Slashdot Mirror


California Law Would Require Companies To Disclose All Consumer Data Collected

Trailrunner7 writes "California, which set the standard for data breach notifications nationwide, is again seeking to set a precedent by becoming the first state in the nation to require companies, upon request, to disclose to California consumers the data they've collected and to whom it was shared during the past year. ... The 'Right to Know Act of 2013,' AB 1291, was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. ... It applies to companies that are both on- and offline. Privacy advocacy groups such as the EFF wrote Tuesday that the bill could set a precedent for other states, much as California's 2002 Breach Notification Act requiring California data breach victims be notified was later replicated by almost all U.S. states." That's not all: you'd be able to request a copy of all the data they've stored about you too.

30 of 119 comments

  1. Great first step by mrdogi · · Score: 4, Interesting

    The next step would naturally be to force the companies to correct the data that they have wrong. For example, one link mentioned a woman who lost a job because she was misidentified as having a criminal record.

    Here's to hoping.

    1. Re:Great first step by Bradmont · · Score: 2

      I would say the better second step would be to, upon request, force companies to delete all the data they have on you, and stop tracking you in perpetuity.

    2. Re:Great first step by PPH · · Score: 2

      That would be the "I wish never to do business with you" button on their web site.

      --
      Have gnu, will travel.

    3. Re:Great first step by ShanghaiBill · · Score: 2

      I would say the better second step would be to, upon request, force companies to delete all the data they have on you, and stop tracking you in perpetuity.

      So if I default on my debts, I can demand that credit reporting companies delete the data? If I am a corrupt politician, I can demand that journalists delete any data they have on me, including any ongoing investigations? Passing a law requiring facts to just "go away" is the dumbest idea I have heard so far today.

    4. Re:Great first step by ShanghaiBill · · Score: 3, Insightful

      Why force them? More accuracy increases the value of the database.

      Because in many cases the user of the data is not the owner of the data, and by the time you have received their junk mail piece, it is a sunk cost, and they couldn't care less about the accuracy of the DB. There is an entire industry based on renting customer data for one-time use.

    5. Re:Great first step by Hatta · · Score: 4, Interesting

      I'm happy to let them spend all the money they want on junk advertising. It's a complete waste of time, effort, and resources on their part, and it costs me nothing but a slightly heavier recycling bin. And it performs a valuable service in informing me who *not* to do business with in the future.

      --
      Give me Classic Slashdot or give me death!

    6. Re:Great first step by IndustrialComplex · · Score: 3

      Honestly, I don't think that would be a problem.

      Man defaults on loans.

      Man: "Delete all of the data you have on me."
      Equiexperitransunion: "OK. You have been purged from our records."
      Man: "Hehehe! Now for phase 2"

      *The next day*

      Man: "Hello, I would like a signature loan please"
      CreditCo: "No."
      Man: "But... I have a completely clean record"
      CreditCo: "You have no credit record. Therefore you are high risk, and we only make signature loans to people with known good credit histories"
      CreditCo: "You may however, apply for the entry level loans we offer to build a credit history. It's at a low rate too!"
      Man: "Fine, what's the limit?"
      CreditCo: "$250"

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj

    7. Re:Great first step by idontgno · · Score: 2

      As far as advertising is concerned, I see your point, and largely agree. They can tailor their advertising as much as they please, since they can't make me see it (unopened junk mail, AdBlockPlus).

      But some of this data can affect other real-life interactions, like credit and employment opportunities.

      This would be the reason I'd want some visibility and input into this data, the same we have (now) with credit bureau information.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.

    8. Re:Great first step by Hatta · · Score: 5, Insightful

      This would be the reason I'd want some visibility and input into this data, the same we have (now) with credit bureau information.

      This puts the burden on the wrong party, just like we have now with credit bureau information. The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.

      --
      Give me Classic Slashdot or give me death!

    9. Re:Great first step by yl-roller · · Score: 2

      The law refers to companies doing business with California consumers. I seriously doubt that companies will cease doing business in the most populous state because of this law.

    10. Re:Great first step by Cederic · · Score: 3, Interesting

      1. We are now centralizing all the data to a single point, so hackers have one really good target to get such data.

      Really? Where?

      now there will be a spot that has the full picture of me

      Again, where? Are you planning to contact every company and collate the data they all hold on you, in a single MySQL database attached to the web?

