No on San Francisco Proposition B

Proposition B sets non-binding data privacy guidelines for San Francisco government and companies with which it works.

The Privacy First Policy proposed by Prop B follows in the footsteps of the European Union’s General Data Protection Regulation (GDPR), which changed how virtually every company on the planet manages data about its users. That’s because GDPR applies to EU citizens regardless of where they are, so even companies that only operate in San Francisco could be subject.

Cities establishing their own such policies set a dangerous precedent. GDPR compliance is no small feat: from tech giants (such as YouTube where I worked when GDPR took effect) to startups, every tech company I’m aware of spent considerable effort parsing the specific legal language to avoid penalties. If every US state had its own version, each with their own tweaks, compliance would be a major challenge. In all likelihood, some of these regulations would conflict with each other, pushing companies into long court battles to adjudicate how they can fit together.

Data privacy should be regulated by countries, or at most by states, but certainly not by any of the 40,000 local governments in the US.

Even if this were a good idea, it doesn’t belong on the ballot. With San Franciscans voting on 40 races and ballot measures, it forces voters to consider yet another complex topic, which could be legislated by the Board of Supervisors. At first blush to many voters, it will appear more consequential than it is: the only binding element of the measure is a deadline of May 31, 2019 to establish the Privacy First Policy. Like June’s Prop I on courting sports teams, the rest of the measure is toothless.

Prop B risks creating precedent for a complicated web of city-level data privacy regulations, and is a poor use of the ballot process. Vote no.