California Law Would Require Companies To Disclose All Consumer Data Collected 119
Trailrunner7 writes "California, which set the standard for data breach notifications nationwide, is again seeking to set a precedent by becoming the first state in the nation to require companies upon request disclose to California consumers the data they've collected and to whom it was shared during the past year. ... The 'Right to Know Act of 2013,' AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. ... It applies to companies that are both on- and off- line Privacy advocacy groups such as the EFF wrote Tuesday that the bill could set a precedent for other states, much as California's 2002 Breach Notification Act requiring California data breach victims be notified was later replicated by almost all U.S. states."
That's not all: you'd be able to request a copy of all the data they've stored about you too.
Re:Great first step (Score:4, Insightful)
Why force them? More accuracy increases the value of the database.
Because in many cases the user of the data is not the owner of the data, and by the time you have received their junk mail piece, it is a sunk cost, and they couldn't care less about the accuracy of the DB. There is an entire industry based on renting customer data for one-time use.
Have they thought this through? (Score:2, Insightful)
I thought one of the growing concerns people had, and at first glance it appears to fall within this bill, is all the pseudonymous "tracking" which various companies do (particularly in advertising), where lots of details can be inferred about a person, and possibly even be cleverly determined to be about a specific person. For example, my computer figures out that you, John Smith on 1234 Fake St in zip code 66666, are into midget porn.
It's a real risk and can happen, and yet also, probably doesn't reliably happen. That is, I can figure out that this midget-porn-lover is very likely to be a guy in zipcode 66666, and if I were to combine some of the things I know with another database, which I may or may not have, I might determine it's very likely John Smith. But I don't know, and I can't turn the inferences around and really say what John Smith's porn preferences are. If I try really hard (to a degree that I would never be commercially motivated to, and therefore wouldn't do unless someone pointed a gun at me and demanded it), then I really will sometimes make mistakes, and mistakenly attribute Joe Schmoe's porn preferences as being John Smith's.
If you make a law that I need to be able to tell John Smith what I think about him (an opinion which I don't really have) and make me liable for mistakes (make my opinion become critically important) then I need to DE-ANONYMIZE my data, and make the extra effort to join other databases so that I can resolve things more reliably.
I need to make the "privacy nightmare" that everyone is worrying about worse. Thanks, State of California. Just as your left hand sasys the corporations are the real Big Brother, right hand is there to assure us that no, government will always remain the primary threat. By force and good intentions, if necessary.
Re:Great first step (Score:5, Insightful)
This would the reason I'd want some visibility and input into this data, the same we have (now) with credit bureau informatino.
This puts the burden on the wrong party, just like we have now with credit bureau information. The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.