Slashdot Mirror

← Back to Stories (view on slashdot.org)

California Law Would Require Companies To Disclose All Consumer Data Collected

Posted by Unknown on from the watching-you-sleep dept.

Trailrunner7 writes "California, which set the standard for data breach notifications nationwide, is again seeking to set a precedent by becoming the first state in the nation to require companies upon request disclose to California consumers the data they've collected and to whom it was shared during the past year. ... The 'Right to Know Act of 2013,' AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. ... It applies to companies that are both on- and off- line Privacy advocacy groups such as the EFF wrote Tuesday that the bill could set a precedent for other states, much as California's 2002 Breach Notification Act requiring California data breach victims be notified was later replicated by almost all U.S. states." That's not all: you'd be able to request a copy of all the data they've stored about you too.

12 of 119 comments (clear)

  1. Great first step by mrdogi · · Score: 4, Interesting

    The next step would naturally be to force the companies to correct the data that they have wrong. For example, one link mentioned a woman who lost a job because she was misidentified as having a criminal record.

    Here's to hoping.

    1. Re:Great first step by ShanghaiBill · · Score: 3, Insightful

      Why force them? More accuracy increases the value of the database.

      Because in many cases the user of the data is not the owner of the data, and by the time you have received their junk mail piece, it is a sunk cost, and they couldn't care less about the accuracy of the DB. There is an entire industry based on renting customer data for one-time use.

    2. Re:Great first step by Hatta · · Score: 4, Interesting

      I'm happy to let them spend all the money they want on junk advertising. It's a compete waste of time, effort, and resources on their part, and it costs me nothing but a slightly heavier recycling bin. And it performs a valuable service in informing me who *not* to do business with in the future.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Great first step by IndustrialComplex · · Score: 3

      Honestly, I don't think that would be a problem.

      Man defaults on loans.

      Man: "Delete all of the data you have on me."
      Equiexperitransunion: "OK. You have been purged from our records."
      Man: "Hehehe! Now for phase 2"

      *The next day*

      Man: "Hello, I would like a signature loan please"
      CreditCo: "No."
      Man: "But... I have a completely clean record"
      CreditCo: "You have no credit record. Therefore you are high risk, and we only make signature loans to people with known good credit histories"
      CreditCo: "You may however, apply for the entry level loans we offer to build a credit history. It's at a low rate too!"
      Man: "Fine, what's the limit?"
      CreditCo: "$250"

      --
      Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
    4. Re:Great first step by Hatta · · Score: 5, Insightful

      This would the reason I'd want some visibility and input into this data, the same we have (now) with credit bureau informatino.

      This puts the burden on the wrong party, just like we have now with credit bureau information. The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.

      --
      Give me Classic Slashdot or give me death!
    5. Re:Great first step by Cederic · · Score: 3, Interesting

      1. We are now centralizing all the data to a single point, so hackers have one really good target to get such data.

      Really? Where?

      now there will be a spot that has the full picture of me

      Again, where? Are you planning to contact every company and collate the data they all hold on you, in a single MySQL database attached to the web?

      I ask only because nobody else is*

      So overnight I become a law abiding citizen to a criminal, where the police will watch me break a law I didn't know I broke, because they see that I have a tendency to do something against the popular fad

      How would the police see this? Why would you continue to do it if it was against the law? Are you actually complaining that you can't break the law?

      4. How are we going to pay for this. California has a lot of big data companies, that means California will need bigger data just to handle this all.

      In the UK it's a cost of doing business. I write to a company with a Subject Access Request, demand all data they hold on me - including HR records, customer records, marketing records, transactional records, paper records and surveillance footage - and they write back saying, "We can only do that if you pay a fee." So I hand over the maximum allowable fee of £10 and they send me.. well, could be a palette of printouts, could be a DVD, could be a polite letter saying, "I'm sorry, we've never heard of you. Why did you write to us?"

      * other than Facebook and Google of course

    6. Re:Great first step by Roman+Coder · · Score: 3, Interesting

      Good riddance to them. As a native Californian, who has lived in other states (Texas, Arizona, etc.), I love that my state laws protect me from corporations bad practices.

      Also, if you were right, we would not be in such a hurry to do business in China. Business goes where the customers are at. There's a VERY high threshold of anti-business practices before a corporation will forgo profits and move on.

      Its ok to make it harder for corporations to make money, as long as its fair/reasonable. They'll make better products, that serves people better.

      People > Corporations.

      --
      "The future can only affect the present if there is room to write its influence off as a mistake." - Yakir Aharonov
    7. Re:Great first step by nospam007 · · Score: 3, Informative

      "So if I default on my debts, I can demand that credit reporting companies delete the data?"

      No.

      "If I am a corrupt politician, I can demand that journalists delete any data they have on me, including any ongoing investigations?"

      No.

      "Passing a law requiring facts to just "go away" is the dumbest idea I have heard so far today."

      It has been like that in Europe for years. You can ask the data they have about you and they have to delete wrong data and correct the data that is erroneous. Piece of cake.

  2. Welcome to the 1980's by ledow · · Score: 5, Informative

    Welcome to the 1980's, guys.

    Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

    You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

    How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it.

    1. Re:Welcome to the 1980's by fatquack · · Score: 3, Informative

      In EU privacy law (on which the UK Data Protection Act is based) selling personal information is in principle not allowed. Even giving it away for free is only allowed in a few cases.

    2. Re:Welcome to the 1980's by galadran · · Score: 3, Informative

      Welcome to the 1980's, guys.

      Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

      You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

      How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it.

      I believe the California law goes one further in not just saying what the business knows about you, but who they sold the information to as well. And it's ongoing - as long as your information is passed to a third party, the company has an obligation to notify you of what they passed on.

      The DPA prevents companies from selling the data without your permission. Companies can only process data for the purpose it was collected for, e.g no reusing data without permission. Additionally they may not sell or transfer it to a jurisdiction where the privacy controls are weaker to get around this restriction.

  3. Next step: identify the companies by gclef · · Score: 3, Interesting

    Interesting side problem: how do you know which corporations have data about you? The big companies like Google are known, but there's alot of other data brokers around...how can I demand data from a company I don't know about?