It’s not surprising that proponents of the so-called “California Consumer Privacy Act” would want to draw attention to the latest controversies around internet privacy.
Not surprising – but dishonest.
The initiative has nothing to do with the situation in the headlines. The ballot measure would not have prevented it and doesn’t even contemplate the scenario. The simple fact is that the data was never sold, so the connection to the proposed initiative is simply specious.
To be sure, tech users have legitimate concerns about privacy, and technology and government leaders are responding by examining a range of consumer protection options. But the ballot measure goes way too far and does more harm than good.
The internet is a seamless and global network. That’s the point. Yet ballot measure proponents seek to create a California-only regulatory scheme. It makes no sense, and is even a little creepy, to attempt to wall off the California internet for custom rules and treatment.
The details of the initiative are a mess.
To comply with this initiative, businesses that provide services in California and meet certain broad criteria would be required to prominently post a link on their websites in California stating, “Do Not Sell My Personal Information.” This must then link to a stand-alone webpage where consumers can opt-out of any sharing or selling of their personal information by the business to any third party.
This may seem convenient, but in practice it will cut consumers off from services that we today take for granted. For example, airlines wouldn’t be able to offer custom deals for rental cars when we make flight reservations. “Free” apps that depend on your location information, like traffic mapping, would simply not be available in California since their business model would be upended.
Because tech businesses would be prohibited from denying or reducing services, or charging more for a service based on whether the user permitted data sharing, many internet services we have come to depend on simply may be unavailable in California.
Even though the measure is being financed by a single individual without a business background in technology, the real beneficiaries will be trial lawyers.
The initiative would allow attorneys and consumers to sue businesses for security breaches of consumers’ data or for other violations of the measure even if consumers cannot prove they have suffered any loss or been injured in any other way. Importantly, the initiative would reverse a 2004 law enacted by the voters requiring that plaintiffs must suffer an actual injury before suing under the unfair competition law. Under this Initiative, any violations are deemed to have injured the plaintiff, which eliminates the biggest hurdle from suing under this law.
As if the legal liabilities aren’t onerous enough, the compliance costs to businesses may discourage them from serving the California market.
The ballot measure creates a labor-intensive paperwork nightmare. It requires businesses to provide notice and disclosure to any consumer who requests it within 45 days – requiring an army of compliance personnel to execute those tasks. Businesses would have to provide categories of personal information collected on the consumer, and sold or shared, along with the identity of the third parties with whom it is shared. Businesses must also provide up-front notice if it sells or shares personal information and how the consumer can opt out.
What proponents don’t mention is that companies can keep all the data that is collected, even if it cannot be used for marketing or consumer services.
Consumers’ internet privacy issues aren’t going away – especially given the reverberating power of social media on this issue. The most sensible approach should provide the right balance between legitimate protection of privacy and availability of internet services demanded by consumers. These issues can best be reconciled by the public’s representatives in Congress, not at the whim of an initiative entrepreneur.