Businesses, privacy activists wrestle over California privacy bill

Businesses and privacy advocates are squaring off over a proposed law that would make California the first state in the nation to give people the right to see all the information companies have on them and to find out who the data is shared with.

Groups such as the Electronic Frontier Foundation and the American Civil Liberties Union say California Assembly bill AB 1291 would help consumers decide whether they wanted to continue doing business with a company, based on the way it handled their personal information.

To opponents such as the California Chamber of Commerce and TechAmerica, the bill is too broad in defining the information covered and would open businesses up to frivolous lawsuits.

On Monday, lawmakers amended the bill, introduced in February by Democratic Assemblywoman Bonnie Lowenthal, to increase its chances of getting through the Legislature. To opponents, the changes were not enough.

"TechAmerica has some obvious high-level concerns with the bill," said Robert Callahan, director of state government affairs for the industry trade group. "In addition to several of its provisions being unworkable from a compliance standpoint for tech companies, the new language specifically states that any violation of the law will constitute injury to consumer, opening the door wide open for abusive lawsuits."

California has been a leader among states in toughening online privacy laws. In 2004, the state passed the Online Privacy Protection Act, which required Web sites to post their privacy policies where they can be easily seen and accessed. Last year, state Attorney General Kamala Harris formed a special unit to prosecute companies that break California's strict privacy laws.

The latest bill, called the Right To Know Act of 2013, deals only with giving people access to personal information. It does not set any limits on the amount of data a company can collect, nor does it say how the data should be secured or whom it can be shared with.

For privacy advocates, the bill is a "foundational step," said Rainey Reitman, activism director for the Electronic Frontier Foundation. Transparency lets consumers see how their personal data is being used and decide whether to continue a relationship with a company or website.

"It's important for consumer trust on the Internet," Reitman said.

Nevertheless, from the standpoint of the Chamber of Commerce, the bill goes too far in expanding the definition of personal information to cover not only data that identifies an individual, but also the IP address of personal computers and the device identifiers of smartphones. Such devices are often used in contacting a business or website just to get information.


"While we understand that the bill is sponsored by several consumer organizations, it is unworkable, rests on mistaken assumptions about how the Internet works, and would impose costly and unrealistic mandates on California's technology sector with minimal benefit to state residents," the chamber said in a letter to bill sponsor Lowenthal. The letter was signed by more than a dozen other organizations, including insurance, tech and banking groups.

If the bill became law, companies would have to spend more to comply, said Rick Holland, an analyst with Forrester Research. "Time and time again I talk to clients that don't know where all of their data exists, much less how it is actually being used."

For some companies, complying with the law would require auditing the use and storage of customer information across business units. While structured data such as Social Security and credit card numbers would be relatively easy to find, unstructured data, such as dates, numbers and notes stored outside a relational database, would be more difficult to gather.

"This disclosure requirement would significantly raise the cost of compliance," Holland said.

The bill does give companies a way to reduce the amount of data they would have to provide to consumers. For example, data that is altered so it can't be linked to an individual would not be covered. Companies could also become more selective in the information they do keep.

Under the bill, people could request a copy of the information kept by organizations every 12 months. Companies would have 30 days to respond.

The bill is similar to requirements in some European countries.

Privacy has become a major concern for consumers because of the massive amounts of data being collected on them each day from websites and mobile apps. In most cases, consumers do not know what is being gathered or how it is being shared with advertisers or other companies.
