The dust has only just settled on the EU's General Data Protection Regulation ("GDPR"). The swift passage of the California Consumer Privacy Act ("CCPA") left companies scrambling to propose a federal privacy framework. And now U.S. businesses must brace for the impact of municipal privacy legislation. San Francisco has adopted an expansive data privacy measure, positioning the City to have some of the strongest protections in the country.
On November 6, 2018, a San Francisco data protection ballot measure passed by over 56%, setting a new precedent for cities across the U.S. Known as the Privacy First Policy ("Privacy First Policy" or the "Policy"), the measure updated the Charter of the City and County of San Francisco to include Section 16.130, which establishes eleven guiding principles for City agencies.1 The Charter Amendment was placed on the ballot by a unanimous vote of the Board of Supervisors, signifying a bipartisan push among progressives and moderates. The Policy requires the City Administrator to propose an ordinance to the Board of Supervisors, by no later than May 31, 2019, outlining how third-parties must protect personal information to receive entitlements or enter into contracts with San Francisco. Privacy protections implemented through such legislation must be revisited at least every three years for the sake of ensuring adherence to the guiding principles and to keep up with the rapidly evolving state of data collection.2
The Privacy First Policy mirrors the CCPA by giving consumers significantly more control over the collection and use of their personal data. However, the Policy is not a guarantee of privacy but rather a set of principles to guide the development of municipal laws. It is intended to be a touchstone for future policymakers. Under the Policy, the City must take inventory of new data collection methods and amend privacy protection laws accordingly. It also targets the discrepancy between "expectations of privacy" and individuals being deemed to have no expectation of privacy when private information is made public or available to third parties, particularly when it involves government access to information. The Policy mandates that all criteria and rules apply equally to the collection of Personal Information by the City government as it would to third-party beneficiaries of City contracts, permits, licenses, and grants.
Four key principles of the Privacy First Policy exceed the scope of the CCPA: (1) providing equal access to services for individuals who deny consent to the collection of their Personal Information (the CCPA gives consumers the right to opt out of their information being sold, but not opt out of that information being collected initially); (2) allowing individuals to move freely in the City without being tracked in a manner that subjects them to unconsented collection of their Personal Information; (3) discouraging the collection of Personal Information that may identify race, religion, gender, sexual orientation, disability or other potentially sensitive demographics; and (4) mitigating bias in the collection and analysis of Personal Information.
The Privacy First Policy defines "Personal Information" to include any information that identifies, relates to, describes, or is capable of being associated with an individual. This definition is similar to the CCPA's and encompasses genetic and biometric data, geolocation data, IP addresses, financial information, medical information, or data relating to health insurance.
Guiding Principles. The eleven principles the City Administrator must follow when crafting the ordinance by May 2019 are:
- Inform those likely to be affected by the collection of their Personal Information prior to authorizing and prior to any change regarding the collection of their Personal Information.
- Ensure that Personal Information is collected pursuant to a lawful and authorized purpose.
- Allow individuals to access and correct any inaccurate Personal Information about themselves that has been collected.
- Solicit informed consent to the collection of Personal Information and provide alternative and equal access to goods and services for those who deny or revoke consent.
- Discourage the collection of Personal Information, including potentially sensitive demographic information.
- De-identify data sets collected for research and other analytical purposes by removing the ability to connect personal characteristics with specific individuals and implementing technical safeguards to prevent re-identification of information.
- Adopt and make public policies and practices to respond to requests for Personal Information from governmental entities.
- Allow individuals to move and organize in the City without being tracked or located in a manner that subjects them to unconsented collection of their personal information.
- Evaluate, anticipate, and mitigate actual or potential bias or inaccuracy in the collection of Personal Information.
- Retain Personal Information for only as long as necessary to accomplish a lawful and authorized purpose.
- Secure Personal Information against unauthorized or unlawful processing or disclosure; unwarranted access, manipulation, or misuse; and accidental loss, destruction, or damage.
Implementation. By May 31, 2019, San Francisco's City Administrator must present an ordinance to the Board of Supervisors that establishes criteria for the City to use in all future privacy-related policies and agreements. The City Administrator must evaluate the ordinance every three years and provide a report describing the City's implementation of the Privacy First Policy, new dimensions of data collection that may threaten privacy, and make recommendations to improve the ordinance.
Applicability and Scope. The Privacy First Policy applies to (1) the City itself, including officials, departments, commissions and boards; (2) third parties who enter into contracts, grants or leases with the city; (3) City contractors and lease holders; and (4) all who hold City-issued licenses, permits or other entitlements. The ordinance may also extend to all persons (including businesses and other entities) within the City.
Potential Challenges and Conflicts. The measure is not itself a law, but rather establishes guidelines that serve as a precursor for a set of ordinances to be proposed by May 31, 2019. As it stands, the measure is currently nonbinding. The City Administrator will likely come under heavy pressure and scrutiny from companies and industry the City seeks to closely regulate.
The Privacy First Policy may threaten San Francisco's landmark Sunshine Ordinance, a voter-enacted government transparency law.3 A provision included in the measure gives the Board of Supervisors power to amend previous voter-approved ordinances so long as the amendments are "not inconsistent" with the "purpose or intent" of the law. This provision is vague and may enable officials to limit access to government records or change certain aspects of how the ordinance is carried out.
Again, the enactment of strict municipal data protection ordinances may conflict with state and/or federal law. The CCPA goes into effect after the City ordinances are to be proposed and its passage may affect any amendments to the same. Municipalities derive their power to govern from federal sources and state authority so preemption poses a significant threat. US Businesses continue to be caught in a waiting or lobbying game as they watch ballot initiatives and local legislatures act within the vacuum that is data collection and transparency in the US. In the meantime, the GDPR, continues to gather momentum.
San Francisco will not be the last or the only municipality to adopt data privacy principles and ordinances. The definition of Personal Information, as memorialized by the GDPR, appears to be finding harmony in the United States. Companies should continue to evaluate their use of data and Personal Information and understand, as an organization, how they collect and analyze that data. While the minutia will change in the application and scope of these local laws and policies, the overall effects are becoming more and more predictable and US companies should be mindful.
1 Available at https://sfgov.legistar.com/View.ashx?M=F&ID=6401403&GUID=1C71D0AC-5EF1-4BE3-947A-AE5D0C53B560
2 See Board of Supervisor’s Comment at http://www.marinatimes.com/2018/08/this-november-put-your-privacy-first
3 See Full Legislation at
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm of approximately 750 lawyers practicing throughout a network of 14 offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy and technology sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.