California Ballot Initiative Seeks to Align the State with GDPR—and Other States May Follow
Alistair Mactaggart, who proposed the 2018 ballot initiative that prompted the California legislature to pass the California Consumer Privacy Act (CCPA), has proposed a new ballot initiative that, if passed, could bring California closer to the European standard of privacy. As in the past, other states may well follow California’s lead.
The ballot initiative, announced on September 23rd, seeks to amend the CCPA with five new provisions. Two of them closely resemble General Data Protection Regulation (GDPR) standards. The first would establish an independent Privacy Protection Agency, in effect removing CCPA enforcement from the Office of the Attorney General. Within the European Union, each Member State has such an agency, called a Supervisory Authority, that has the power to investigate claims of GDPR violation and levy fines. Several authorities have already done so, including the Information Commissioner’s Office of the United Kingdom, which fined British Airways £183 million in connection with its 2018 data breach, and the CNIL of France, which levied a fine of €50 million against Google for failures of transparency with regard to data privacy.
The second significant provision would require organizations that use algorithms that impact employment, housing and credit decisions to provide explanations of the algorithms’ logic and reasoning. This closely resembles a similar provision in Article 22 of the GDPR.
California is unique in permitting a statute like CCPA to be amended by acts of the Legislature and by ballot initiative. The thrust of the amendments differs greatly between these two methods. The ballot initiative seeks to expend privacy protections under CCPA, while the legislative amendments seek to narrow them. Five amendments were passed by the legislature before it adjourned on September 13th and are awaiting signature by Governor Gavin Newsom. Some may consider them common-sense, practical adjustments, such as the amendment that removes employee information from the protections accorded to consumer data (AB25), and the amendment that removes notice, access and deletion rights from certain business-to-business communications or transactions (AB 1335).
While these amendments, if signed by the Governor, may grant more certainty for businesses who access Californians’ data (and most businesses with a website will certainly do so and thereby be subject to CCPA), the ballot initiative with its potential for privacy rights expansion may make planning more difficult. Add to this mix the fact that, in the absence of federal legislation, over twenty states introduced privacy and/or cybersecurity bills in the last session. Some bills, like the Washington Privacy Act and the New Mexico Consumer Privacy Act, also closely hew to more expansive GDPR standards. Several states, such as Colorado, Ohio, Illinois, Vermont and, most recently, New York, have already enacted stringent privacy and/or cybersecurity statutes.
To make practical sense of all this and increase growth by gaining trust of business customers and consumers, organizations that market nationally (as do most that have a website) and internationally, should seek advice as to how to prepare information management processes that meet the common themes of these provisions. They will only get stricter, and consumers will only be more vigilant in confirming an organization’s commitment to privacy.
If you have questions or require assistance in implementing information management processes, please contact Kenneth N. Rashbaum.