A California legislator recently re-introduced a bill that, if passed, would further solidify California’s place at the forefront of privacy regulation among U.S. States. AB 1291, the “Right to Know Act of 2013,” would require businesses to provide to consumers, upon request, a copy of all personal information the company has collected and retained about that consumer, as well as information about any parties with whom that information is shared.
Under California’s existing “Shine the Light” law, California consumers already have a right to request, no more than once a year, a list of third parties with whom a company has shared personal information for direct marketing purposes, and a description of the information shared. Companies may currently comply with the law by allowing consumers to opt-out of having their information shared with third parties for direct-marketing purposes.
The proposed law would broaden a consumer’s right of access considerably, giving consumers a right to obtain a copy of any personal information a company retains about that customer, regardless of whether the information is shared with third party marketers. Significantly, this includes both information a company may collect from a customer in connection with a transaction (e.g. name, email address, mailing address, order history), as well as any information purchased from third-party data brokers and incorporated into the consumer profile maintained by the company (e.g. demographic information provided by data brokers).
It is too early to predict whether the bill will be passed by the California legislature, but it is sure to be controversial. Some privacy advocates have applauded the bill, arguing that consumers need greater transparency regarding data collection practices, and noting that Europeans already enjoy similar rights of access. (An Austrian law student made headlines several years ago when he requested his information from Facebook and received more than 1,200 pages of data). Industry groups, on the other hand, are justifiably concerned about the potential cost of complying with the bill’s mandate, and about potentially increased exposure to lawsuits. As currently written, the bill would allow private consumer lawsuits, which could make litigation attractive to class-action lawyers.
We will continue to monitor developments in this area. Whether or not this particular bill becomes law, it is not the first and will not be the last time we see a push for greater transparency around data collection, particularly with respect to the practice of “data enhancement” or using information about consumers provided by data brokers rather than the consumers, themselves. (See related blog posts, here and here).