California Assembly Member Bonnie Lowenthal recently introduced the “Right to Know Act of 2013” (AB1291) in the California State Assembly. If passed, this legislation would allow U.S. consumers unprecedented access to information collected about them online.
As currently drafted, the bill would require a company to disclose, upon request of a California resident whose personal information was retained or shared, copies of all personal information a business has retained about that customer in the 12 months prior to the request, together with (1) the names and contact information of all third parties with whom the business shared personal data within the previous 12 months, and (2) the categories of personal information shared with such third parties. Companies would have to provide the data, free of charge, within 30 days of receiving the request. Failure to comply could lead to legal consequences, including civil actions brought by a customer, the Attorney General or others filed on behalf of the city or state. The statute applies to all businesses that retain or share personal information of California residents.
This legislation is a significant expansion of the rights provided under California’s 2003 Shine the Light law (which this bill would repeal), which currently gives consumers the right to request a list of third parties with whom their personal data is shared for direct marketing purposes, and the categories of personal data that are shared. In particular, the Right to Know Act:
Specifies that a violation of the statute “constitutes injury to a consumer,” which would pave the way for class action privacy lawsuits, many of which have previously been dismissed for failure to show injury.
If the proposed legislation passes, companies could limit the applicability of the statute to their businesses by de-identifying information that is stored or shared, or by ensuring personal information is not stored in the first place. Companies that share personal information also could minimize the need to respond to individual requests for information by providing notice of the types of personal information shared, and the names and contact information for the third parties with whom the data is shared, just before or after the disclosure occurs. The proposed legislation also provides that companies have to provide an accounting of their retention and disclosure of personal information to individual customers only once every 12 months.