Vote on landmark privacy expansions in California this year depends on signatures, deadlines

Less than a month before the deadline to allow a landmark privacy law to go before California voters in November, the validation process for the signatures submitted to election officials remains too close to call and may come down to the final hours.

Even though proponents of the California Privacy Rights Act delivered 931,002 raw signatures as of Thursday to election officials — well over the minimum 623,212 threshold needed to qualify an initiative for the statewide ballot — there is a significant chance those signatures won’t be validated in time to meet the June 25 legal deadline to qualify for the November 2020 ballot.

If that happens, the privacy initiative, which would create the first US stand-alone privacy regulator, couldn’t go to the voters until the end of 2022.

“If an initiative clears signature verification after June 25, 2020, it will appear on California’s November 2022 General Election ballot," said Sam Mahood, the press secretary to California Secretary of State Alex Padilla.

That would be a surprise for the privacy community, which is already hosting webinars and posting blogs about the CPRA under the assumption it will go to the voters and pass in November. Polls suggest that if the measure reaches the state’s voters this year, it is likely to pass. The ballot initiative would require companies to move beyond the California Consumer Privacy Act, which took effect Jan. 1 and which would be supplanted by the new California Privacy Rights Act.

Californians for Consumer Privacy, which said it was confident it had enough signatures to get the measure on the ballot this year when it submitted them May 4, didn't respond to multiple e-mails and telephone calls from MLex over several days about the possibility of a delay in the ballot measure.

If the measure fails to reach voters this year, it would be yet another casualty of the civic disruption of the Covid-19 pandemic, which forced proponents to change their signature strategy and ultimately left them about 70,000 signatures short of their stated goal of getting 1 million signatures.

There are several reasons for uncertainty about whether the measure, which would create easily the most sweeping privacy law in US history, will make it to voters this year.

Because some signatures will inevitably be invalid, ballot-measure proponents aim to gather 30 to 40 percent more signatures than the minimum threshold. The California privacy measure appears to have gathered enough signatures to reach the ballot — someday. But it is right on the edge of qualifying this year because of the nature of the validation process.

— Initiative math —

To qualify a measure for the ballot, proponents need to gather the signatures of 5 percent of the Californians who voted in the most recent gubernatorial election, with a minimum threshold of 623,212 signatures. Because of the limited time until the June 25 deadline, California counties are racing to use statistical sampling of the signatures to project how many are valid.

Using sampling means the measure must hit 110 percent of that threshold, or 685,534 signatures, for the privacy measure to reach the ballot this year. That means that at least 73.6 percent of the 931,002 raw signatures delivered to election officials must be ruled valid.

Failing to reach the higher 110-percent threshold would require election officials to verify one-by-one all of the signatures, a time-consuming process that can't be completed by June 25.

Complicating that picture is the fact that the timing of when privacy proponents submitted their signatures has led to a June 26 deadline to complete the random sampling — one day after the legal deadline to qualify the measure for the Nov. 3 ballot. Two other measures vying for a place on the November 2020 ballot have sampling deadlines ahead of the privacy initiative, meaning election officials will have to complete their sampling of those signatures first.

Elections officials could still beat the deadline. In most cases, they do. But none of the election officials contacted by MLex from larger counties, including Los Angeles County, San Diego County or San Francisco County, would promise — or could even forecast — they would beat the June 26 deadline.

Michael Vu, the registrar of voters for San Diego County, told MLex that election officials are focused on verifying the roughly 103,000 privacy initiative signatures collected in that county — the second largest total after Los Angeles County. But Vu said he could only promise San Diego would meet the June 26 sampling deadline.  “There are many factors that can impact the verification of a petition, and so it is difficult to gauge when we will complete this particular petition,” he said.

— Los Angeles is key —

As with so many things in California, the final say is likely to rest with Los Angeles County — by far the most populous county in the US and the source of nearly one-third of the raw signatures collected by the privacy initiative.

That's problematic for the privacy initiative for two reasons. One is that Los Angeles County has almost always had a lower rate of valid signatures than the state overall on ballot measures since 2018. Its rate of valid signatures has several times been lower than the 73.6 percent rate the privacy measure needs in the state to qualify through random sampling.

In eight recent ballot measures which have qualified or are vying to qualify for the 2020 ballot, the average validity rate for the state was 76.1 percent but just 73.9 percent for Los Angeles County, records kept by the Secretary of State show.

Los Angeles County has also frequently come close to missing the random-sampling deadline. In a ballot measure involving taxation of commercial property last fall, Los Angeles didn’t complete its sampling until the day of the Oct. 15 deadline to submit the numbers to the Secretary of State. The deadline for completing the sampling  is a day later than the deadline for getting the measure on the November ballot, so if the county uses all the time at its disposal, its signatures won't count.

“When you add all that together, it’s a really, really close call. I would say it’s right on the edge” to qualify for the November ballot, said Dan Clarke, president of IntraEdge Products and Solutions, who closely monitors state privacy laws. The company’s Truyo privacy platform provides compliance services for data privacy laws, and Clarke has been asked to testify on privacy legislation before the Texas legislature.

Although Californians for Consumer Privacy announced May 4 it was submitting its signatures for verification, some didn’t arrive with county election officials until May 8, the secretary of state’s records show. The counties didn’t submit all their raw signatures to the secretary of state until May 13. The secretary of state issued its order the following day to the counties to begin the 30-working-day clock for the sampling check.

Even if the measure qualifies, the sampling process is likely to go down to the final days. The secretary of state reported that as of last night, 22 of the 58 counties have completed their sampling checks for the privacy measure, bringing the total verified signatures to 134,534.

That list includes only three relatively big counties, San Bernardino County, Santa Clara County and Sacramento County. In those more heavily populated counties, 82.9 percent of San Bernardo signatures were valid, 81.5 percent of Santa Clara signatures were valid, and 71.4 percent of Sacramento signatures were valid.

Overall, of the counties that have completed their sampling, 79.84 percent of the signatures have been found valid, a bit ahead of the 73.6 percent rate the privacy measure needs.

— Few signatures from Silicon Valley —

Relatively few signatures were gathered in Silicon Valley and the rest of the San Francisco Bay Area and Northern California, where the tech industry is concentrated. San Mateo County — home to Facebook — accounted for just 4,761 raw signatures, and San Francisco, home to Twitter and many other tech startups, had 11,213 signatures.

The sparse totals in Northern California will magnify the influence of southern counties such as Orange County and Riverside County, which each produced more than 55,000 signatures, as well as the kingpin counties of Los Angeles and San Diego.

There is still a risk that proponents haven’t collected enough valid signatures to get the privacy initiative on the ballot at all because they were forced to stop collecting signatures when the Covid-19 pandemic intensified in March. But that risk appears to be fading.

To qualify for the ballot at all, 66.9 percent of the 931,002 raw signatures will have to prove valid.

So far, no county has found less than 70 percent of its signatures were valid, even rural Modoc County in far northeastern California, where just 10 signatures were collected.

As long as that rate holds up in densely populated Southern California, the initiative should make it to the voters. Someday. The question is when.

—With assistance from Amy Miller in San Francisco.