California Proposition Would Expand Duties and Liabilities for Collecting Personal Information

On September 26, 2013, the California Secretary of State allowed proponents of a new ballot proposition to collect signatures for the “Personal Privacy Protection Act.” The Act, if approved, would radically change the privacy landscape in California by adding new provisions to the California Constitution. Most importantly, the Act (1) requires all “legal persons” that collect personal information to use “all reasonably available means to protect it from unauthorized disclosure” and (2) creates a presumption that a person is harmed whenever his or her personal information is disclosed without authorization.

The California Constitution already guarantees individuals the right to privacy, and a multitude of state and federal statutes and regulations place limits on the types of personal information that governments and private entities can disclose to others. California, in fact, provides some of the most far-reaching protections for individual privacy in the United States. The Act, however, would go much further, by expanding the definition of confidential personal information, requiring firms to take unspecified steps to protect privacy, and creating a presumption of harm when confidential personal information is disclosed.

The impact of these changes cannot be overstated. Showing actual harm has been one of the single greatest hurdles to bringing a claim against a company for unauthorized disclosure of personal information; this Act would eliminate that hurdle. California’s Legislative Analyst’s Office has summed up the impact on California government: “This measure would result in unknown but potentially significant costs to state and local governments . . . Increased costs could result from (1) additional or more expensive lawsuits filed against government agencies, (2) increased workload for state courts, (3) the implementation of increased data security measures, and (4) changes to government information-sharing practices.” The impact on businesses in California would be even greater, as the burden of defending lawsuits where no harm need be proved escalates.

In short, if enacted, this Act promises to further expand an ever-growing exposure that companies have for data breaches and privacy law violations.

About JMBM

The Privacy, Information Management and Data Protection Group at Jeffer Mangels Butler & Mitchell LLP counsels a broad range of companies in their security and technology needs. For more information, contact Michael A. Gold or Robert Braun.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at +1 310.785.5331.

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at +1 310.201.3529.