California Introduces "Right to Know" Privacy Law, Seeking to Increase Transparency


California Assembly Member Bonnie Lowenthal recently introduced the “Right to Know Act of 2013” (AB1291) in the California State Assembly. If passed, this legislation would allow U.S. consumers unprecedented access to information collected about them online.

As currently drafted, the bill would require a company to disclose, upon request of a California resident whose personal information was retained or shared, copies of all personal information the business has retained about that customer in the 12 months prior to the request, together with (1) the names and contact information of all third parties with whom the business shared personal data within the previous 12 months, and (2) the categories of personal information shared with such third parties. Companies would have to provide the data, free of charge, within 30 days of receiving the request. Failure to comply could lead to legal consequences, including civil actions brought by a customer, the Attorney General or others filed on behalf of the city or state. The statute applies to all businesses that retain or share personal information of California residents.

This legislation is a significant expansion of the rights provided under California’s 2003 Shine the Light law (which this bill would repeal), which currently gives consumers the right to request a list of third parties with whom their personal data is shared for direct marketing purposes, and the categories of personal data that are shared. In particular, the Right to Know Act:

  • Applies to all businesses that retain or share with third parties personal information of California residents.
  • Expands the definition of “personal information” to include IP addresses, device identifiers, location, Internet or mobile activity, user-generated content, and commercial information, which includes “records of products provided, obtained or considered, or other purchasing or consuming histories or tendencies.”
  • Expands the definition of “customer” to include any California resident whose personal information is obtained by the business directly from the customer or obtained by the business from another business.
  • Requires disclosure of all personal information a company retains about a customer, with only very limited exceptions (e.g., retained to perform a specific action and immediately deleted; to comply with law, etc.). This requirement may present significant compliance challenges. While biographical and registration information (such as customer profile data, including name, birth date, and billing data) may be stored in a single, easily accessible database, other personal information (such as user-generated content, social media interactions and web-tracking data) may be collected through various channels and stored in different locations throughout a company. Companies will need to establish mechanisms to track what personal information is collected and retained throughout the business.
  • Requires disclosure of the types of personal information a company discloses to third parties for a variety of purposes, with only limited exceptions (e.g., disclosed to service providers subject to privacy and nondisclosure contract provisions; to comply with law, etc.). 
  • Requires that all privacy policies be updated to notify customers of their rights under the statute and provide a designated request address. If multiple policies for individual products and services exist, all must be updated.
  • Specifies that a violation of the statute “constitutes injury to a consumer,” which would pave the way for class action privacy lawsuits, many of which have previously been dismissed for failure to show injury. 

If the proposed legislation passes, companies could limit the applicability of the statute to their businesses by de-identifying information that is stored or shared, or ensuring personal information is not stored in the first place. Companies that share personal information also could minimize the need to respond to individual requests for information by providing notice of the types of personal information shared and the names and contact information for the third parties with whom the data is shared just prior to or after the disclosure occurring. The proposed legislation also provides that companies only have to provide an accounting of their retention and disclosure of personal information to individual customers once every 12 months.

California is often at the forefront of the privacy debate and several of its state laws have become the de facto standard for privacy across the nation, if not the jumping-off point for other states to follow suit. For example, California’s 2004 Online Privacy Protection Act (CalOPPA) requires Web sites and mobile applications to post a privacy policy. Even though CalOPPA is a state law, many U.S. companies now comply with it if they want to collect information online from California consumers. Similarly, if the Right to Know Act becomes law, these provisions could have wide-ranging impact on virtually every Web site or online property that has California users.