SF Prop B
Data Protection Guidelines
City Privacy Guidelines
Puts forward guidelines that any city department or the Board of Supervisors could enact to protect privacy in the collection, storage and sharing of personal information of San Francisco residents and visitors.
What the Measure Would Do
Prop. B would amend San Francisco’s charter to put forth a set of 11 data privacy guidelines that aim to protect personal information that is collected about people living in or visiting San Francisco. Covered information would include name, address, physical description, banking information, Social Security number and geolocation, among other data.
The 11 guidelines would offer a nonbinding reference for the city in considering future privacy laws and regulations, as well as requirements for contractors, grantees or other parties who receive permits, licenses or entitlements from the city. The measure would also require the city administrator to submit criteria for the city’s own collection, storage, use and sharing of personal information to the Board of Supervisors by March 31, 2019.
Under the guidelines: personal information would only be collected, stored or shared for authorized purposes; consent would be required to gather or share personal information; no one would be denied services or products if they didn’t give consent to collect their information; and everyone would be given the chance to see and correct their personal information, among other requirements.
This proposed charter amendment was introduced in July 2018 amid recent scrutiny over personal data privacy related to Facebook and other companies, as well as global conversations about data privacy in the wake of the European Union’s recently adopted General Data Protection Regulation (GDPR).
Prop. B’s proposed guidelines are similar to the rules in the California Consumer Privacy Act, which was signed into law in June 2018, in time to negotiate the removal of a more stringent state initiative that would have appeared on the November state ballot. California’s recently passed law is the strongest data privacy law in the United States, inspired by the EU’s GDPR. The California state law will take effect in 2020 and requires businesses to disclose what personal information they collect and for what business purpose, to delete data at a consumer’s request and to allow consumers to opt out of the sale of their data without consequence or charges. It also fines companies that don’t comply.
The original version of Prop. B included stronger, more prescriptive language than what was finalized. Negotiation with technology companies and others resulted in a policy that would only provide nonbinding guidance for future data privacy legislation.
This measure was placed on the ballot by a 9 to 0 vote of the Board of Supervisors. As a charter amendment, it must be on the ballot and requires a simple majority (50 percent plus one vote) to pass.
• This measure recognizes a widely shared desire to better regulate the collection, storage, sharing and selling of personal information, especially when people do not know about or consent to their information being collected or shared. It also acknowledges the sweeping effects technology practices can have, as exemplified by the recent use of personal Facebook information by the third-party firm Cambridge Analytica in the lead-up to the 2016 presidential election.
• In addition to regulating data collection, storage and sharing by third parties, this measure includes City of San Francisco government agencies to ensure that government is good actor in consumer data privacy.
• The state or federal level is a better place to achieve the goal of protecting the privacy of personal information. For example, California’s recent law ensures wider predictability for entities that operate across multiple cities in the state.
• This nonbinding measure would not have an enforceable impact on the city’s collection of personal data. Because it is a set of guidelines only, it could result in different city departments adopting different or conflicting policies.
• This measure does not need to be on the ballot. Should the City of San Francisco want to enact its own policies and practices regarding the collection, storage and sharing of personal information, the Board of Supervisors could do so without going to the voters and amending the City Charter.
Recent events in the United States and elsewhere demonstrate the need to regulate how personal data is collected, stored and used — and government should be proactive in protecting citizens as technology evolves. This measure seeks to be forward-thinking and comprehensive, and including government agencies in the regulation is a worthy expansion of the current scope of California’s new law around data privacy. However, SPUR believes that either the state or federal level is the more appropriate scale for regulating the collection and use of personal information, particularly for creating consistent rules for companies that operate across city boundaries. Prop. B is set at too small a scale to accomplish its stated intent.