California Law Would Require Companies To Disclose All Consumer Data Collected
Trailrunner7 writes "California, which set the standard for data breach notifications nationwide, is again seeking to set a precedent by becoming the first state in the nation to require companies upon request disclose to California consumers the data they've collected and to whom it was shared during the past year. ... The 'Right to Know Act of 2013,' AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. ... It applies to companies that are both on- and off-line. Privacy advocacy groups such as the EFF wrote Tuesday that the bill could set a precedent for other states, much as California's 2002 Breach Notification Act requiring California data breach victims be notified was later replicated by almost all U.S. states."
That's not all: you'd be able to request a copy of all the data they've stored about you too.
The next step would naturally be to force the companies to correct the data that they have wrong. For example, one link mentioned a woman who lost a job because she was misidentified as having a criminal record.
Here's to hoping.
Companies are really careful about protecting their data but offer us no option to protect ours. At least giving people an idea what they're doing will help inform people and maybe they'll realise what's going on and maybe freebies aren't the best deal.
Welcome to the 1980's, guys.
Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.
You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).
How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it?
Please completely devastate your business model.
Bonnie Lowenthal
Temporary Assistant Deputy Backup Politician from Long Beach
I'd rather have a law informing me of who is receiving my information. I'm getting nagged by Google all the time to turn my pseudo-anonymous accounts into explicit links to the real me via phone numbers and nagging for my real name. I want to know where all that information is going.
I just got an iPhone with the "Find My Phone" app. It seems to work by posting my phone's location to iCloud. Who has access to that info?
I swear to God...I swear to God! That is NOT how you treat your human!
We've had that for years up here in Canada. The Personal Information Protection and Electronic Documents Act. When it first came out, I was the DBA at a small company. First thing I had to do was scrub everything from our database that could possibly be construed as disparaging towards a customer, just in case they asked for their records.
I'd be surprised if one in a hundred Canadians are even aware that the act exists, let alone their rights because of it.
Interesting side problem: how do you know which corporations have data about you? The big companies like Google are known, but there's a lot of other data brokers around...how can I demand data from a company I don't know about?
They need to add wording so that my data can't be shared without my permission with anyone who doesn't have the same company name. Way too much is being hidden behind "associates" and "partners". Anyone who touches my data should have to accept the same security and legal restrictions/responsibilities as the parent company that collected it. I'm tired of getting those Privacy Notices from everyone I have an account with, written in legalese so generic as to make them useless. If you can take the time to send me a revised privacy statement every six months, then you can take the time to list who your "associate companies" actually are.
Google and Facebook will fight this tooth and nail, I'm sure, and if it goes through - well, California might see even -more- business leave their state. Not that I think it's a good thing it'll happen. This is just how it is.
The only way you can ever know who has what is by accident or by stealing the hard drives. This stuff is too easy to hide.
“He’s not deformed, he’s just drunk!”
Sounds like an identity thief's dream come true.
That's right, keep The People's attention focused on "spying evil corporations" rather than the real danger from those who spy on you. Government good. Corporations that jam shelves with products evil.
So sayeth your meme overlords. So let it be!
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Steal enough info to fool Google into thinking you're someone else. Then request from Google everything it knows about that person. They better require such requests to occur in person with documentation.
Plan A:
In an effort to improve its privacy concerns and relations, Facebook has announced its plan to buy all properties and businesses within California.
In related news Facebook has changed its "Friend" functionality to the much more appropriate "Vassal" system.
This re-imagination of the tried and true Monarchy system converted into a Corporate Oligarchy will pave the way for a brighter future that Facebook hopes other businesses will replicate.
Plan B:
Stipulate Facebook is free to use and as such you gain no such Consumer Privacy Protection rights.
This seems like generally a good direction to be going, but there are issues to think about. For example, what if a company's data about me relates to other users' interactions with me? Giving me that data could well become a privacy issue for the other users.
And follow up with Right To Be Forgotten.
This could be our first great step to cripple the surveillance state that Google and other surveillance (marketing) companies have produced.
I should be able to call Google and say: Forget me.
And they should have to provide proof to the government under threat of massive fines (and executive prison time) that they have no data matching a particular set.
Cut these bastards off at the knees.
I thought one of the growing concerns people had, and at first glance it appears to fall within this bill, is all the pseudonymous "tracking" which various companies do (particularly in advertising), where lots of details can be inferred about a person, and possibly even be cleverly determined to be about a specific person. For example, my computer figures out that you, John Smith on 1234 Fake St in zip code 66666, are into midget porn.
It's a real risk and can happen, and yet also, probably doesn't reliably happen. That is, I can figure out that this midget-porn-lover is very likely to be a guy in zipcode 66666, and if I were to combine some of the things I know with another database, which I may or may not have, I might determine it's very likely John Smith. But I don't know, and I can't turn the inferences around and really say what John Smith's porn preferences are. If I try really hard (to a degree that I would never be commercially motivated to, and therefore wouldn't do unless someone pointed a gun at me and demanded it), then I really will sometimes make mistakes, and mistakenly attribute Joe Schmoe's porn preferences as being John Smith's.
