clock menu more-arrow no yes mobile

Filed under:

California bill would require companies to tell you what personal data they're storing or selling

New, 6 comments
facebook mobile sponsored stories ads
facebook mobile sponsored stories ads

One of the basic bargains we've struck in modern society is that "free" tools and convenience are often paid for with personal information: Facebook, for example, targets ads using consumer information bought from offline loyalty programs in addition to its own massive data farm. And while European data protection laws give citizens options for seeing what advertisers know about them, most Americans have no such options. That's what California Assemblymember Bonnie Lowenthal hopes to fix with the California Right to Know Act of 2013, a bill that would require companies who keep sensitive personal data like buying habits or location information to disclose it to users on demand.

California already has a similar consumer protection law in place: if a company sells information to someone else for direct marketing purposes like mailings or telephone calls, a consumer can request both a list of companies that have been sold that information and a summary of what data categories ("names of children," "name and address," "religion," and "weight" are a few) went to them. As Lowenthal points out, though, the law was designed with junk mail in mind, not large-scale data trading for advertising or startups that frequently err on the side of collecting more than they need.

The old law was designed with junk mail in mind, not large-scale targeted advertising or slipshod startups

Accordingly, instead of focusing on companies that sell to direct marketers, the bill targets anyone who stores information after it's initially collected. It also adds new internet-specific categories of personal information, including browsing history, user-generated content like photos or text posts, and location data. If asked, a company must provide all relevant stored or sold information from the past year within 30 days. Companies that don't keep data, or that anonymize it to the extent that it cannot be linked to a particular person, won't have to report.

The Right to Know Act of 2013 was introduced first in late February, but it kept a low profile until very recently. At the start of April, it was softened slightly in an amendment and re-referred to California's Judiciary Committee, after which it started becoming widely reported. While the ACLU and EFF have recently come out in support, we fully expect an opposition to start mobilizing as well, as companies fight to keep their obligations as minimal as possible.