California Introduces "Right to Know" Privacy Law, Seeking to Increase Transparency

April.12.2013

California Assembly Member Bonnie Lowenthal recently introduced the “Right to Know Act of 2013” (AB1291) in the California State Assembly. If passed, this legislation would allow U.S. consumers unprecedented access to information collected about them online.

As currently drafted, the bill would require a company to disclose–upon request of a California resident whose personal information was retained or shared–copies of all personal information a business has retained about that customer in the 12 months prior to the request, together with (1) the names and contact information of all third parties with whom the business shared personal data within the previous 12 months, and (2) the categories of personal information shared with such third parties. Companies would have to provide the data, free of charge, within 30 days of receiving the request. Failure to comply could lead to legal consequences, including civil actions brought by a customer, the Attorney General or others filed on behalf of the city or state. The statute applies to all businesses that retain or share personal information of California residents.

This legislation is a significant expansion of the rights provided under California’s 2003 Shine the Light law (which this bill would repeal), that currently gives consumers the right to request a list of third parties with whom their personal data is shared for direct marketing purposes, and the categories of personal data that is shared. In particular, the Right to Know Act:

Applies to all businesses that retain or share with third parties personal information of California residents.
Expands definition of “personal information” to include IP addresses, device identifiers, location, Internet or mobile activity, user-generated content, and commercial information, which includes “records of products provided, obtained or considered, or other purchasing or consuming histories or tendencies.”
Expands definition of “customer” to include any California resident whose personal information is obtained by the business directly from the customer or obtained by the business from another business.
Requires disclosure of all personal information a company retains about a customer, with only very limited exceptions (e.g., retained to perform specific action and immediately deleted; to comply with law, etc.). This requirement may present significant compliance challenges. While biographical and registration information (such as customer profile data, including name, birth date, and billing data) may be stored in a single, easily-accessible database, other personal information (such as user-generated content, social media interactions and web-tracking data) may be collected through various channels and stored in different locations throughout a company. Companies will need to establish mechanisms to track what personal information is collected and retained throughout the business.
Requires disclosure of the types of personal information a company discloses to third parties for a variety of purposes, with only limited exceptions (e.g., disclosed to service providers subject to privacy and nondisclosure contract provisions; to comply with law, etc.).
Requires that all privacy policies be updated to notify customers of their rights under the statute and provide a designated request address. If multiple policies for individual products and services exist, all must be updated.
Specifies that a violation of the statute “constitutes injury to a consumer,” which would pave the way for class action privacy lawsuits, many of which have previously been dismissed for failure to show injury.

If the proposed legislation passes, companies could limit the applicability of the statute to their businesses by de-identifying information that is stored or shared, or ensuring personal information is not stored in the first place. Companies that share personal information also could minimize the need to respond to individual requests for information by providing notice of the types of personal information shared and the names and contact information for the third parties with whom the data is shared just prior to or after the disclosure occurring. The proposed legislation also provides that companies only have to provide an accounting of their retention and disclosure of personal information to individual customers once every 12 months.

California is often at the forefront of the privacy debate and several of its state laws have become the de facto standard for privacy across the nation, if not the jumping-off point for other states to follow suit. For example, California’s 2004 Online Privacy Protection Act (CalOPPA) requires Web sites and mobile applications to post a privacy policy. Even though CalOPPA is a state law, many U.S. companies now comply with it if they want to collect information online from California consumers. Similarly, if the Right to Know Act becomes law, these provisions could have wide-ranging impact on virtually every Web site or online property that has California users.

Authors

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Related Areas

Markets

Bay Area: San Francisco and Silicon Valley