Internet companies and privacy advocates appear headed for a fight over a proposal to broaden California's so-called Shine the Light Law, which requires online companies to disclose to consumers how their personal information is used.
The so-called "Right to Know Act" (AB 1291) would also require online companies to give users access to any data compiled on them.
Privacy groups say the new bill would give consumers more visibility into the data collection and sharing habits of online companies they interact with. Some industry groups, however, contend that the proposal is too broad -- and is unworkable.
The new bill, sponsored by Assemblywoman Bonnie Lowenthal (D-Long Beach), would broaden the provisions of the 10-year-old Shine the Light Law, which requires disclosure of how personal consumer information is used and how it is shared for direct marketing purposes. Lowenthal's bill also requires that online companies provide consumers who ask with specific details on how their personal information is shared with data brokers, online advertisers and application vendors.
Under the proposed law, individual consumers could ask Internet companies like Google and Facebook once a year for a complete accounting of how their data is being collected and used.
The bill gives companies a safe harbor if they take adequate measures to anonymize consumer data before storing or sharing it. In addition, if an online company cannot reasonably link a data profile to a specific person, it would not be obligated to respond to a data disclosure request.
The Right to Know Act helps bring some transparency to how online companies collect and use consumer information, said Rainey Reitman, activism director at the Electronic Frontier Foundation.
The EFF supports the proposed bill.
Most Internet users today are unaware of how much of their personal information is routinely gathered and shared by Internet companies, Reitman said. The proposed legislation would give consumers a view of that, she said.
The law imposes no restrictions on information collection, sharing or selling.
It would not require Internet companies to change current data collection, sharing, storage or security processes, Reitman said. In fact, the provisions contained in the bill are similar to data disclosure laws in Europe, laws that many American online firms must already comply with, she noted.
The bill also provides much flexibility to online firms, said Chris Conley, technology and civil liberties fellow at the American Civil Liberties Union (ACLU) of Northern California.
For instance, instead of having to respond to individual data disclosure queries, an online firm could simply provide just-in-time notices to consumers. The notices could inform consumers of what data of theirs is being collected at a specific moment, and with whom it is being shared, he said.
The bill also lets online companies provide information on consumer profiles that are "reasonably available" to them. They will not have to search for, or provide access to, profiles buried deep in a faraway database, he said.
The response from industry to the proposed bill -- the first of its kind in the country -- has been decidedly mixed, Conley said. While some Internet companies view it as an opportunity to pitch privacy-friendly practices, others view it as onerous and impractical, he said.
In a letter to Lowenthal last week, the California Chamber of Commerce and several other organizations called the bill "unworkable" and based on "mistaken assumptions of how the Internet works."
In the letter, the Chamber contends that the law expands the definition of "personal information" to include not just individuals but also any attributes that might be used to identify a specific device. "It would specifically reach IP addresses and device identifiers, as well as information that could be associated with that information," the Chamber said.
The bill would also require that businesses provide consumers with free access to, or copies of, an "amorphous" range of information on them in a personalized or standardized format, the letter said. Users could not be identified or authenticated based solely on an IP address or device identifier, the Chamber added.
Requiring that Internet companies provide the names and addresses of each entity with whom consumer information -- as described under the act -- is shared is also impractical, because of the manner in which IP address and device identifier information is sometimes automatically forwarded on the Internet, the Chamber said.
"Californians would be deluged with disclosures each time an IP address, device identifier, or other information on the bill's very long list of personal information was disclosed automatically or through a conscious decision by the business," it said.
In an email, Robert Callahan, director of state government affairs at TechAmerica, expressed "high-level concerns" about the bill.
"In addition to several of its provisions being unworkable from a compliance standpoint for tech companies, the new language specifically states that any violation of the law will constitute injury to consumer, opening the door wide open for abusive lawsuits," he said.
The bill is scheduled for a hearing in the state legislature sometime later this month, he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.