Internet companies and privacy advocates appear headed for a fight over a proposal to broaden California's so-called Shine the Light Law, which requires online companies to disclose to consumers how their personal information is used.
The so-called "Right to Know Act" (AB 1291) would also require online companies to give users access to any data compiled on them.
Privacy groups say the new bill would give consumers more visibility into the data collection and sharing habits of online companies they interact with. Some industry groups, however, contend that the proposal is too broad -- and is unworkable.
The new bill, sponsored by Assemblywoman Bonnie Lowenthal (D-Long Beach), would broaden the provisions of the 10-year-old Shine the Light Law, which requires disclosure of how personal consumer information is used and how it is shared for direct marketing purposes. Lowenthal's bill would also require online companies to give consumers, on request, specific details on how their personal information is shared with data brokers, online advertisers and application vendors.
Under the proposed law, individual consumers could ask Internet companies like Google and Facebook once a year for a complete accounting of how their data is being collected and used.
The bill gives companies a safe harbor if they take adequate measures to anonymize consumer data before storing or sharing it. In addition, if an online company cannot reasonably link a data profile to a specific person, it would not be obligated to respond to a data disclosure request.
The Right to Know Act helps bring some transparency to how online companies collect and use consumer information, said Rainey Reitman, activism director at the Electronic Frontier Foundation.
The EFF supports the proposed bill.
Most Internet users today are unaware of how much of their personal information is routinely gathered and shared by Internet companies, Reitman said. The proposed legislation would give consumers a view of that, she said.
The proposed law would impose no restrictions on information collection, sharing or selling.
It would not require Internet companies to change current data collection, sharing, storage or security processes, Reitman said. In fact, the provisions contained in the bill are similar to data disclosure laws in Europe, laws that many American online firms must already comply with, she noted.
The bill also provides much flexibility to online firms, said Chris Conley, technology and civil liberties fellow at the American Civil Liberties Union (ACLU) of Northern California.
For instance, instead of having to respond to individual data disclosure queries, an online firm could simply provide just-in-time notices to consumers. The notices could inform consumers of what data of theirs is being collected at a specific moment, and with whom it is being shared, he said.