CA Data Disclosure Act Possible

Wednesday, April 3, 2013 @ 03:04 PM gHale

California wants to become the first state to require companies upon request to disclose to consumers the data they’ve collected and to whom they shared it with during the past year. They would be required to respond within 30 days and provide the report for free.

Known as the “Right to Know Act of 2013,” AB 1291 ended up amended this week to boost its chances of success after state Assembly member Bonnie Lowenthal introduced it in February.

Slow Fix: DNS Flaw 5 Years Later
Back to Basics: Security 101
Agencies Join in Security Plan
Ensuring Software Security Policies

If passed, it would require any business that retains customer data to give a copy of that information, including who they shared it with, for the past year upon request. It applies to companies that are both on- and offline.

Privacy advocacy groups such as the San Francisco-based Electronic Frontier Foundation (EFF) wrote Tuesday the bill could set a precedent for other states, much as California’s 2002 Breach Notification Act which required California data breach victims be notified ended up replicated by almost all U.S. states.

“Under current California law, customers can contact companies and ask for an accounting of disclosures for direct marketing purposes — basically, a list of what companies got your personal data for them to send you junk mail, spam, or call you on the phone — and general facts about what types of data were disclosed,” said EFF Activism Director Rainey Reitman.

“The new proposal brings California’s outdated transparency law into the digital age, making it possible for California consumers to request an accounting of all the ways their personal information is being trafficked—including with online advertisers, data brokers and third-party apps,” Reitman said.

Proponents of the bill say it provides a level of data sharing enjoyed in some other parts of the world, but caution that it doesn’t demand additional security measures around data storage. However, passage could impact how companies handle identifiable data they collect in the course of doing business. For instance, they could make more data anonymous so it does not link to a specific consumer or only retain necessary information for transactions.

To reduce the costs of compliance, companies may also elect to disclose how submitted information ends up treated prior to the transaction, thus meeting the letter of the law, Reitman said.

“California has a reputation for passing important laws around consumer protection. We’re fortunate to be paving the way when it comes to issues like data breach notification, medical privacy rights, online privacy policy notices, and employment law,” she said. “But what happens in California can prove to have positive benefits for users all over the country (and sometimes the world).”

Leave a Reply

You must be logged in to post a comment.