      I ask only because nobody else is*

      So overnight I become a law abiding citizen to a criminal, where the police will watch me break a law I didn't know I broke, because they see that I have a tendency to do something against the popular fad

      How would the police see this? Why would you continue to do it if it was against the law? Are you actually complaining that you can't break the law?

      4. How are we going to pay for this. California has a lot of big data companies, that means California will need bigger data just to handle this all.

      In the UK it's a cost of doing business. I write to a company with a Subject Access Request, demand all data they hold on me - including HR records, customer records, marketing records, transactional records, paper records and surveillance footage - and they write back saying, "We can only do that if you pay a fee." So I hand over the maximum allowable fee of £10 and they send me... well, could be a pallet of printouts, could be a DVD, could be a polite letter saying, "I'm sorry, we've never heard of you. Why did you write to us?"

      * other than Facebook and Google of course

    11. Re:Great first step by Bobfrankly1 · · Score: 2

      This would be the reason I'd want some visibility and input into this data, the same we have (now) with credit bureau information.

      This puts the burden on the wrong party, just like we have now with credit bureau information. The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.

      It would seem that in most states (California included), the data broker could be brought up on libel/defamatory charges. Wikipedia's article on this points out that some statements are "defamatory per se", notably:

      Allegations or imputations "injurious to another in their trade, business, or profession"

      It goes on to add that if a statement is "defamatory per se", "damages for such false statements are presumed and do not have to be proven."

      Also, IMNAL.

    12. Re:Great first step by Wookact · · Score: 2

      Imagine if you tried to create a new Facebook (or whatever) account and you were not able to because California was your home state, and the company decided it would be too much trouble to comply with all that state's demands.

      No new data harvesters? Nothing of value was lost.

    13. Re:Great first step by houghi · · Score: 2

      The next step would naturally be to force the companies to correct the data that they have wrong.

      Just for your information: this is already law in Europe.
      Many people think that this means they can remove their details, but that is not possible because of other laws. e.g. for billing reasons you can not remove the customer's data, but you are allowed to update it.
      This can also mean that in various cases, they will need proof. e.g. we asked for a signed form if you want to change your address.

      This does not mean that you need to hand over every detail you have on the customer. e.g. notes made do not need to be handed over (unless there is some sort of order by a judge, but then everything goes.)

      --
      Don't fight for your country, if your country does not fight for you.

    14. Re:Great first step by Kaenneth · · Score: 2

      I recently realized, advertising is targeted at people that advertising works on. Us techie types are more methodical and logical than average, we want specs, facts, and figures; we would never buy something just because Justin Bieber endorses it; but there exist people who would; and this is as utterly incomprehensible to us as our unfashionable clothes are to them.

    15. Re:Great first step by Roman+Coder · · Score: 3, Interesting

      Good riddance to them. As a native Californian, who has lived in other states (Texas, Arizona, etc.), I love that my state laws protect me from corporations' bad practices.

      Also, if you were right, we would not be in such a hurry to do business in China. Business goes where the customers are at. There's a VERY high threshold of anti-business practices before a corporation will forgo profits and move on.

      It's OK to make it harder for corporations to make money, as long as it's fair/reasonable. They'll make better products, that serve people better.

      People > Corporations.

      --
      "The future can only affect the present if there is room to write its influence off as a mistake." - Yakir Aharonov

    16. Re:Great first step by HairyNevus · · Score: 2

      The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.

      Yeah I wouldn't mind that one bit. Maybe this would be a different matter, but a couple years ago I almost wasn't given a job because the background check company flagged me as having a criminal record. The person had the same first and last name (but not middle), and birthday (but different year) as me but I was held up for a month and the owner almost moved on to different candidates because of this. It took very little to flag me as a crook, but the burden of proof then fell on my shoulder to exonerate myself with LexisNexis, for some guy's crime over a thousand miles from where I live.

      --
      You were critically hit for no damage. The bruise will look nice, and maybe the scars will make good party talk.

    17. Re:Great first step by nospam007 · · Score: 3, Informative

      "So if I default on my debts, I can demand that credit reporting companies delete the data?"

      No.

      "If I am a corrupt politician, I can demand that journalists delete any data they have on me, including any ongoing investigations?"

      No.

      "Passing a law requiring facts to just "go away" is the dumbest idea I have heard so far today."

      It has been like that in Europe for years. You can ask the data they have about you and they have to delete wrong data and correct the data that is erroneous. Piece of cake.

  2. Welcome to the 1980's by ledow · · Score: 5, Informative

    Welcome to the 1980's, guys.

    Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

    You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

    How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it?

