California only passed a groundbreaking data protection law two years ago. Now the state's voters have the opportunity to expand their protection.
The latest proposal, known as the California Privacy Rights Act, would create a government agency as a data protection officer and offer consumers more rights. This would also create a range of compliance work for banks and other companies, especially for technology companies that rely heavily on users' personal information.
The financial services industry would maintain limited exceptions that were included in the previous law.
The measure was approved this week for nationwide voting in November after its supporters received more than 623,000 signatures.
"We have come a long way in the two years since the groundbreaking California data protection law was passed," said Alastair Mactaggart, the leading supporter of both measures, in a press release. "But in times of unprecedented uncertainty, we need to make sure that laws keep pace with the changing way companies and other companies use our data."
Californians for Consumer Privacy, the group founded by Mactaggart, received enough signatures in 2018 to include a comprehensive data protection proposal in the nationwide vote. Instead, the group approved a legislative last-minute compromise that entered into force in January this year.
This year it seems more likely that Mactaggart's group will fight in the ballot box. Surveys show strong public support for privacy protection. While the electoral initiative is likely to be rejected by industry groups, it remains to be seen how much money large technology companies in Silicon Valley will be willing to invest in an opposition campaign.
Banks and credit unions in California have already invested a lot of time and money to comply with the 2018 law. Financial lawyers said the latest measure, if it becomes law, will require more investment.
"It's a pretty significant overhaul," said Nate Taylor, a lawyer in the privacy and data security practice at Morrison & Foerster. "Very little remains unchanged."
The proposal would create a guard dog called the California Privacy Protection Agency, led by a five-member board, and empowered to enforce the law.
New safeguards for California's nearly 40 million residents include the right to correct inaccurate personal information and the right to reject advertisers with precise geolocation information.
"I think this initiative gives consumers greater rights," said Amanda Lawrence, lawyer at Buckley LLP.
The banks would maintain an existing exemption for personal data that is collected, sold, or disclosed under the Gramm-Leach-Bliley Act, a federal law of 1999. An exception for personal data collected as part of business-to-business communication would be temporarily extended. The majority of the election initiative would take effect on January 1, 2023.
The proposal would bring the country's largest state closer to the European Union's data protection requirements, said Davis Polk & Wardwell lawyers. In a written analysis, Davis Polk's lawyers described the narrower gap between these two regimes as a blessing, but not a panacea, for companies that already comply with EU regulations.
Under California law, citizens have the right to receive copies of their personal information from certain companies and to have their information erased. The two-year-old law, according to an analysis by the law firm Baker Hostetler from 2019, served as a model for legislative proposals on data protection in around 15 other countries.
Efforts to pass a federal data protection law have long been held back by disagreements that industry groups oppose to data protection advocates and government regulators. An important sticking point is whether national standards should serve as a ceiling or floor for state regulation.