Risk
4/8/2013
02:02 PM
50%
50%

California Weighs Tough Rules For Data Brokers

Right To Know Act would allow state residents to see full reports from any website, mobile app or data broker who collects personal data about them.

What personal information about you is being bought, sold or shared by online advertisers, data brokers or anyone else who handles consumer data?

A proposed California state law, "The Right to Know Act" (AB 1291), would give consumers the right to receive -- for free -- a copy of all personal data being stored about them by a data broker, website or mobile app provider, as well as a list of all third parties with which that information has been shared.

According to a current draft of the legislation, which was proposed by California State Assembly member Bonnie Lowenthal, the bill would "require any business that has a customer's personal information, as defined, to provide at no charge, within 30 days of the customer's specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer."

According to the American Civil Liberties Union of Northern California, which is backing the legislation, the bill would "modernize current privacy law and give Californians an effective tool to monitor how personal information, including about health, finances, your location, politics, religious, sexual orientation, buying habits and more, is being collected and disclosed in unexpected and potentially harmful ways."

[ Are you willing to trade privacy for a GPS-style map of the mall? See Indoor Location Tracking Has Lost Common Sense. ]

California law already mandates that state residents be allowed to ascertain how some types of personal information about them are being collected. "But this law, which focuses on direct marketing, has been outpaced by rapid changes in technology and data collection and sharing practices," according to a letter written by EFF senior staff attorney Lee Tien in support of the bill.

Lowenthal's law would expand current protections to cover all online and offline information collected and stored by websites, mobile apps and data brokers, including location data. "This law is about transparency and access, not new restrictions on data sharing," said Rainey Reitman, the EFF's activism director, in a blog post. "The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

What's the concern with consumer data collection? By some estimates, data brokers now maintain reports on 500 million consumers, and that data can be combined in sometimes unexpected ways to give advertisers and marketers insights that a person would rather remain private. One oft-repeated example hails from a 2012 New York Times story, in which a statistician working for Target -- who was later instructed to stop talking to the Times reporter -- detailed how the retailer could use people's shopping patterns to ascertain when website visitors were most likely pregnant, for the purpose of enticing them to purchase baby-related products.

To date, data brokers have resisted requests from Congress to detail which types of information they're collecting, storing and sharing on consumers, defending their lack of disclosure by citing, in part, non-disclosure agreements with other businesses and their need to protect trade secrets.

But Reitman suggested affected companies would have little difficulty complying with Lowenthal's proposed information disclosure requirement bill. "This law mimics the rights of data access already available to users in Europe, which means that most of the big tech companies should already have systems in place to facilitate user access," she said.

Regardless, consumer rights groups have long recommended that people who are worried about having their personal information tracked should beware what they share via Facebook, Twitter, blogs or other online forums, as well as participating in telephone surveys and other mechanisms used for collecting consumer data for marketing purposes.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
4/8/2013 | 11:57:06 PM
re: California Weighs Tough Rules For Data Brokers
Reitman's comments about Europe are spot on, and what I came here hoping to see. This won't be impossible. However, it will be inconsistent with practices in the rest of the United States, and cloud service providers of course crave consistency, as rigid standardization helps drive economies of scale and, ultimately, profit.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-8387
Published: 2014-11-20
cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi.

CVE-2014-8493
Published: 2014-11-20
ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to modify the CWMP configuration via a crafted request to Forms/access_cwmp_1.

CVE-2014-8767
Published: 2014-11-20
Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?