Digital rights advocates in California may soon be able to put a tally mark in the “win” column, with the announcement that a new proposal may expose the secretive underground world of digital data exchanges.
Known as the Right To Know Act (AB 1291), the new proposal would require a company to give users access to the personal data the company has stored on them. The bill would also require companies to disclose, when requested by a customer, with whom they have shared users’ personal data. In addition to personal data, companies are also selling a person’s habits, interests and more.
The bill is sponsored by many civil liberties groups, the Electronic Frontier Foundation (EFF) and the ACLU of Northern California, domestic violence advocates, consumer protection groups, and sexual health and women’s rights groups. The new law would only cover California residents and would apply to all companies, and is intended to expose how companies gather and share a customer’s personal data, such as their name, addresses, habits, likes, interests, sexual information and more. The full extent of the information shared with these companies is not known.
Though the EFF applauds what the bill does, the group notes that the new law would not limit or restrict data sharing or provide any additional security measures — it simply allows consumers, regulators and policymakers to be more aware of what kind of information is being shared and how it’s being shared.
As groups like the EFF have reported, legislation like this is needed because it’s estimated data brokers have collected information on about 500 million people, and have thus far refused to name their sources, even when asked via a Congressional inquiry.
Nine large data brokers (Acxiom, Epsilon, Equifax, Experian, Harte-Hanks, Intelius, FICO, Merkle and Meredith Corp) have shared the bare minimum with Congress, as exposing how they collect their information and what kind of information they have could put the billions of dollars they make in revenue each year in jeopardy.
Through what the EFF calls a “crafted response” to Congress, these nine companies shared that they gather their information from sources ranging from permissioned apps to the State Department Terrorist Exclusion list.
Current California law states that a customer can contact a company and ask for disclosures for direct marketing purposes, but the law only requires companies to disclose the general information they shared about you, and the names of the companies they shared it with that sent advertisements in the form of junk mail, spam or via telephone.
The new law would update current law to include information exchanged online, so a customer can know about any information that is being trafficked about them online, including with online advertisers, data brokers and third-party apps.
On its website, the EFF wrote that the new law is not just about knowing what a company is sharing, but knowing what a company is storing about a person. “The new proposal would require companies to make available, free of charge, access to or a copy of the customer’s personal information. That means you the consumer will really know what information a company has about you.
“The Right to Know Act is written specifically to ensure that companies big and small will be able to tell Californians how they’re collecting and sharing your personal data. You ask and they tell you what they have collected, the list of companies they gave your data to, and general facts about what kind of data was handed over (like ‘sexual information’ and ‘address’). However, the law has three important safeguards to make sure that even little startups with limited resources will be able to comply:
— Companies can choose to not store unnecessary data. Or, if they must retain information, they could take protective measures to de-identify user data before retaining or disclosing it. Taking such measures would mean companies would not have to respond to data disclosure requests.
— If a company doesn’t want to respond to individual requests for data disclosures, it can provide you with a notice about what data will be disclosed and to whom — just before or after it happens.
— Companies only have to provide each user an accounting once every 12 months. This safeguards against any repetitive requests.