California has moved one step closer towards amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.
On Thursday, California Secretary of State Debra Bowen approved steps necessary to bring the Personal Privacy Protection Act to California voters. The effort to bring this initiative to the ballot, led by former state Sen. Steve Peace (also co-writer and co-producer of 1978’s cult classic “Attack of the Killer Tomatoes”) and retired litigator Michael Thorsnes, will require 807,615 signatures from registered voters by February 24, 2014. (The complete Ballot Initiative Request is available here) If its proponents succeed, voters will face the issue in November 2014, with any approved change to the law taking effect in January 2016.
As reported here, one of the biggest challenges litigants face is proving that the disclosure of personal data – such as credit card numbers, user names, and email addresses, as well as health data – has resulted in any actionable harm. If approved by California voters, the disclosure of “personally identifying information,” – defined as “any information which can be used to distinguish or trace a natural person’s identify, including but not limited to financial and/or health information, which is linked or linkable to a specific natural person” – will be presumed to have caused such harm or injury. Potential plaintiffs, unburdened from having to make the difficult showing of actual injury, will almost certainly unleash a flurry of such litigation in the state. Specifically, the initiative would create presumptions that an individual’s personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in to its disclosure (unless that information is publicly available or there is a compelling interest in its disclosure). Such a move would bring California closer to the opt-in approach to data collection and sharing favored in the E.U.
Notably, as a potential ballot initiative, this issue is not subject to review by lawmakers nor to the standard lobbying efforts of industry stakeholders. Instead, this aspect of the future of California privacy law rests firmly in the hands of her voters.