Risk
4/8/2013
02:02 PM
50%
50%

California Weighs Tough Rules For Data Brokers

Right To Know Act would allow state residents to see full reports from any website, mobile app or data broker who collects personal data about them.

What personal information about you is being bought, sold or shared by online advertisers, data brokers or anyone else who handles consumer data?

A proposed California state law, "The Right to Know Act" (AB 1291), would give consumers the right to receive -- for free -- a copy of all personal data being stored about them by a data broker, website or mobile app provider, as well as a list of all third parties with which that information has been shared.

According to a current draft of the legislation, which was proposed by California State Assembly member Bonnie Lowenthal, the bill would "require any business that has a customer's personal information, as defined, to provide at no charge, within 30 days of the customer's specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer."

According to the American Civil Liberties Union of Northern California, which is backing the legislation, the bill would "modernize current privacy law and give Californians an effective tool to monitor how personal information, including about health, finances, your location, politics, religious, sexual orientation, buying habits and more, is being collected and disclosed in unexpected and potentially harmful ways."

[ Are you willing to trade privacy for a GPS-style map of the mall? See Indoor Location Tracking Has Lost Common Sense. ]

California law already mandates that state residents be allowed to ascertain how some types of personal information about them are being collected. "But this law, which focuses on direct marketing, has been outpaced by rapid changes in technology and data collection and sharing practices," according to a letter written by EFF senior staff attorney Lee Tien in support of the bill.

Lowenthal's law would expand current protections to cover all online and offline information collected and stored by websites, mobile apps and data brokers, including location data. "This law is about transparency and access, not new restrictions on data sharing," said Rainey Reitman, the EFF's activism director, in a blog post. "The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

What's the concern with consumer data collection? By some estimates, data brokers now maintain reports on 500 million consumers, and that data can be combined in sometimes unexpected ways to give advertisers and marketers insights that a person would rather remain private. One oft-repeated example hails from a 2012 New York Times story, in which a statistician working for Target -- who was later instructed to stop talking to the Times reporter -- detailed how the retailer could use people's shopping patterns to ascertain when website visitors were most likely pregnant, for the purpose of enticing them to purchase baby-related products.

To date, data brokers have resisted requests from Congress to detail which types of information they're collecting, storing and sharing on consumers, defending their lack of disclosure by citing, in part, non-disclosure agreements with other businesses and their need to protect trade secrets.

But Reitman suggested affected companies would have little difficulty complying with Lowenthal's proposed information disclosure requirement bill. "This law mimics the rights of data access already available to users in Europe, which means that most of the big tech companies should already have systems in place to facilitate user access," she said.

Regardless, consumer rights groups have long recommended that people who are worried about having their personal information tracked should beware what they share via Facebook, Twitter, blogs or other online forums, as well as participating in telephone surveys and other mechanisms used for collecting consumer data for marketing purposes.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
4/8/2013 | 11:57:06 PM
re: California Weighs Tough Rules For Data Brokers
Reitman's comments about Europe are spot on, and what I came here hoping to see. This won't be impossible. However, it will be inconsistent with practices in the rest of the United States, and cloud service providers of course crave consistency, as rigid standardization helps drive economies of scale and, ultimately, profit.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7421
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.

CVE-2014-8160
Published: 2015-03-02
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disall...

CVE-2014-9644
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-201...

CVE-2015-0239
Published: 2015-03-02
The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYS...

CVE-2014-8921
Published: 2015-03-01
The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Window Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by c...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.