The Initiative
On July 24, 2018, San Francisco city supervisors unanimously approved placing the policy initiative on the November ballot. The initiative cites the following 11 principles for the city to abide by in adopting privacy laws and regulations:
1. Engage with and inform those likely to be affected by the collection, storage, sharing, or use of their Personal Information prior to authorizing and prior to any change regarding the collection, storage, sharing, or use of their Personal Information.
2. Ensure that Personal Information collected, stored, shared, or used is done so pursuant to a lawful and authorized purpose.
3. Allow individuals to access Personal Information about themselves that has been collected, and provide access and tools to correct any inaccurate Personal Information.
4. Solicit informed consent to the collection, storage, sharing, or use of Personal Information, and provide alternative and equal access to goods and services for those who deny or revoke consent.
5. Discourage the collection, storage, sharing, or use of Personal Information, including potentially sensitive demographic information, unless necessary to accomplish a lawful, authorized purpose.
6. De-identify data sets collected for research and other analytical purposes by removing the ability to connect personal characteristics with specific individuals and implementing technical safeguards to prevent re-identification of information.
7. Adopt and make public or cause to be made public policies and practices to respond to requests or demands for Personal Information from governmental entities.
8. Allow individuals to move and organize in the city without being tracked or located in a manner that subjects them to unconsented collection of their personal information.
9. Evaluate, anticipate, and mitigate actual or potential bias or inaccuracy in the collection, storage, sharing, or use of personal information.
10. Retain personal information for only as long as necessary to accomplish a lawful and authorized purpose.
11. Secure personal information against unauthorized or unlawful processing or disclosure; unwarranted access, manipulation, or misuse; and accidental loss, destruction, or damage.
Here, personal information is defined as “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual,” and includes, but is not limited to, an individual’s name, signature, Social Security number, physical characteristics or description, address, geolocation data, internet protocol address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, genetic and biometric data, or health insurance information. The initiative would preclude the city and county of San Francisco from issuing permits and entering into contracts with any business that does not comply with the policy.
Growing Trends
San Francisco is the second major city following Chicago that has taken expansive action to protect residents from the misuse and misappropriation of their personal data by corporations for profit. The Chicago City Council is currently considering a new privacy ordinance titled “Chicago Personal Data Collection and Protection Ordinance” to regulate online businesses that collect sensitive personal information from Chicago residents for commercial purposes.
The Chicago ordinance would require businesses to: (1) obtain opt-in consent from Chicago residents before using, disclosing, selling, or permitting access to their personal information, (2) notify Chicago residents and the city in the event of a data breach, (3) register with the city if considered a “data broker” (defined as a “commercial entity that collects, assembles, and possesses Personal Information concerning Consumers who are not customers or employees of that entity in order to sell, trade, or otherwise share the information”), (4) notify purchasers of mobile devices about the location feature, and (5) obtain affirmative express consent before collecting, using, storing, or disclosing geolocation data from mobile applications.
The San Francisco policy and Chicago ordinance are seen as positive legislative responses to public uproar following the high-profile Cambridge Analytica scandal, in which the personal information of tens of millions of individuals was allegedly used in consultant work connected to the 2016 Trump campaign. It appears that the stricter privacy extensions of the European Union’s General Data Protection Regulation inspired various aspects of these local initiatives. For instance, the San Francisco policy requires the city government to consider whether companies have an authorized purpose to justify data processing and whether they have obtained informed consent to process personal information. However, there are other aspects in which the local initiatives go beyond the GDPR. The Chicago ordinance, for example, requires opt-in consent to use and share personal information, whereas under the GDPR opt-in consent is only one of the six bases an organization may rely on to process data.
Despite the similarity in motive, there are notable differences between the San Francisco policy and the Chicago ordinance. Procedurally, the Chicago ordinance is one step ahead of the San Francisco policy in terms of becoming enforceable law. The Chicago ordinance is draft legislation currently under consideration by the Chicago City Council, and legislators will vote on its passage. Conversely, San Francisco voters’ approval of the Privacy First Policy would not immediately make it enforceable law. Rather, the policy establishes guidance for the city to consider in implementing privacy laws and regulations in the future.
Substantively, the two measures differ in at least three major ways.
First, they aim at different targets. The San Francisco policy provides guidelines that the city itself shall adhere to (1) in the city’s own practices for the collection, storage, sharing, and use of personal information, (2) when entering into contracts, grants, or leases with third parties, and (3) when issuing permits, licenses, or other entitlements. The Chicago ordinance, on the other hand, appears to narrowly focus on online service operators, data brokers and mobile device retailers.
Second, they differ in granularity. The policy proposes a set of high-level privacy principles while the ordinance imposes specific requirements. For example, on the principle of notice, the policy includes a broader requirement to inform California consumers of the prospective data processing activities, whereas the ordinance narrowly requires notice to purchasers of mobile devices about the location feature, and notice to Chicago residents within 15 days of discovering a data breach. On the principle of consent, the policy generally requires informed consent to collect, store, share or use personal information. The ordinance, however, expressly requires stricter opt-in consent before using, disclosing, selling or permitting access to customer personal information. The ordinance further imposes specific and prescriptive obligations on data brokers to register with the city, a requirement that is not addressed in the policy.
Finally, the ordinance contains enforcement provisions while the policy does not. Under the ordinance, each privacy offense is subject to a specific fine, and a general fine between $100 and $250 will apply where no other fine is specified. Penalties can quickly add up because each day that a violation continues is considered a “separate and distinct offense” and each failure with respect to a single consumer could be interpreted as a violation. The ordinance would also create a private cause of action for enforcement by customers for failure to obtain a consumer’s consent prior to the collection, use, or sharing of sensitive personal information or location data.
Implications
If San Francisco voters approve the initiative, San Francisco lawmakers will negotiate a privacy ordinance by May 31, 2019, that would apply to any entity that enters into contracts, grants, or leases with the city, or receives permits, licenses, or other entitlements from it. City officials have not released policy details of what a future privacy ordinance might look like, including specific privacy requirements and potential fines or other penalties. In the event the Privacy First Policy does pass in November, it will likely set the precedent for other cities in enacting their own privacy policies.