These laws concern specific areas of privacy, such as health care and credit cards. However, with technology rapidly evolving, and information being spread out more, personal data is getting harder to keep to oneself.
The original privacy laws were made in a time before the Internet, a time when personal information was easier to account for. Tax forms and social security cards were printed and physically stored, rather than saved online; there was a reasonable amount of responsibility given to the individual to keep these records private.
Now that the digital age has propelled everyone’s vital information away from manila envelopes to cyberspace, the time to update this law has come. Citizens simply cannot keep tabs on their personal information as closely anymore.
A newly-proposed California Personal Privacy Initiative (CPPI) attempts to update the current law by broadening the scope of what is considered private information, and shifting the burden of proof from an individual whose information has been compromised to the entity that has compromised it.
More importantly, the CCPI places a “presumption of harm” on the offending party, much like libel and defamation law. A plaintiff need not show actual, demonstrative damages in the court room; mere proof of any breach of personal information is sufficient for the plaintiff to receive a reward from the offending party.
To put it plainly: if one’s classified personal information is distributed without the party’s consent, the offending party has to prove the information distributed wasn’t classified, and that no harm was caused by its distribution.
The following is a transcript of the initiative’s amendments to the state constitution [updated to reflect recent amendments to the initiative]:
SECTION 1. Whenever a natural person supplies personally identifying information to a legal person that is engaged in collecting such information for a commercial or governmental purpose, the personally identifying information shall be presumed to be confidential and the legal person collecting such information shall use all reasonably available means for protecting such information from unauthorized disclosure.
SEC. 2. Harm to a natural person shall be presumed whenever his or her confidential personally identifying information has been disclosed without his or her authorization.
SEC. 3. Confidential personally identifying information may be disclosed without authorization if there is a countervailing compelling interest to do so (such as public safety or protected non-commercial free speech) and there is no reasonable alternative for accomplishing such compelling interest.
The CPPI defines private information as “any information which can be used to distinguish or trace a natural person’s identity, including but not limited to financial and/or health information, which is linked or linkable to a specific natural person, provided that “personally identifying information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.”
Current privacy laws grant privacy “protections” in many ways, but are generally not enforceable because of the current lack of legal remedy for the plaintiff coupled with no consequence to the breaching party.
[editor’s note: this post has been updated to reflect recent amendments to the initiative filed with the Attorney General]