collect personal information to use “all reasonably available means to protect it from unauthorized disclosure” and (2) creates a presumption that a person is harmed whenever his or her personal information is disclosed without authorization.
The California Constitution already guarantees individuals the right to privacy, and a multitude of state and federal statutes and regulations place limits on the types of personal information that governments and private entities can disclose to others. California, in fact, provides some of the most far-reaching protections for individual privacy in the United States. The Act, however, would go much further, by expanding the definition of confidential personal information, requiring firms to take unspecified steps to protect privacy, and create a presumption of harm when confidential personal information is disclosed.
The impact of these changes cannot be overstated. Showing actual harm has been one of the single greatest hurdles to bringing a claim against a company for unauthorized disclosure of personal information; this Act would eliminate that hurdle. California’s Legislative Analyst’s Office has summed up the impact on California government: “This measure would result in unknown but potentially significant costs to state and local governments . . . Increased costs could result from (1) additional or more expensive lawsuits filed against government agencies, (2) increased workload for state courts, (3) the implementation of increased data security measures, and (4) changes to government information-sharing practices.” The impact on businesses in California would be even greater, as the burden of defending lawsuits where no harm need be proved escalates.
In short, if enacted, this Act promises to further expand an ever-growing exposure that companies have for data breaches and privacy law violations.