When Austrian law student Max Schrems wanted to know what information Facebook had about him, all he had to do was ask. In turn, the social networking service gave him a 1,200-page report of friend lists, photos, records of chats, “likes,” “pokes,” people he unfriended, material he “deleted,” and event invitations.
As a resident of Europe, Schrems was entitled to that information because the EU's broad privacy laws give people the right to demand data about themselves that's held by companies.
Now, a lawmaker in California has proposed a bill that would give state residents that same right. State Assembly member Bonnie Lowenthal recently introduced the Right to Know Act (AB 1291), which would require Web companies to share with consumers the “personal” information that's been collected about them upon request. The measure also would require companies to disclose which ad networks, data brokers, or other third parties have received consumers' data.
The measure defines personal information broadly as “any information that identifies or references a particular individual or electronic device.” That type of information includes names, email addresses, IP addresses and unique cookies. It also includes any inferences that companies make about consumers -- such as whether they're likely to purchase a new car in the next few months.
The bill updates and expands California's 2003 Shine the Light law, which provides that companies selling customer lists must allow state residents to either opt out, or learn who is purchasing their names.
The measure is backed by the ACLU of Northern California. Chris Conley, technology and civil liberties policy attorney with the group, says the bill will enable consumers to make better decisions about the use of their data. (People obviously can't prevent all types of data collection, but often can opt out of certain types of information-sharing.)
He adds that the proposed law will make it easier for people to understand how everyone -- from big retailers to mom-and-pop Web sites -- handles consumers' information.
The ACLU is better known for trying to curb data collection by the government than by marketing companies, but Conley says the issues could be related. For instance, law enforcement authorities conceivably could demand that a marketing company or data broker share its information about consumers. But if marketing companies don't collect information, or don't store it in a way that's linkable to individuals, then there's less data available for the government. The scenario might sound far-fetched, but it's worth remembering that several years ago, government lawyers asked search engine operators to provide data about millions of queries.
A broad array of business groups, including the California Chamber of Commerce, Direct Marketing Association, NetChoice (which represents AOL, eBay, Overstock others) and TechAmerica (made up of companies like Google, Microsoft and Facebook), oppose the measure.
NetChoice executive director Steve DelBianco points out that the bill in its current form would require disclosure of information relating to all cookies, including ones that aren't shared with third parties for marketing purposes -- like cookies used for site optimization. “There's some implication now that this is sensitive information that's worthy of protection by the state of California,” he says. “You've stigmatized something as benign as a session cookie.”
He adds that Web companies could find it logistically difficult to compile information about those kinds of cookies and organize it in a way that it could be shared with consumers.
Unlike the Shine the Light law, which only applies to companies of 20 or more people, the new law would apply to companies of all sizes -- including small startups. DelBianco says that compliance would be difficult for very small companies.
Lawmakers in California are expected to consider the bill in early May.