California Could be the First State to Give Consumers a “Right to Know” How Companies Use Their Information

Saturday, April 6, 2013, by Reine Duffy
When we use our computers, iPads, phones, or other devices to connect to the Internet, companies are collecting and sharing our personal data. Companies such as Facebook and Google typically store user activity information and end up sharing it with data brokers or advertising networks  Indeed, when Austrian law student Max Schrems recently asked Facebook for a copy of all of his personal data, he got back a CD containing 1,200 pages of data. Schrems eventually filed dozens of complaints in Europe against Facebook for its data practices, but the key fact in this scenario is that Schrems was able to make the request for his personal data in the first place. Ireland’s strict privacy law includes a “right to access,” in which individuals interacting with an EU company or government agency can request all the data that the entity has on that individual and the EU company or government agency is required to comply. The United States has no such type of law, leaving Americans in the dark about what type of personal data is gathered, allowing companies and data brokers to continue refusing to reveal what is being done with the information they collect. However, California has introduced legislation that is the first of its kinds to address a right of access in the United States.
The “Right to Know Act of 2013,” introduced by California assembly member Bonnie Lowenthal, attempts to “bring California’s outdated transparency law into the digital age.” Under the current California state law, California consumers can only ask companies for an accounting of their disclosures for direct marketing purposes, such a list of what companies got consumers’ data to be used in junk mail or phone solicitations. But the Right to Know Act would go further by requiring that, upon request, companies disclose whatever data they have about a consumer and those with whom they have shared it in the past year, such as online advertisers, data brokers, and third-party apps. Companies would have to send all of that data free of charge to the consumer within 30 days from the request.
Online rights advocacy group the Electronic Frontier Foundation, which expressed strong support for the bill along with the ACLU of North California, argues that the law will bring “transparency and access” without imposing any actual restrictions on data sharing. Indeed, because this type of legislation already exists in Europe, the law should not be an excessive burden for big tech companies. Merely, the goal is to help “consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy.”
Whether the law will be passed is up to speculation at this point, and as a state law it is debatable whether the rest of the country will follow suit. But when California passed a data breach notification law in 2002, 46 states followed quickly thereafter. Thus, it’s arguable that if passed, California’s law could eventually allow all American consumers a right of access that has for so long been denied.