If you make a law that I need to be able to tell John Smith what I think about him (an opinion which I don't really have) and make me liable for mistakes (make my opinion become critically important) then I need to DE-ANONYMIZE my data, and make the extra effort to join other databases so that I can resolve things more reliably.
I need to make the "privacy nightmare" that everyone is worrying about worse. Thanks, State of California. Just as your left hand says the corporations are the real Big Brother, right hand is there to assure us that no, government will always remain the primary threat. By force and good intentions, if necessary.
Man this is a great idea! If you can convince everyone to spend every waking moment scrutinizing the data collected on them every year they won't need silly things like TV or Elections to keep them distracted from what's happening in the world.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
So, this presents some challenges to me.
I'm one of the co-founders of WonderProxy (https://wonderproxy.com). Running a global proxy network, you might imagine that we have a fairly large log set. Our billing process involves pulling those logs into a central location, parsing out the information billing cares about (customer & amount transferred) and recording that in aggregate. We store the raw log files in the raw form for some period of time to comply with any sort of warrant from law enforcement (our goal isn't to be an anonymous proxy), then delete them.
We've deliberately avoided storing the details we have about traffic in any sort of a searchable form. We don't care unless something comes up, and as a general rule we don't think it's any of our business. So this is information about a customer we do possess, but also information that we've deliberately avoided making easy to access. To grab it we'd eschew all our UI tools, drop to a command line, and start uncompressing raw logs, then dropping in with grep or something to filter the user. Then another manual pass to make sure we haven't accidentally included a line from a different customer. For a customer who has only paid us $15 we're going to lose money once we comply.
Then there's our webserver logs. If someone logged in, we can technically deduce what requests are associated with that user, but the apache logs don't store that in a nice easy to read format. We'd probably need to correlate a bunch of different systems in ways we've never done before (because we don't care who loaded main.css on Tuesday the 4th at 16:22:32) to ensure we've handed everything over.
This is of course assuming that we're required to comply. We're a Canadian corporation, federally registered, all that fun stuff. But we do have servers in the US, even ones in California. Of course, getting an answer from our lawyer on whether or not we're required to comply would also cost well more than $15, and that's before we've started trying.
Then there's more privileged information. Internally calculated fraud scores, internal customer notes ("these people never pay on time", "serious PITA, don't give a discount", "Super nice") which is also information we have on a customer, but generally something we'd rather not share.
As a user of the web, I like this idea. As a provider of services the cost of compliance scares me.
paul reinheimer
They have to comply with this in Europe. Thus they have a push button solution for complying with this. A bunch of other Californian companies don't.
world was created 5 seconds before this post as it is.
'nuff said.
What the hell were they waiting on?
Until it applies, I say anything goes from the consumer side of things as well. If you obtain information on a company or agency, you should be able to sell it or trade it or provide it for free to anybody you like. And if those entities don't like it, then they shouldn't be doing it to us.
That data is rife for abuse.
Moving in 3, 2, 1....
I have no problem with your religion until you decide it's reason to deprive others of the truth.
And it doesn't seem to be a problem, so the FUD gaming here needs to be ignored.
Why would they bother?
They're already subject to something like this in the UK (DPA, as outlined above), yet they've not withdrawn their UK operations over it. Any information Google is storing on you is probably 'live' so they can actually use it (at least, if you believe the conspiracy types), and they probably have to retrieve this information in response to court orders and warrants anyway, so a lookup should be a pretty simple affair for them.
It's just a question of what format the information has to be presented in. If they're allowed to provide it as is by email, they'll barely notice. If they have to format the binary bits to make them human readable, then they'll need a few more machines to run the conversion scripts. It'll only hurt if they have to provide printouts without recompense - toner ain't cheap.
The only problem is proving that the person requesting the data is the person the data actually relates to.
Thing is, increasingly the government outsources its spying to... those same corporations. Why do it in-house where you have to comply (or at least appear to comply) with a bunch of regulations when you can farm it out to a private company (who's dropping some nice campaign donations on you) that, not being a government agency, doesn't have to comply with any of those regulations?
Just wait until the web of plausible deniability that will result. Big Corporation X will outsource its data collection to provider Y who will have "affiliates" and "partners" and whatever else they can think of, and outsource data storage to provider Z, who will treat an app as its product. The result will be that no one will know who has what data about anyone. Corporations know how to do this stuff. If the State of California points a legal finger at Big Corporation X, then BCX will point to Y and Z, who will point to their affiliates and partners, who will find someone to throw under the bus.
That was my initial thought upon reading the summary.... that if the legislation passed, companies such as Google would leave California before the ink dries on the governor's signature.
Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request
This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer.
What kind of idiot would reference an advertising database when trying to hire an employee?
Moving in 3, 2, 1....
https://www.google.com/dashboard/ is already a good part of the way there to providing the information.
Unless there are some potential problems that aren't obvious to me now, this legislation is in line with Google's own ideas about privacy. Specifically, it's in line with "Make the collection of personal information transparent" and "Give users meaningful choices to protect their privacy."
See: http://googleblog.blogspot.com/2010/01/googles-privacy-principles.html
Ok. Here you go: everything-you-sent-us.pcap. What a stupid law.