California recently introduced "AB-1291 Privacy: Right to Know Act of 2013: disclosure of a customer’s personal information." If enacted, the bill would update California's 2003 "Shine the Light" law (Civil Code Section 1798.80-1798.84) to account for the new data mining technologies and information sharing practices that have proliferated over the past ten years. According to the bill's sponsor Assemblymember Bonnie Lowenthal, "AB 1291 expands the definition of personal information to include sensitive data, such as location, buying habits, and sexual orientation. By modernizing the requirements, consumers have a right to know not just how their basic information may have been used for junk mail, but also how it's collected and shared with data brokers, advertisers, and others."
The 2003 "Shine the Light" law enabled California residents to find out how businesses utilize their personal information. In general, the law requires most companies (except federal financial institutions and those with fewer than 20 employees) that do business with California residents to either disclose how personal information is being shared for direct marketing purposes or allow customers to opt out of information sharing. The law gives Californians the right, once a calendar year and free of charge, to obtain the type of personal data that a business has disclosed to third parties for direct marketing activities and the names and contact information of all third parties that received the personal data.
Since 2003, data mining and behavioral advertising have proliferated beyond what many may have envisioned when the "Shine the Light" law was enacted. To rein in some of these practices, a coalition of privacy organizations is advocating updating the law to account for new technologies. According to the Wall Street Journal, there has been significant industry backlash against updating the 2003 law.
The Right To Know Act's general principles appear to follow the European Union's philosophy that its citizens have a right to require companies doing business with them to provide them with the type of information that is being collected about them. Europe's privacy laws generally provide its citizens more control than the U.S. over how personal data may be utilized. This was demonstrated when six EU data protection authorities recently initiated coordinated enforcement measures against Google for failing to fix alleged flaws in its 2012 privacy policy update. Google's privacy policy change, along with Austrian law student Max Schrems's experience with Facebook, may have sparked the decision to introduce the Right to Know Act.
Earlier this year, NBC News reported that Equifax has a database that contains almost 200 million employment and salary records that cover more than a third of all U.S. adults. Some of these records may include week-by-week pay stub information. While it may be troubling that Equifax has acquired this detailed information, at least under the Fair Credit Reporting Act consumers are able to obtain a report once a year about the data that is being collected about them.
Personal privacy may be further damaged by the new partnership between Facebook and data brokers Acxiom, Epsilon, and Datalogix that is designed to better monetize the content of their users. The FTC is so concerned about some of the practices of data brokers that late last year it announced that it is studying how the industry collects and utilizes consumer data. In what might be an effort to ward off potential future regulation, Acxiom recently announced it was planning a service to allow consumers to obtain their personal files.
Should advertisers be able to analyze your personal emails and/or your personal files in the cloud and utilize the information for behavioral advertising and/or combine this information with other digital and/or real world data across multiple platforms to create personal user profiles that may be accessed not only by marketers but also by insurance companies, banks, law enforcement, etc.? What if, due to the types of ads that are processed on a particular email account, a company is able to make an inference about one's sexual orientation, race, religion, etc., and this inference is utilized for discriminatory purposes?
The intentions of the law are noble; however, due to the way the bill is currently drafted it may lead to some unintended compliance costs for businesses. Therefore, I believe the California state legislature should work to find common ground between supporters and opponents of the bill that would increase transparency for consumers without creating an economic hardship on the business community.
To learn more about these issues you may contact me at www.shearlaw.com.
Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.