On September 26, 2013, the California Secretary of State allowed proponents of a new ballot proposition to collect signatures for the “Personal Privacy Protection Act.” The Act, if approved, would radically change the privacy landscape in California by adding new provisions to the California Constitution. Most importantly, the Act (1) requires all “legal persons” that collect personal information to use “all reasonably available means to protect it from unauthorized disclosure” and (2) creates a presumption that a person is harmed whenever his or her personal information is disclosed without authorization.
The California Constitution already guarantees individuals the right to privacy, and a multitude of state and federal statutes and regulations place limits on the types of personal information that governments and private entities can disclose to others. California, in fact, provides some of the most far-reaching protections for individual privacy in the United States. The Act, however, would go much further, by expanding the definition of confidential personal information, requiring firms to take unspecified steps to protect privacy, and create a presumption of harm when confidential personal information is disclosed.
The impact of these changes cannot be overstated. Showing actual harm has been one of the single greatest hurdles to bringing a claim against a company for unauthorized disclosure of personal information; this Act would eliminate that hurdle. California’s Legislative Analyst’s Office has summed up the impact on California government: “This measure would result in unknown but potentially significant costs to state and local governments . . . Increased costs could result from (1) additional or more expensive lawsuits filed against government agencies, (2) increased workload for state courts, (3) the implementation of increased data security measures, and (4) changes to government information-sharing practices.” The impact on businesses in California would be even greater, as the burden of defending lawsuits where no harm need be proved escalates.
In short, if enacted, this Act promises to further expand an ever-growing exposure that companies have for data breaches and privacy law violations.
The Privacy, Information Management and Data Protection Group at Jeffer Mangels Butler & Mitchell LLP counsels a broad range of companies in their security and technology needs. For more information, contact Michael A. Gold (MGold@jmbm.com) or Robert Braun (RBraun@jmbm.com).
Michael A. Gold is co-chair of the Firm’s Privacy, Information Management and Data Protection Group. He is also a founder and co-chair of the Firm’s Discovery Technology Group™, one of the first such practice groups in a major law firm. Michael counsels clients in a wide variety of matters, including the development of computer-based information retention systems, forensic investigations of computer systems, computer and internet privacy matters and breach issues and e-discovery. He is a co-author of the Bloomberg BNA Portfolio “Records Retention for Enterprise Knowledge Management,” published in 2007 and updated in 2012. Michael has been designated a “Top Rated Lawyer in Technology Law” (Martindale Hubbell, 2013).
Robert E. Braun’s practice, spanning more than 30 years, focuses on corporate, finance, and securities law with an emphasis on emerging technologies, hospitality and business transactions. Bob represents clients in a variety of matters, including mergers, acquisitions, financing, franchising, licensing, joint ventures and strategic alliances, and other corporate transactions. Bob’s practice emphasizes new and emerging technologies, information technology, privacy and security, software development and licensing, and electronic commerce transactions. Bob is also a frequent lecturer as an expert in technology and hospitality issues, and was the only attorney in the 2012 listing of SuperLawyers to be recognized for Information Technology.