On November 6, 2018, voters in San Francisco will decide whether to enact the city’s “Privacy First Policy” that aims to protect the personal information of residents and visitors from abuse by companies doing business in San Francisco. The policy establishes a set of privacy principles to guide the city’s government when considering the adoption of privacy policies, laws, and regulations, and when determining whether to issue permits, licenses, or other entitlements to the its contractors and third parties. If the policy is passed, businesses in San Francisco would be required to disclose their data collection policies and obtain input from communities impacted when drafting those policies.
According to the city supervisor, the policy is motivated primarily by the city’s sense of “responsibility to set ground rules that protect the best interest of the general public” as “the information technology sector shap[es] much of our city’s identity.” The policy rides the coattails of the California Consumer Privacy Act passed in June 2018, which empowers consumers with various rights such as the right to know what information is being collected about them and whether it is being sold and the right to opt out of the sale of their personal information.
The initiative
On July 24, 2018, San Francisco city supervisors unanimously approved placing the policy initiative on the November ballot. The initiative cites 11 principles for the city to abide by in adopting privacy laws and regulations:
- Engage with and inform those likely to be affected by the collection, storage, sharing, or use of their Personal Information prior to authorizing and prior to any change regarding the collection, storage, sharing, or use of their Personal Information.
- Ensure that Personal Information collected, stored, shared, or used is done so pursuant to a lawful and authorized purpose.
- Allow individuals to access Personal Information about themselves that has been collected, and provide access and tools to correct any inaccurate Personal Information.
- Solicit informed consent to the collection, storage, sharing, or use of Personal Information, and provide alternative and equal access to goods and services for those who deny or revoke consent.
- Discourage the collection, storage, sharing, or use of Personal Information, including potentially sensitive demographic information, unless necessary to accomplish a lawful, authorized purpose.
- De-identify data sets collected for research and other analytical purposes by removing the ability to connect personal characteristics with specific individuals and implementing technical safeguards to prevent re-identification of information.
- Adopt and make public or cause to be made public policies and practices to respond to requests or demands for Personal Information from governmental entities.
- Allow individuals to move and organize in the city without being tracked or located in a manner that subjects them to unconsented collection of their personal information.
- Evaluate, anticipate, and mitigate actual or potential bias or inaccuracy in the collection, storage, sharing, or use of personal information.
- Retain personal information for only as long as necessary to accomplish a lawful and authorized purpose.
- Secure personal information against unauthorized or unlawful processing or disclosure; unwarranted access, manipulation, or misuse; and accidental loss, destruction, or damage.
Here, Personal Information is defined as “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual,” and includes, but is not limited to, an individual’s name, signature, social security number, physical characteristics or description, address, geolocation data, IP address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, genetic and biometric data, or health insurance information. The initiative would preclude the City and County of San Francisco from issuing permits and entering into contracts with any business that does not comply with the policy.