California Weighs Tough Rules For Data Brokers

Right To Know Act would allow state residents to see full reports from any website, mobile app or data broker who collects personal data about them.

Mathew J. Schwartz, Contributor

April 8, 2013

4 Min Read
Dark Reading logo in a gray background | Dark Reading

What personal information about you is being bought, sold or shared by online advertisers, data brokers or anyone else who handles consumer data?

A proposed California state law, "The Right to Know Act" (AB 1291), would give consumers the right to receive -- for free -- a copy of all personal data being stored about them by a data broker, website or mobile app provider, as well as a list of all third parties with which that information has been shared.

According to a current draft of the legislation, which was proposed by California State Assembly member Bonnie Lowenthal, the bill would "require any business that has a customer's personal information, as defined, to provide at no charge, within 30 days of the customer's specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer."

According to the American Civil Liberties Union of Northern California, which is backing the legislation, the bill would "modernize current privacy law and give Californians an effective tool to monitor how personal information, including about health, finances, your location, politics, religious, sexual orientation, buying habits and more, is being collected and disclosed in unexpected and potentially harmful ways."

[ Are you willing to trade privacy for a GPS-style map of the mall? See Indoor Location Tracking Has Lost Common Sense. ]

California law already mandates that state residents be allowed to ascertain how some types of personal information about them are being collected. "But this law, which focuses on direct marketing, has been outpaced by rapid changes in technology and data collection and sharing practices," according to a letter written by EFF senior staff attorney Lee Tien in support of the bill.

Lowenthal's law would expand current protections to cover all online and offline information collected and stored by websites, mobile apps and data brokers, including location data. "This law is about transparency and access, not new restrictions on data sharing," said Rainey Reitman, the EFF's activism director, in a blog post. "The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

What's the concern with consumer data collection? By some estimates, data brokers now maintain reports on 500 million consumers, and that data can be combined in sometimes unexpected ways to give advertisers and marketers insights that a person would rather remain private. One oft-repeated example hails from a 2012 New York Times story, in which a statistician working for Target -- who was later instructed to stop talking to the Times reporter -- detailed how the retailer could use people's shopping patterns to ascertain when website visitors were most likely pregnant, for the purpose of enticing them to purchase baby-related products.

To date, data brokers have resisted requests from Congress to detail which types of information they're collecting, storing and sharing on consumers, defending their lack of disclosure by citing, in part, non-disclosure agreements with other businesses and their need to protect trade secrets.

But Reitman suggested affected companies would have little difficulty complying with Lowenthal's proposed information disclosure requirement bill. "This law mimics the rights of data access already available to users in Europe, which means that most of the big tech companies should already have systems in place to facilitate user access," she said.

Regardless, consumer rights groups have long recommended that people who are worried about having their personal information tracked should beware what they share via Facebook, Twitter, blogs or other online forums, as well as participating in telephone surveys and other mechanisms used for collecting consumer data for marketing purposes.

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights