Businesses, privacy activists wrestle over California privacy bill

For privacy advocates, bill a 'foundational step,' but the Chamber of Commerce says proposed law goes too far


Businesses and privacy advocates are squaring off over a proposed law that would make California the first state in the nation to give people the right to see all the information companies have on them and to find out who the data is shared with.

Groups such as the Electronic Frontier Foundation and the American Civil Liberties Union say California Assembly bill AB 1291 would help consumers decide whether they wanted to continue doing business with a company, based on the way it handled their personal information.

To opponents such as the California Chamber of Commerce and TechAmerica, the bill is too broad in defining the information covered and would open businesses up to frivolous lawsuits.

On Monday, lawmakers amended the bill, introduced in February by Democratic Assemblywoman Bonnie Lowenthal, to increase its chances of getting through the Legislature. To opponents, the changes were not enough.

"TechAmerica has some obvious high-level concerns with the bill," said Robert Callahan, director of state government affairs for the industry trade group. "In addition to several of its provisions being unworkable from a compliance standpoint for tech companies, the new language specifically states that any violation of the law will constitute injury to consumer, opening the door wide open for abusive lawsuits."

California has been a leader among states in toughening online privacy laws. In 2004, the state passed the Online Privacy Protection Act that required Web sites to post their privacy policies where it can be easily seen and accessed. Last year, state Attorney General Kamala Harris formed a special unit to prosecute companies that break California's strict privacy laws.

The latest bill, called the Right To Know Act of 2013, deals only with giving people access to personal information. It does not set any limits on the amount of data a company can collect, nor does it say how the data should be secured or whom it can be shared with.

For privacy advocates, the bill is a "foundational step," said Rainey Reitman, activism director for the Electronic Frontier Foundation. Transparency is what the consumer needs to see how their personal data is being used and to decide whether to continue a relationship with a company or website.

"It's important for consumer trust on the Internet," Reitman said.

Nevertheless, from the standpoint of the Chamber of Commerce, the bill goes too far in expanding the definition of personal information to cover not only data that identifies an individual, but also the IP address of personal computers and the device identifiers of smartphones. Such devices are often used in contacting a business or website just to get information.

[Also see: Facing FTC pressure, Apple bolsters privacy, security]

"While we understand that the bill is sponsored by several consumer organizations, it is unworkable, rests on mistaken assumptions about how the Internet works, and would impose costly and unrealistic mandates on California's technology sector with minimal benefit to state residents," the chamber said in a letter to bill sponsor Lowenthal. The letter was signed by more than a dozen other organizations, including insurance, tech and banking groups.

If the bill became law, companies would have to spend more to comply, said Rick Holland, an analyst with Forrester Research. "Time and time again I talk to clients that don't know where all of their data exists, much less how it is actually being used."

For some companies, complying with the law would require auditing the use and storage of customer information across business units. While structured data such as Social Security and credit card numbers would be relatively easy to find, unstructured data, such as dates, numbers and notes stored outside a relational database, would be more difficult to gather.

"This disclosure requirement would significantly raise the cost of compliance," Holland said.

The bill does give companies a way to reduce the amount of data they would have to provide to consumers. For example, data that is altered so it can't be linked to an individual would not be covered. Companies could also become more selective in the information they do keep.

Under the bill, people could request a copy of the information kept by organizations every 12 months. Companies would have 30 days to respond.

The bill is similar to requirements in some European countries.

Privacy has become a major concern for consumers because of the massive amounts of data being collected on them each day from websites and mobile apps. In most cases, consumers do not know what is being gathered or how it is being shared with advertisers or other companies.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)