Privacy groups are rallying behind a proposed California law that would require online businesses operating in the state to provide consumers with an accounting of all the information the company has on them and with whom it has been shared.
The bill is called the "Right to Know Act" (AB 1291) and is sponsored by California Assembly member Bonnie Lowenthal (D-Long Beach). It seeks to broaden the provisions of California's "Shine the Light Law," which requires companies to disclose to consumers how their personal information is being used and shared for direct marketing purposes.
Lowenthal's bill adds new language that will require companies to give consumers access to any personal data it has collected on them. It would also require online companies to provide consumers who ask with specific details on how their personal information is being shared, not just with direct marketers but also with data brokers, online advertisers and application vendors.
Under the law, consumers will have the right to ask Internet companies such as Google and Facebook for a complete accounting of how their data is being collected and used, a maximum of once each year.
Companies will not be obligated to respond to consumer data disclosure requests if they do not collect or store personal data. They also have safe harbor if they take adequate measures to anonymize consumer data before storing or sharing it. In addition, if an online company cannot reasonably link a data profile to the specific person making the request, the company will not be obligated to respond to a data disclosure request.
The Right to Know Act helps brings some transparency to how Internet user information is collected and shared with third parties, said Rainey Reitman, activism director at the Electronic Frontier Foundation. The EFF is an ardent supporter of the proposed bill.
Most Internet users have very little knowledge about the enormous amounts of personal information that is being routinely gathered and shared about them by Internet companies, Reitman said. The proposed bill will give consumers a better view of not only what information is being shared but also what is being collected and stored, she said.
The law imposes no restrictions on information collection, sharing or selling. It will not require Internet companies to make any changes to their data collection, sharing, storage or security processes, Reitman said. In fact, the provisions contained in the bill are similar to data disclosure laws in Europe that U.S. online companies already must comply with, she noted.
The bill gives online companies plenty of flexibility in terms of compliance, said Chris Conley, technology and civil liberties fellow at the American Civil Liberties Union (ACLU) of Northern California.
For instance, instead of having to implement new processes for responding to individual consumer data disclosure queries, an online company could simply choose to provide just-in-time notices to consumers. Such notices can be used to inform consumers precisely what data of theirs is being collected at a specific moment and with whom it is being shared, he said.
Online companies will also only be required to provide information on consumer profiles that are "reasonably available" to them. They will not have to search for or provide access to data profiles that might be buried in a database, he said.
The industry response to the bill -- the first of its kind in the country -- has been decidedly mixed so far, Conley said. While some Internet companies view it as an opportunity to pitch their privacy friendly practices, others view it as onerous and impractical, he said.
The bill is scheduled for a hearing in the state legislature sometime later this month, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.