Just 10 years ago, California enacted the first breach notification law and unwittingly transformed the landscape of American privacy and data security law. To date, 45 other states, multiple federal agencies, and even local governments have followed suit. California residents may soon find themselves voting on a ballot initiative that could have an equally dramatic effect on this area of law.
The ballot initiative, known as the California Personal Privacy Initiative, is designed to remove barriers to privacy and data security lawsuits and also would promote stronger data security and an “opt-in” standard for the disclosure of personal information. Specifically, the initiative would amend the California Constitution to:
- Create a presumption that “personally identifying information” collected for a commercial or governmental purpose is confidential.
- Require the person collecting such information to use all reasonably available means to protect it from unauthorized disclosure.
- Create a presumption of harm to a person whenever her confidential personally identifying information has been disclosed without her authorization.
Notwithstanding the presumption of harm, the amendment would permit the disclosure of confidential personally identifying information without authorization “if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and there is no reasonable alternative for accomplishing such compelling interest.”
Turning first to the impact on litigation, plaintiffs have largely been unsuccessful in privacy and data security litigation because they have failed to show harm resulting from an alleged unlawful privacy practice or security breach. The obligation to show harm arises at two stages when a case is litigated in federal court: first, the plaintiff must establish that he has suffered an “injury in fact” in order to meet the requirements for Article III standing, and second, the plaintiff must satisfy the harm requirement that applies to the relevant cause of action (e.g., negligence). If the case is litigated in state court, the standing requirement does not apply, but most, if not all, privacy and data security breach class actions have been litigated in federal court.
The ballot initiative would create a presumption of harm that could allow more lawsuits to satisfy the injury-in-fact standard (step one, above) and the harm requirement for the underlying cause of action (step two, above). Without that barrier, business would be stripped of the most effective means of prevailing on a motion to dismiss for certain causes of action. And in some scenarios, business would be forced to rely on untested or tenuous defenses, making companies more likely to settle, rather than fight, previously unsustainable causes of action.
Other components of the initiative would exacerbate the uptick in litigation, including the presumption that personally identifying information collected for a commercial purpose is confidential and the requirement that organizations use reasonable measures to prevent unauthorized disclosure of that information. Plaintiffs’ claims are sometimes based on an allegation that promises made in the defendant’s privacy notice regarding security measures are deceptive. Currently, companies can protect themselves against these claims by making only conservative representations about privacy and security. But the ballot initiative could create a general duty to adopt reasonable privacy and security measures, raising the prospect that plaintiffs could more successfully pursue negligence-style claims, which companies cannot deter solely by adopting conservative privacy notices.
The initiative also employs a very broad definition of personally identifying information: “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, which is linked or linkable to a specific natural person.” (The definition does not cover publicly available information lawfully made available to the public from government records.) This expansive definition would force organizations to apply stricter security to types of information that might not otherwise receive those protections. Furthermore, the definition is particularly problematic when considered in conjunction with the presumption of harm discussed above because identifiable data such as names, email addresses, and device identifiers are routinely shared by businesses without consent. If this initiative succeeds, the increased threat of litigation will incentivize businesses to default to an opt-in standard for disclosures of information.
There is, however, at least one reason to believe that the initiative may not be as detrimental to business interests as some are predicting. Showing a nominal harm for the underlying cause of action does not necessarily equate to an award of damages so, even if the ballot initiative is successful, there would in some cases remain a practical limitation on the plaintiff’s ability to recoup money damages. Where statutory damages are available, or where a plaintiff can show some actual monetary harm, money awards would be possible. But in cases where statutory damages are not available and a plaintiff must show actual monetary harm to procure a monetary award, the ballot initiative may not save such claims. For example, the damages award flowing from a negligence claim is generally based on the actual damages incurred by a plaintiff. Therefore, even if the plaintiff could state a cause of action for the purpose of defeating a motion to dismiss, the plaintiff may not be entitled to anything more than a nominal damages award if the plaintiff cannot demonstrate monetary damage such as the cost of credit monitoring, identity theft insurance, or perhaps even therapy bills. On the other hand, courts could interpret the amendment as requiring recognition of a new type of harm, similar to emotional distress, that is compensable through money damages—even without a showing of some concrete financial harm to the plaintiff.
The ballot initiative’s proponents must obtain 807,615 signatures before Californians would have the opportunity to vote on it. If the signatures are collected, then the initiative will appear on the ballot without further opportunity to seek amendments to address business concerns. If the initiative appears on the ballot, it would require only a simple majority vote to pass. Interested organizations should work to ensure that public debate over the initiative includes a discussion of the heavy burden on business that could result from the initiative.