A new proposal in California, supported by a diverse coalition including EFF and the ACLU of Northern California, is fighting to bring transparency and access to the seedy underbelly of digital data exchanges. The Right to Know Act (AB 1291) would require a company to give users access to the personal data the company has stored on them—as well as a list of all the other companies with whom that original company has shared the users' personal data—when a user requests it. It would cover California residents and would apply to both offline and online companies. If you live in California, click here to support this bill.
Under current California law, customers can contact companies and ask for an accounting of disclosures for direct marketing purposes—basically, a list of what companies got your personal data for them to send you junk mail, spam, or call you on the phone—and general facts about what types of data were disclosed. For example, if you went to PetSilly and bought dog bones, and then PetSilly sold your data to 17 companies that were using it for direct marketing, you could ask PetSilly for an accounting of disclosures. PetSilly would have to provide you with the names of those 17 companies as well as what categories of information were disclosed (name, address, phone number, etc.).
The new proposal brings California's outdated transparency law into the digital age, making it possible for California consumers to request an accounting of all the ways their personal information is being trafficked—including with online advertisers, data brokers, and third-party apps. So while current law provides information about data exchanged for direct marketing, the Right to Know Act would update existing transparency law to ensure that users could track the flow of their data from online interactions. It also updates the definitions in the law in important ways, including adding location data—a sensitive data set not adequately protected by current law.
It's not just about knowing what a company is sharing; it's about knowing what a company is storing. The new proposal would require companies to make available, free of charge, access to or a copy of the customer's personal information. That means you, the consumer, will really know what information a company has about you.
Lots of people around the world already enjoy these rights. This law mimics the rights of data access already available to users in Europe, which means that most of the big tech companies should already have systems in place to facilitate user access.
This law is about transparency and access, not new restrictions on data sharing. The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy.
The Right to Know Act is written specifically to ensure that companies big and small will be able to tell Californians how they’re collecting and sharing your personal data. You ask and they tell you what they have collected, the list of companies they gave your data to, and general facts about what kind of data was handed over (like "sexual information" and "address"). However, the law has three important safeguards to make sure that even little startups with limited resources will be able to comply:
- Companies can choose to not store unnecessary data. Or, if they must retain information, they could take protective measures to de-identify user data before retaining or disclosing it. Taking such measures would mean companies would not have to respond to data disclosure requests.
- If a company doesn't want to respond to individual requests for data disclosures, it can provide you with a notice about what data will be disclosed and to whom—just before or after it happens.
- Companies only have to provide each user an accounting once every 12 months. This safeguards against any repetitive requests.
California has a reputation for passing important laws around consumer protection. We're fortunate to be paving the way when it comes to issues like data breach notification, medical privacy rights, online privacy policy notices, and employment law. But what happens in California can prove to have positive benefits for users all over the country (and sometimes the world). We see this, for example, with privacy policies. The California Online Privacy Protection Act requires websites to conspicuously show a privacy policy that provides general information about data collection and use. Though this is a California law, privacy policies have become a norm and they are helpful to users all over the web. Hopefully, as companies put efficient systems into place to enable Californians to learn what is happening to their data, it will be easy for the companies to make those systems available to people outside of California. And like California’s model for data breach notification laws (first enacted in California in 2002 and now integrated into law in 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands), transparency will become the default, helping consumers while saving companies money down the line.
California’s Right to Know Act is supported by a diverse coalition of civil liberties groups, domestic violence advocates, consumer protection groups, sexual health, and women’s rights groups. And EFF recently sent a letter (PDF) to Assemblymember Bonnie Lowenthal, the bill’s author, to affirm our strong support of this bill.