Slashdot Mirror
California Law Would Require Companies To Disclose All Consumer Data Collected
Trailrunner7 writes "California, which set the standard for data breach notifications nationwide, is again seeking to set a precedent by becoming the first state in the nation to require companies upon request disclose to California consumers the data they've collected and to whom it was shared during the past year. ... The 'Right to Know Act of 2013,' AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. ... It applies to companies that are both on- and off- line Privacy advocacy groups such as the EFF wrote Tuesday that the bill could set a precedent for other states, much as California's 2002 Breach Notification Act requiring California data breach victims be notified was later replicated by almost all U.S. states."
That's not all: you'd be able to request a copy of all the data they've stored about you too.
The next step would naturally be to force the companies to correct the data that they have wrong. For example, one link mentioned a woman who lost a job because she was misidentified as having a criminal record.
Here's to hoping.
Companies are really careful about protecting their data but offer us no option to protect ours. At least giving people am idea what they're doing will help inform people and maybe they'll realise what's going on and maybe freebies aren't the best deal.
Welcome to the 1980's, guys.
Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.
You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).
How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it.
I'd rather have a law informing me of who is receiving my information. I'm getting nagged by Google all the time to turn my pseudo-anonymous accounts into explicit links to the real me via phone numbers and nagging for my real name. I want to know where all that information is going.
I just got an iPhone with the "Find My Phone" app. It seems to work by posting my phone's location to iCloud. Who has access to that info?
I swear to God...I swear to God! That is NOT how you treat your human!
Interesting side problem: how do you know which corporations have data about you? The big companies like Google are known, but there's alot of other data brokers around...how can I demand data from a company I don't know about?
They need to add wording so that my data can't be shared without my permission with anyone who doesn't have the same company name. Way too much is being hidden behind "associates" and "partners". Anyone who touches my data should have to accept the same security and legal restrictions/responsibilities as the parent company that collected it. I'm tired to getting those Privacy Notices from everyone I have an account with, written in legaleze so generic as to make them useless. If you can take the time to send me a revised privacy statement every six months, then you can take the time to list who your "associate companies" actually are.
Google and Facebook will fight this tooth and nail, I'm sure, and if it goes through - well, California might see even -more- business leave their state. Not that I think it's a good thing it'll happen. This is just how it is.
The only way you can ever know who has what is by accident or by stealing the hard drives. This stuff is too easy to hide.
“He’s not deformed, he’s just drunk!”
Sounds like a identity thiefs dream come true.
That's right, keep The Peole's attention focused on "spying evil corporations" rather than the real danger from those who spy on you. Government good. Corporations that jam shelves with products evil.
So sayeth your meme overlords. So let it be!
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
The equivalent exists in France since 1978. There are quite heavy fines and even prison terms for inappropriate collection and use of personal data. There's even been at least one spammer convicted on the grounds that his use of a list of e-mails constituted illicit use of infringing data.
Steal enough info to fool google into thinking your someone else. Then request from google everything it knows about that person. They better require such request to occur in person with documenation.
I thought one of the growing concerns people had, and at first glance it appears to fall within this bill, is all the pseudonymous "tracking" which various companies do (particularly in advertising), where lots of details can be inferred about a person, and possibly even be cleverly determined to be about a specific person. For example, my computer figures out that you, John Smith on 1234 Fake St in zip code 66666, are into midget porn.
It's a real risk and can happen, and yet also, probably doesn't reliably happen. That is, I can figure out that this midget-porn-lover is very likely to be a guy in zipcode 66666, and if I were to combine some of the things I know with another database, which I may or may not have, I might determine it's very likely John Smith. But I don't know, and I can't turn the inferences around and really say what John Smith's porn preferences are. If I try really hard (to a degree that I would never be commercially motivated to, and therefore wouldn't do unless someone pointed a gun at me and demanded it), then I really will sometimes make mistakes, and mistakenly attribute Joe Schmoe's porn preferences as being John Smith's.
If you make a law that I need to be able to tell John Smith what I think about him (an opinion which I don't really have) and make me liable for mistakes (make my opinion become critically important) then I need to DE-ANONYMIZE my data, and make the extra effort to join other databases so that I can resolve things more reliably.
I need to make the "privacy nightmare" that everyone is worrying about worse. Thanks, State of California. Just as your left hand sasys the corporations are the real Big Brother, right hand is there to assure us that no, government will always remain the primary threat. By force and good intentions, if necessary.
Man this is a great idea! If you can convince everyone to spend every waking moment scrutinizing the data collected on them every year they won't need silly things like TV or Elections to keep them distracted from what's happening in the world.
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
So, this presents some challenges to me.
I'm one of the co-founders of WonderProxy (https://wonderproxy.com), running a global proxy network you might imagine that we have a fair large log set. Our billing process involves pulling those logs into a central location, parsing out the information billing cares about (customer & amount transferred) and recording that in aggregate. We store the raw log files in the raw form for some period of time to comply with any sort of warrant from law enforcement (our goal isn't to be an anonymous proxy), then delete them.
We've deliberately avoided storing the details we have about traffic in any sort of a searchable form. We don't care unless something comes up, and as a general rule we don't think it's any of our business. So this is information about a customer we do possess, but also information that we've deliberately avoided making easy to access. To grab it we'd eschew all our UI tools, drop to a command line, and start uncompromising raw logs, then dropping in with grep or something to filter the user. Then another manual pass to make sure we haven't accidentally included a line from a different customer. For a customer who has only paid us $15 we're going to lose money once we comply.
Then there's our webserver logs. If someone logged in, we can technically deduce what requests are associated with that user, but the apache logs don't store that in a nice easy to read format. We'd probably need to correlate a bunch of different systems in ways we've never done before (because we don't care who loaded main.css on Tuesday the 4th at 16:22:32) to ensure we've handed everything over.
This is of course assuming that we're required to comply. We're a Canadian corporation, federally registered, all that fun stuff. But we do have servers in the US, even ones in California. Of course, getting an answer from our lawyer on whether or not we're required to comply would also cost well more than $15, and that's before we've started trying.
Then there's more privileged information. Internally calculated fraud scores, internal customer notes ("these people never pay on time", "serious PITA, don't give a discount", "Super nice") which is also information we have on a customer, but generally something we'd rather not share.
As a user of the web, I like this idea. As a provider of services the cost of compliance scares me.
paul reinheimer
they have to comply to this in europe. thus they have a push button solution for complying with this. a bunch of other californian companies don't.
world was created 5 seconds before this post as it is.
Moving in 3, 2, 1....
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Thing is, increasingly the government outsources it's spying to... those same corporations. Why do it in-house where you have to comply (or at least appear to comply) with a bunch of regulations when you can farm it out to a private company (who's dropping some nice campaign donations on you) that, not being a government agency, doesn't have to comply with any of those regulations?
Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request
This bill would instead require any business that has retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer