California Law Would Require Companies To Disclose All Consumer Data Collected
Trailrunner7 writes "California, which set the standard for data breach notifications nationwide, is again seeking to set a precedent by becoming the first state in the nation to require companies upon request disclose to California consumers the data they've collected and to whom it was shared during the past year. ... The 'Right to Know Act of 2013,' AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. ... It applies to companies that are both on- and off-line. Privacy advocacy groups such as the EFF wrote Tuesday that the bill could set a precedent for other states, much as California's 2002 Breach Notification Act requiring California data breach victims be notified was later replicated by almost all U.S. states."
That's not all: you'd be able to request a copy of all the data they've stored about you too.
Great first step (Score:5, Interesting)
The next step would naturally be to force the companies to correct the data that they have wrong. For example, one link mentioned a woman who lost a job because she was misidentified as having a criminal record.
Here's to hoping.
Re: (Score:2, Interesting)
Why force them? More accuracy increases the value of the database. I'm certainly not participating in the invasion of my own privacy.
Re:Great first step (Score:4, Insightful)
Why force them? More accuracy increases the value of the database.
Because in many cases the user of the data is not the owner of the data, and by the time you have received their junk mail piece, it is a sunk cost, and they couldn't care less about the accuracy of the DB. There is an entire industry based on renting customer data for one-time use.
Re:Great first step (Score:5, Interesting)
I'm happy to let them spend all the money they want on junk advertising. It's a complete waste of time, effort, and resources on their part, and it costs me nothing but a slightly heavier recycling bin. And it performs a valuable service in informing me who *not* to do business with in the future.
Re: (Score:3)
As far as advertising is concerned, I see your point, and largely agree. They can tailor their advertising as much as they please, since they can't make me see it (unopened junk mail, AdBlockPlus).
But some of this data can affect other real-life interactions, like credit and employment opportunities.
This would be the reason I'd want some visibility and input into this data, the same as we have (now) with credit bureau information.
Re:Great first step (Score:5, Insightful)
This would be the reason I'd want some visibility and input into this data, the same as we have (now) with credit bureau information.
This puts the burden on the wrong party, just like we have now with credit bureau information. The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.
Re: (Score:3)
This would be the reason I'd want some visibility and input into this data, the same as we have (now) with credit bureau information.
This puts the burden on the wrong party, just like we have now with credit bureau information. The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.
It would seem that in most states (California included), the data broker could be brought up on libel/defamatory charges. Wikipedia's article on this [wikipedia.org] points out that some statements are "defamatory per se", notably:
Allegations or imputations "injurious to another in their trade, business, or profession"
It goes on to add that if a statement is "defamatory per se", "damages for such false statements are presumed and do not have to be proven."
Also, IMNAL.
Re: (Score:2)
Just for posterity, the proper acronym is "IANAL" for "I Am Not A Lawyer". The alternative is "IAAL" (I Am A Lawyer) or perhaps "IANYL" (I Am Not Your Lawyer). Perhaps you did not know of the acronym, or perhaps you find it offensive or uncomfortable. Either way, please don't write new acronyms for things that have been well established. If you search a site like Groklaw [groklaw.net], you will see the acronym used heavily.
There is a whole Wiki [wikipedia.org] page devoted to this acronym and its relatives.
Re: (Score:2)
Always happy to help educate, thanks for taking no offense to the post as some may have.
Re: (Score:1)
No, he got it correct - IMNAL is someone who has passed the bar, I'm Maybe Not A Lawyer.
This is just the usual attorney double-speak, but you're right a slightly more experienced lawyer would write IAAL;
one in the business would write IANYL, but could be for the right price (prostitution). JIMHO.
Re: (Score:2)
No, he got it correct - IMNAL is someone who has passed the bar, I'm Maybe Not A Lawyer.
This is just the usual attorney double-speak, but you're right a slightly more experienced lawyer would write IAAL;
one in the business would write IANYL, but could be for the right price (prostitution). JIMHO.
Maybe he/she is just hopeful? as in "I Might Nail A Lawyer...if I hang out in this nightclub a bit longer" ? Just a bit of braggadocio, perhaps? :P
Re: (Score:2)
Also, IMNAL.
Let's see... I... May... Not... Always... Lie. So you're saying, you're not a lawyer.
Re: (Score:2)
The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.
Oh, I agree with you on principle. However, that proposal moves the solution space into the realm of converting our entire industrial energy base to consuming unicorn farts as a counter to anthropogenic global warming. I generally don't get excited about flatly impossible solutions, and anything that shifts liability to a business and away from a consumer is pretty much the legal definition of "impo
Re: (Score:3)
The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.
Yeah I wouldn't mind that one bit. Maybe this would be a different matter, but a couple years ago I almost wasn't given a job because the background check company flagged me as having a criminal record. The person had the same first and last name (but not middle), and birthday (but different year) as me but I was held up for a month and the owner almost moved on to different candidates because of this. It took very little to flag me as a crook, but the burden of proof then fell on my shoulder to exonerate m
Re: (Score:2)
The burden for accuracy should be on the data broker, and they should be liable if they sell incorrect data.
a couple years ago I almost wasn't given a job because the background check company flagged me as having a criminal record.
As long as the background check was not through a credit bureau (they easily escape liability) it is even better for you to find out about issues like that.
You describe an ideal defamation case if you had the actual evidence. To falsely impute a criminal offense is defamation and damages are automatic; if you can show that the defamation also cost you a job or a job offer you could claim rather substantial damages against the background check company.
Do you still have the background check information? H
Re: (Score:1)
If I have something, say - a car, and unknown to me, my brake system was in error, and as a result someone else suffered a loss, am I liable? I would say I am. Criminally liable? I would not think so, but still I feel I am responsible for the loss to the other party.
If I knew the brake system was in error, yet I continued to drive the car, should I then be criminally responsible for my damages to others? I woul
Re: (Score:3)
I recently realized, advertising is targeted at people that advertising works on. Us techie types are more methodical and logical than average, we want specs, facts, and figures; we would never buy something just because Justin Bieber endorses it; but there exist people who would; and this is as utterly incomprehensible to us as our unfashionable clothes are to them.
Re: (Score:2)
False.
Much research has gone into this. Most advertising works by short-circuiting decision making.
You are looking for a bottle of shampoo.
The truly rational decision might be to examine each shampoo for price per wash, health effects, effects on the appearance of your hair, and the possible effects of the ingredients on you.
This may take a couple of weeks for your typical shelf of shampoo.
Advertising is designed to get you to the first step of recognising the product out of a couple of dozen alternatives.
O
Re: (Score:2)
Which is why going shopping for personal toiletries with me is some people's version of hell, because I do read the ingredients of every item, calculate the unit cost (and may stores that post unit quantities in different measures for the same product type (volume vs. weight) die in flames), compare to store brands, etc.
Re: (Score:3)
That would be the "I wish never to do business with you" button on their web site.
Re: (Score:3)
I would say the better second step would be to, upon request, force companies to delete all the data they have on you, and stop tracking you in perpetuity.
So if I default on my debts, I can demand that credit reporting companies delete the data? If I am a corrupt politician, I can demand that journalists delete any data they have on me, including any ongoing investigations? Passing a law requiring facts to just "go away" is the dumbest idea I have heard so far today.
Re:Great first step (Score:4)
Honestly, I don't think that would be a problem.
Man defaults on loans.
Man: "Delete all of the data you have on me."
Equiexperitransunion: "OK. You have been purged from our records."
Man: "Hehehe! Now for phase 2"
*The next day*
Man: "Hello, I would like a signature loan please"
CreditCo: "No."
Man: "But... I have a completely clean record"
CreditCo: "You have no credit record. Therefore you are high risk, and we only make signature loans to people with known good credit histories"
CreditCo: "You may however, apply for the entry level loans we offer to build a credit history. It's at a low rate too!"
Man: "Fine, what's the limit?"
CreditCo: "$250"
Re: (Score:1)
Since nearly every journalist in the world is acting as the agent of a corporation, I would say that journalist most definitely does equal corporation. At least for the purpose referred to by the GP.
Re:Great first step (Score:4, Informative)
"So if I default on my debts, I can demand that credit reporting companies delete the data?"
No.
"If I am a corrupt politician, I can demand that journalists delete any data they have on me, including any ongoing investigations?"
No.
"Passing a law requiring facts to just "go away" is the dumbest idea I have heard so far today."
It has been like that in Europe for years. You can ask for the data they have about you and they have to delete wrong data and correct the data that is erroneous. Piece of cake.
Re: (Score:1)
The next step would naturally be to force the companies to correct the data that they have wrong
A more likely next step is for these companies to pack up and leave California, as so many others have already done. California has the highest unemployment rate in the country, and is rated as the most anti-business in terms of taxation and regulation. This probably is not the best time to be piling on more regulation. The two million unemployed Californians would probably prefer that the politicians focus on incentives for businesses to move into the state rather than out.
Re: (Score:2)
The law refers to companies doing business with California consumers.
No it doesn't. It only applies to companies located in California. Companies can avoid the regulation just by having no presence (and no employees) in California. States have no authority to regulate interstate commerce.
I seriously doubt that companies will cease doing business in the most populous state because of this law.
Just because of this law? Probably not. But because of the very long list of petty regulations that this is being tacked onto? Absolutely. We don't have the highest unemployment rate in the nation for nothing.
Re: (Score:1)
There are already companies that won't ship to or do business with California / NY
Imagine if you tried to create a new Facebook (or whatever) account and you were not able to because California was your home state, and the company decided it would be too much trouble to comply with all that state's demands.
Re: (Score:3)
Imagine if you tried to create a new Facebook (or whatever) account and you were not able to because California was your home state, and the company decided it would be too much trouble to comply with all that state's demands.
No new data harvesters? Nothing of value was lost.
Re: (Score:2)
There are already companies that won't ship to or do business with California / NY /etc residents etc because of onerous regulations.
That just means they're not as efficient as their competitors. You are presumably not suggesting that NO ONE ships to or does business in California or NY?
If you can't handle basic legal compliance work, you have no right to be in business in the 21st Century.
Re: (Score:3, Interesting)
Good riddance to them. As a native Californian, who has lived in other states (Texas, Arizona, etc.), I love that my state laws protect me from corporations' bad practices.
Also, if you were right, we would not be in such a hurry to do business in China. Business goes where the customers are at. There's a VERY high threshold of anti-business practices before a corporation will forgo profits and move on.
It's OK to make it harder for corporations to make money, as long as it's fair/reasonable. They'll make be
Re: (Score:2)
No, this is a stupid law!
1. We are now centralizing all the data to a single point, so hackers have one really good target to get such data.
2. What is to stop the government from further spying on people? Sure my data is spread out across a bunch of companies. But it is all a partial picture of me, so now there will be a spot that has the full picture of me. They can use to figure out where they should redraw the election maps, put me in a place where either I will be placed with the majority to keep them
Re:Great first step (Score:4, Interesting)
1. We are now centralizing all the data to a single point, so hackers have one really good target to get such data.
Really? Where?
now there will be a spot that has the full picture of me
Again, where? Are you planning to contact every company and collate the data they all hold on you, in a single MySQL database attached to the web?
I ask only because nobody else is*
So overnight I become a law abiding citizen to a criminal, where the police will watch me break a law I didn't know I broke, because they see that I have a tendency to do something against the popular fad
How would the police see this? Why would you continue to do it if it was against the law? Are you actually complaining that you can't break the law?
4. How are we going to pay for this. California has a lot of big data companies, that means California will need bigger data just to handle this all.
In the UK it's a cost of doing business. I write to a company with a Subject Access Request, demand all data they hold on me - including HR records, customer records, marketing records, transactional records, paper records and surveillance footage - and they write back saying, "We can only do that if you pay a fee." So I hand over the maximum allowable fee of £10 and they send me.. well, could be a pallet of printouts, could be a DVD, could be a polite letter saying, "I'm sorry, we've never heard of you. Why did you write to us?"
* other than Facebook and Google of course
Re: (Score:2)
Did she have any recourse for wrongful termination?
Re: (Score:2)
A lot of people would be greatly helped if such false information was treated as libel. They showed a callous disregard for the truth of their statements and so should fully compensate her for her losses AND punitive damages.
Most problems of 'identity theft' would also go away if that was done.
Re: (Score:2)
No. The next step is to force them to tell you what they are telling the other person, every time they tell the other person. Otherwise it is just gossip.
The step after that is to allow for suing them for libel if they refuse to correct mistakes.
Of course, the company becomes less than profitable because it requires work to do all that. You can't just take a "business's" claim that they are owed $X amount, and let the company wait patiently until you want to buy a house or car.
Which brings us to the pro
Excellent start (Score:2)
Welcome to the 1980's (Score:5, Informative)
Welcome to the 1980's, guys.
Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.
You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).
How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it?
Re:Welcome to the 1980's (Score:4, Informative)
In EU privacy law (on which the UK Data Protection Act is based) selling personal information is in principle not allowed. Even giving it away for free is only allowed in a few cases.
Re: (Score:3, Informative)
I believe the California law goes one further in not just saying what the business knows about you, but who they sold the information to as well. And it's ongoing - as long as your information is passed to a third party, the company has an obligation to notify you of what they passed on.
The DPA prevents companies from selling the data without your permission. Companies can only process data for the purpose it was collected for, e.g. no reusing data without permission. Additionally they may not sell or transfer it to a jurisdiction where the privacy controls are weaker to get around this restriction.
I want to know who gets it (Score:2)
I'd rather have a law informing me of who is receiving my information. I'm getting nagged by Google all the time to turn my pseudo-anonymous accounts into explicit links to the real me via phone numbers and nagging for my real name. I want to know where all that information is going.
I just got an iPhone with the "Find My Phone" app. It seems to work by posting my phone's location to iCloud. Who has access to that info?
Re: (Score:2)
you do?
just in case you lose your iphone
Re: (Score:3)
The equivalent has existed in France since 1978. There are quite heavy fines and even prison terms for inappropriate collection and use of personal data. There's even been at least one spammer convicted [quinot.org] on the grounds that his use of a list of e-mails constituted illicit use of infringing data.
Next step: identify the companies (Score:4, Interesting)
Interesting side problem: how do you know which corporations have data about you? The big companies like Google are known, but there's a lot of other data brokers around...how can I demand data from a company I don't know about?
Re: (Score:2)
Sounds like an opportunity for a new service to do a blanket request to ALL known corporations for YOUR data, of course as a new startup we get to keep a copy of all requested data for our own nefarious uses.
yeah then all companies would have a record of you existing and where you asked them to send that data.
Re: (Score:2)
Here's some why: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2222822/ [ssrn.com]
Re: (Score:2)
That list is just companies that trade in financial information (credit scores, loan companies, etc). Notice that google doesn't show up in that list at all, but google *definitely* has information about me (whether I like it or not). So, your list is woefully incomplete. I suspect the full list of companies that collect personal information doesn't exist. That's kinda my point. Is the tacit expectation of this law that people will have to find out (somehow...) which companies *might* have information on th
Re: (Score:2)
I just requested a copy of my report from The Work Company (free, once a year - they do salary checks) and guess what... they have full details of every 2 week paycheck from my current job. Last two jobs: nothing. So even my own employer (or their payroll sub) is selling my info.
Good start, but... (Score:3)
They need to add wording so that my data can't be shared without my permission with anyone who doesn't have the same company name. Way too much is being hidden behind "associates" and "partners". Anyone who touches my data should have to accept the same security and legal restrictions/responsibilities as the parent company that collected it. I'm tired of getting those Privacy Notices from everyone I have an account with, written in legalese so generic as to make them useless. If you can take the time to send me a revised privacy statement every six months, then you can take the time to list who your "associate companies" actually are.
Re: (Score:1)
They need to add wording so that my data can't be shared without my permission...
That's all you really needed to say. All this data hoarding and selling by so many companies is ridiculous, even your bank does it and then they send a letter in the mail to the effect:
"If you'd like to opt-out of our wonderful system of making money off your personal information, jump through these flaming hoops and let us know. Otherwise we're going to try to make as much money as possible off your ass.
All of these types of things should be opt-in, they should never be opt-out. I could care fucking le
Re: (Score:2)
Ah yes, but the point isn't that the bastards shared my data... That's necessary to conduct business with me, etc. The point is that there's a difference between a "subsidiary" and an "associate". A subsidiary company is a part of the parent, and to some extent shares legal responsibility for your data. An associate company can be anyone that the parent has an association with. It could be a legit and respected service, or it could be a shady marketing firm who couldn't give a rat's ass about you or your pe
Sort of Done (Score:2)
Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request
This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer
Silicon Valley (Score:1)
Re: (Score:2)
Fight this, no doubt. But if it happens, I'm not sure that companies like Google and Facebook moving out of state would be enough. Since the proposal appears to (based on the summary) apply to California customers, they'd actually have to stop doing business with residents of the state. Seeing as California tends to be the leader on these things, it's probably in their long term interest just to set up the systems necessary to comply.
Impossible to enforce (Score:1)
The only way you can ever know who has what is by accident or by stealing the hard drives. This stuff is too easy to hide.
Implementation (Score:3)
Sounds like an identity thief's dream come true.
Identity Theft (Score:2)
Re: (Score:2)
Well, the bill specifies notification via writing or email. Clearly, no risk of identity theft whatsoever. Also, they specify the info must be provided to the consumer at no charge, so no disincentive to phishers of men that way either.
I, for one, welcome our old government overlords. (Score:1)
That's right, keep The People's attention focused on "spying evil corporations" rather than the real danger from those who spy on you. Government good. Corporations that jam shelves with products evil.
So sayeth your meme overlords. So let it be!
Re: (Score:2)
Thing is, increasingly the government outsources its spying to... those same corporations. Why do it in-house where you have to comply (or at least appear to comply) with a bunch of regulations when you can farm it out to a private company (who's dropping some nice campaign donations on you) that, not being a government agency, doesn't have to comply with any of those regulations?
facebook already has a system for this (Score:2)
They have to comply with this in Europe. Thus they have a push button solution for complying with this. A bunch of other Californian companies don't.
Have they thought this through? (Score:2, Insightful)
I thought one of the growing concerns people had, and at first glance it appears to fall within this bill, is all the pseudonymous "tracking" which various companies do (particularly in advertising), where lots of details can be inferred about a person, and possibly even be cleverly determined to be about a specific person. For example, my computer figures out that you, John Smith on 1234 Fake St in zip code 66666, are into midget porn.
It's a real risk and can happen, and yet also, probably doesn't reliabl
Problems? (Score:2)
So, this presents some challenges to me.
I'm one of the co-founders of WonderProxy (https://wonderproxy.com). Running a global proxy network, you might imagine that we have a fairly large log set. Our billing process involves pulling those logs into a central location, parsing out the information billing cares about (customer & amount transferred) and recording that in aggregate. We store the raw log files in the raw form for some period of time to comply with any sort of warrant from law enforcement (our g
Re: (Score:1)
I wonder what Google thinks about this?
Re: (Score:3)
If you read the bill text you quickly see (without lawyers) that your logs that are held to comply with laws and then deleted afterwards are not considered information your company retains. However you might retain other information and that information needs to be shared with the customer.
Re: (Score:2)
Thanks, I'd read the article, but not the bill text.
Google moves all operations outside of California (Score:3)
Moving in 3, 2, 1....