Risk
4/8/2013
02:02 PM
Connect Directly
RSS
E-Mail
50%
50%

California Weighs Tough Rules For Data Brokers

Right To Know Act would allow state residents to see full reports from any website, mobile app or data broker who collects personal data about them.

What personal information about you is being bought, sold or shared by online advertisers, data brokers or anyone else who handles consumer data?

A proposed California state law, "The Right to Know Act" (AB 1291), would give consumers the right to receive -- for free -- a copy of all personal data being stored about them by a data broker, website or mobile app provider, as well as a list of all third parties with which that information has been shared.

According to a current draft of the legislation, which was proposed by California State Assembly member Bonnie Lowenthal, the bill would "require any business that has a customer's personal information, as defined, to provide at no charge, within 30 days of the customer's specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer."

According to the American Civil Liberties Union of Northern California, which is backing the legislation, the bill would "modernize current privacy law and give Californians an effective tool to monitor how personal information, including about health, finances, your location, politics, religious, sexual orientation, buying habits and more, is being collected and disclosed in unexpected and potentially harmful ways."

[ Are you willing to trade privacy for a GPS-style map of the mall? See Indoor Location Tracking Has Lost Common Sense. ]

California law already mandates that state residents be allowed to ascertain how some types of personal information about them are being collected. "But this law, which focuses on direct marketing, has been outpaced by rapid changes in technology and data collection and sharing practices," according to a letter written by EFF senior staff attorney Lee Tien in support of the bill.

Lowenthal's law would expand current protections to cover all online and offline information collected and stored by websites, mobile apps and data brokers, including location data. "This law is about transparency and access, not new restrictions on data sharing," said Rainey Reitman, the EFF's activism director, in a blog post. "The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

What's the concern with consumer data collection? By some estimates, data brokers now maintain reports on 500 million consumers, and that data can be combined in sometimes unexpected ways to give advertisers and marketers insights that a person would rather remain private. One oft-repeated example hails from a 2012 New York Times story, in which a statistician working for Target -- who was later instructed to stop talking to the Times reporter -- detailed how the retailer could use people's shopping patterns to ascertain when website visitors were most likely pregnant, for the purpose of enticing them to purchase baby-related products.

To date, data brokers have resisted requests from Congress to detail which types of information they're collecting, storing and sharing on consumers, defending their lack of disclosure by citing, in part, non-disclosure agreements with other businesses and their need to protect trade secrets.

But Reitman suggested affected companies would have little difficulty complying with Lowenthal's proposed information disclosure requirement bill. "This law mimics the rights of data access already available to users in Europe, which means that most of the big tech companies should already have systems in place to facilitate user access," she said.

Regardless, consumer rights groups have long recommended that people who are worried about having their personal information tracked should beware what they share via Facebook, Twitter, blogs or other online forums, as well as participating in telephone surveys and other mechanisms used for collecting consumer data for marketing purposes.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
J. Nicholas Hoover
50%
50%
J. Nicholas Hoover,
User Rank: Apprentice
4/8/2013 | 11:57:06 PM
re: California Weighs Tough Rules For Data Brokers
Reitman's comments about Europe are spot on, and what I came here hoping to see. This won't be impossible. However, it will be inconsistent with practices in the rest of the United States, and cloud service providers of course crave consistency, as rigid standardization helps drive economies of scale and, ultimately, profit.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio