California Law Would Require Companies To Disclose All Consumer Data Collected

Trailrunner7 writes "California, which set the standard for data breach notifications nationwide, is again seeking to set a precedent by becoming the first state in the nation to require companies upon request disclose to California consumers the data they've collected and to whom it was shared during the past year. ... The 'Right to Know Act of 2013,' AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. ... It applies to companies that are both on- and off- line Privacy advocacy groups such as the EFF wrote Tuesday that the bill could set a precedent for other states, much as California's 2002 Breach Notification Act requiring California data breach victims be notified was later replicated by almost all U.S. states." That's not all: you'd be able to request a copy of all the data they've stored about you too.

Welcome to the 1980's

[ledow]

Welcome to the 1980's, guys.

Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it.

Re:Great first step

[nospam007]

"So if I default on my debts, I can demand that credit reporting companies delete the data?"

No.

"If I am a corrupt politician, I can demand that journalists delete any data they have on me, including any ongoing investigations?"

No.

"Passing a law requiring facts to just "go away" is the dumbest idea I have heard so far today."

It has been like that in Europe for years. You can ask the data they have about you and they have to delete wrong data and correct the data that is erroneous. Piece of cake.

Re:Welcome to the 1980's

[fatquack]

In EU privacy law (on which the UK Data Protection Act is based) selling personal information is in principle not allowed. Even giving it away for free is only allowed in a few cases.

Re:Welcome to the 1980's

[galadran]

Welcome to the 1980's, guys.

Data Protection Act (1984) UK, subsequently revised several times to clarify its intent.

You can write to ANY company, entity or organisation (even a website) and DEMAND all information they are storing on you. They may charge you only a reasonable administrative cost. Even applies to CCTV of yourself (but, obviously, in that case you have to give them enough information to determine who you are on their CCTV systems and can't just expect them to trawl years of video looking for your left arm).

How can you know whether a company is distributing incorrect / damaging information about yourself without the right to demand to see that information, the right to change it where it is erroneous, and the ability to control what they are allowed to do with it.

I believe the California law goes one further in not just saying what the business knows about you, but who they sold the information to as well. And it's ongoing - as long as your information is passed to a third party, the company has an obligation to notify you of what they passed on.

The DPA prevents companies from selling the data without your permission. Companies can only process data for the purpose it was collected for, e.g no reusing data without permission. Additionally they may not sell or transfer it to a jurisdiction where the privacy controls are weaker to get around this restriction.