Risk
4/8/2013
02:02 PM
Connect Directly
RSS
E-Mail
50%
50%

California Weighs Tough Rules For Data Brokers

Right To Know Act would allow state residents to see full reports from any website, mobile app or data broker who collects personal data about them.

What personal information about you is being bought, sold or shared by online advertisers, data brokers or anyone else who handles consumer data?

A proposed California state law, "The Right to Know Act" (AB 1291), would give consumers the right to receive -- for free -- a copy of all personal data being stored about them by a data broker, website or mobile app provider, as well as a list of all third parties with which that information has been shared.

According to a current draft of the legislation, which was proposed by California State Assembly member Bonnie Lowenthal, the bill would "require any business that has a customer's personal information, as defined, to provide at no charge, within 30 days of the customer's specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer."

According to the American Civil Liberties Union of Northern California, which is backing the legislation, the bill would "modernize current privacy law and give Californians an effective tool to monitor how personal information, including about health, finances, your location, politics, religious, sexual orientation, buying habits and more, is being collected and disclosed in unexpected and potentially harmful ways."

[ Are you willing to trade privacy for a GPS-style map of the mall? See Indoor Location Tracking Has Lost Common Sense. ]

California law already mandates that state residents be allowed to ascertain how some types of personal information about them are being collected. "But this law, which focuses on direct marketing, has been outpaced by rapid changes in technology and data collection and sharing practices," according to a letter written by EFF senior staff attorney Lee Tien in support of the bill.

Lowenthal's law would expand current protections to cover all online and offline information collected and stored by websites, mobile apps and data brokers, including location data. "This law is about transparency and access, not new restrictions on data sharing," said Rainey Reitman, the EFF's activism director, in a blog post. "The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

What's the concern with consumer data collection? By some estimates, data brokers now maintain reports on 500 million consumers, and that data can be combined in sometimes unexpected ways to give advertisers and marketers insights that a person would rather remain private. One oft-repeated example hails from a 2012 New York Times story, in which a statistician working for Target -- who was later instructed to stop talking to the Times reporter -- detailed how the retailer could use people's shopping patterns to ascertain when website visitors were most likely pregnant, for the purpose of enticing them to purchase baby-related products.

To date, data brokers have resisted requests from Congress to detail which types of information they're collecting, storing and sharing on consumers, defending their lack of disclosure by citing, in part, non-disclosure agreements with other businesses and their need to protect trade secrets.

But Reitman suggested affected companies would have little difficulty complying with Lowenthal's proposed information disclosure requirement bill. "This law mimics the rights of data access already available to users in Europe, which means that most of the big tech companies should already have systems in place to facilitate user access," she said.

Regardless, consumer rights groups have long recommended that people who are worried about having their personal information tracked should beware what they share via Facebook, Twitter, blogs or other online forums, as well as participating in telephone surveys and other mechanisms used for collecting consumer data for marketing purposes.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
4/8/2013 | 11:57:06 PM
re: California Weighs Tough Rules For Data Brokers
Reitman's comments about Europe are spot on, and what I came here hoping to see. This won't be impossible. However, it will be inconsistent with practices in the rest of the United States, and cloud service providers of course crave consistency, as rigid standardization helps drive economies of scale and, ultimately, profit.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.