California, which set the standard for data breach notifications nationwide, is again seeking to set a precedent by becoming the first state in the nation to require companies upon request disclose to California consumers the data they’ve collected and to whom it was shared during the past year. They would be required to respond within 30 days and provide the report for free.
Known as the “Right to Know Act of 2013,” AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. If passed, it would require any business that retains customer data to give a copy of that information, including who it has been shared with, for the past year upon request. It applies to companies that are both on- and offline.
Privacy advocacy groups such as the San Francisco-based Electronic Frontier Foundation wrote Tuesday that the bill could set a precedent for other states, much as California’s 2002 Breach Nofication Act requiring California data breach victims be notified was later replicated by almost all U.S. states.
“Under current California law, customers can contact companies and ask for an accounting of disclosures for direct marketing purposes—basically, a list of what companies got your personal data for them to send you junk mail, spam, or call you on the phone—and general facts about what types of data were disclosed,” EFF Activism Director Rainey Reitman wrote.
“The new proposal brings California’s outdated transparency law into the digital age, making it possible for California consumers to request an accounting of all the ways their personal information is being trafficked—including with online advertisers, data brokers and third-party apps.”
Proponents of the bill say it provides a level of data sharing enjoyed in some other parts of the world, but caution that it doesn’t demand additional security measures around data storage. However, passage could impact how companies handle identifiable data they collect in the course of doing business. For instance, they could anonymize more data so it isn’t linked to a specific consumer or only retain necessary information for transactions.
To reduce the costs of compliance, companies may also elect to disclose how submitted information is treated prior to the transaction, thus meeting the letter of the law, Reitman said.