    1. Re:Welcome to the 1980's by tlhIngan · · Score: 2

      Welcome to the 1980's, guys.

      Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

      You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

      How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it?

      I believe the California law goes one further in not just saying what the business knows about you, but who they sold the information to as well. And it's ongoing - as long as your information is passed to a third party, the company has an obligation to notify you of what they passed on.

    2. Re:Welcome to the 1980's by fatquack · · Score: 3, Informative

      In EU privacy law (on which the UK Data Protection Act is based) selling personal information is in principle not allowed. Even giving it away for free is only allowed in a few cases.

    3. Re:Welcome to the 1980's by galadran · · Score: 3, Informative

      Welcome to the 1980's, guys.

      Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

      You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

      How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it?

      I believe the California law goes one further in not just saying what the business knows about you, but who they sold the information to as well. And it's ongoing - as long as your information is passed to a third party, the company has an obligation to notify you of what they passed on.

      The DPA prevents companies from selling the data without your permission. Companies can only process data for the purpose it was collected for, e.g. no reusing data without permission. Additionally they may not sell or transfer it to a jurisdiction where the privacy controls are weaker to get around this restriction.

  3. Next step: identify the companies by gclef · · Score: 3, Interesting

    Interesting side problem: how do you know which corporations have data about you? The big companies like Google are known, but there's a lot of other data brokers around...how can I demand data from a company I don't know about?

  4. Good start, but... by webdog314 · · Score: 2

    They need to add wording so that my data can't be shared without my permission with anyone who doesn't have the same company name. Way too much is being hidden behind "associates" and "partners". Anyone who touches my data should have to accept the same security and legal restrictions/responsibilities as the parent company that collected it. I'm tired of getting those Privacy Notices from everyone I have an account with, written in legalese so generic as to make them useless. If you can take the time to send me a revised privacy statement every six months, then you can take the time to list who your "associate companies" actually are.

  5. Implementation by ZombieBraintrust · · Score: 2

    That's not all: you'd be able to request a copy of all the data they've stored about you too.

    Sounds like an identity thief's dream come true.

  6. Re:PIPEDA by Lorens · · Score: 2

    The equivalent exists in France since 1978. There are quite heavy fines and even prison terms for inappropriate collection and use of personal data. There's even been at least one spammer convicted on the grounds that his use of a list of e-mails constituted illicit use of infringing data.

  7. Have they thought this through? by Anonymous Coward · · Score: 2, Insightful

    I thought one of the growing concerns people had, and at first glance it appears to fall within this bill, is all the pseudonymous "tracking" which various companies do (particularly in advertising), where lots of details can be inferred about a person, and possibly even be cleverly determined to be about a specific person. For example, my computer figures out that you, John Smith on 1234 Fake St in zip code 66666, are into midget porn.

    It's a real risk and can happen, and yet also, probably doesn't reliably happen. That is, I can figure out that this midget-porn-lover is very likely to be a guy in zipcode 66666, and if I were to combine some of the things I know with another database, which I may or may not have, I might determine it's very likely John Smith. But I don't know, and I can't turn the inferences around and really say what John Smith's porn preferences are. If I try really hard (to a degree that I would never be commercially motivated to, and therefore wouldn't do unless someone pointed a gun at me and demanded it), then I really will sometimes make mistakes, and mistakenly attribute Joe Schmoe's porn preferences as being John Smith's.

    If you make a law that I need to be able to tell John Smith what I think about him (an opinion which I don't really have) and make me liable for mistakes (make my opinion become critically important) then I need to DE-ANONYMIZE my data, and make the extra effort to join other databases so that I can resolve things more reliably.

    I need to make the "privacy nightmare" that everyone is worrying about worse. Thanks, State of California. Just as your left hand says the corporations are the real Big Brother, right hand is there to assure us that no, government will always remain the primary threat. By force and good intentions, if necessary.

  8. Re:Identity Theft by gewalker · · Score: 2

    Well, the bill specifies notification via writing or email. Clearly, no risk of identity theft whatsoever. Also, they specify the info must be provided to the consumer at no charge, so no disincentive to phishers of men that way either.

  9. Re:Problems? by Kumiorava · · Score: 2

    If you read the bill text you quickly see (without lawyers) that your logs that are held to comply with laws and then deleted afterwards are not considered information your company retains. However you might retain other information and that information needs to be shared with the customer.

  10. Google moves all operations outside of California by mcrbids · · Score: 2

    Moving in 3, 2, 1....

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.