California’s Right to Know Act

California recently introduced “AB-1291 Privacy: Right to Know Act of 2013: disclosure of a customer’s personal information.”  If enacted, the bill would update California’s 2003 “Shine the Light” law (Civil Code Section 1798.80-1798.84) to account for the new data mining technologies and information sharing practices that have proliferated over the past ten years.  According to the bill’s sponsor Assemblymember Bonnie Lowenthal, AB 1291 expands the definition of personal information to include sensitive data, such as location, buying habits, and sexual orientation. By modernizing the requirements, consumers have a right to know not just how their basic information may have been used for junk mail, but also how it’s collected and shared with data brokers, advertisers, and others.”

The 2003 “Shine the Light” law enabled California residents to find out how businesses utilize their personal information.  In general, the law requires most companies (except federal financial institutions and those with less than 20 employees) that do business with California residents to either disclose how personal information is being shared for direct marketing purposes or allow customers to opt out of information sharing.  The law provides Californians the right once a calendar year to obtain free of charge the type of personal data that a business has disclosed to third parties for direct marketing activities and the names and contact information of all third parties that received the personal data.
Since 2003, data mining and behavioral advertising has proliferated beyond what many may have envisioned when the “Shine the Light” law was enacted.  To reign in some of these practices, a coalition of privacy organizations are advocating updating the law to account for new technologies.  According the Wall Street Journal, there has been significant industry backlash against updating the 2003 law. 
The Right To Know Act’s general principles appear to follow the European Union’s philosophy that its citizens have a right to require companies doing business with them to provide them with the type of information that is being collected about them.  Europe’s privacy laws generally provide its citizens more control than the U.S. over how personal data may be utilized.  This was demonstrated when six EU data protection authorities  recently initiated coordinated enforcement measures against Google for failing to fix alleged flaws in its 2012 privacy policy update.  Google’s privacy policy change along with Austrian law student Max Schrems experience with Facebook may have sparked the decision to introduce the Right to Know Act. 
Earlier this year, NBC News reported that Equifax has a database that contains almost 200 million employment and salary records that covers more than a third of all U.S. adults.  Some of these records may include week by week pay stub information.  While it may be troubling that Equifax has acquired this detailed information, at least under the Fair Credit Reporting Act consumers are able to obtain a report once a year about the data that is being collected about them.
Personal privacy may be further damaged by the new new partnership between Facebook and data brokers Acxiom, Epsilon, and Datalogic that is designed to better monetize the content of their users. The FTC is so concerned about some of the practices of data brokers that late last year it announced that it is studying how the industry collects and utilizes consumer data.  In what might be an effort to ward off potential future regulation, Axciomrecently announced it was planning a service to allow consumers to obtain their personal files.     
Should advertisers be able to analyze your personal emails and/or your personal files in the cloud and utilize the information to behavioral advertise and/or combine this information with other digital and/or real world data across multiple platforms to create personal user profiles that may be accessed not only by marketers but also by insurance companies, banks, law enforcement, etc…?  What if due to the types of ads that are processed on a particular email account a company is able to make an inference about one’s sexual orientation, race, religion, etc.. and this inference is utilized for discriminatory purposes? 
The intentions of the law are noble; however, due to the way the bill is currently drafted it may lead to some unintended compliance costs for businesses.  Therefore, I believe the California state legislature should work to find common ground between supporters and opponents of the bill that would increase transparency for consumers without creating an economic hardship on the business community.  
To learn more about these issues you may contact me at

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.  

© 2009-2016 Law Office of Bradley S. Shear, LLC All Rights Reserved.