Privacy Compliance & Data Security Information on Data Breach Prevention and the Appropriate Response

California Legislature Advances Groundbreaking Privacy “Right to Know Act”


In what amounts to a potential, unprecedented victory for consumers’ right to know how their personal information is used by businesses, California’s "Right to Know Act of 2013" (AB 1291) made further headway by being re-read and amended a second time on Monday, April 1st.  As reported by Ars Technica, the Right to Know Act, which was introduced by California Assembly Member Bonnie Lowenthal, was the result of significant lobbying by the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California.

The current summary of the bill states:

(1) Existing law requires a business to ensure the privacy of a customer’s personal information, as defined, contained in records by destroying, or arranging for the destruction of, the records, as specified. Any customer injured by a business’ violation of these provisions is entitled to recover damages, obtain injunctive relief, or seek other remedies.

This bill would create the Right to Know Act of 2013, would repeal and reorganize certain provisions of existing law, and would provide legislative findings in support thereof.

(2) Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request, as specified, in writing or by e-mail, the names and addresses of the recipients of that information and specified details regarding the information disclosed, except as specified. Existing law requires a business subject to these provisions to provide an address, electronic address, or toll-free telephone or facsimile number that a customer may use to deliver requests for copies of his or her personal information.

This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

(3) Existing law also requires a business that is required to comply with these provisions to provide information to customers regarding its privacy policy and to provide a designated means of preventing disclosure of personal information.

This bill would require a business that is required to comply with these provisions to provide specified notice to the customer of its privacy policies.

(4) Existing law provides that a customer who sustains injury as a result of a violation of these provisions is entitled to specified remedies, including civil penalties.

This bill would also provide that a violation of these provisions is deemed to constitute an injury to the customer for purposes of seeking remedies available under law.

In other words, the Act also gives consumers a private right of action against businesses that do not comply with the Act.

The EFF appears to be quite pleased with the bill, as noted in its press release on April 2nd. The EFF noted that the point of the law is to allow consumers to better understand the vast economy that is data sharing: "This law is about transparency and access, not new restrictions on data sharing. The proposed law wouldn’t limit or restrict sales of data, and it wouldn’t provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy."

It will be interesting to see (1) if the Act continues toward enactment, (2) how companies outside of California, but with information regarding California residents, implement the law, and (3) if this very European-style law catches on in other states.