California companies may be forced to disclose the information they hold on users


AB 1291, the Right to Know Act, is a proposed California law that would require companies to disclose, within 30 days of a request but no more than once in any 12-month period, what data they hold on their users and what use they make of it. It “will modernize current privacy law and give Californians an effective tool to monitor how personal information, including about health, finances, your location, politics, religious, sexual orientation, buying habits, and more, is being collected and disclosed in unexpected and potentially harmful ways,” explains the ACLU of Northern California.

Europeans already enjoy such a right, and it is likely to be strengthened by the proposed EU Data Protection Regulation (which now also adds a technically problematic ‘right to be forgotten’ concept). US citizens have no equivalent right. EFF, however, hopes that if the bill passes in California it will spread outwards, first across the US and then around the world. “California has a reputation for passing important laws around consumer protection,” it notes, adding, “what happens in California can prove to have positive benefits for users all over the country (and sometimes the world).” It points to California’s Online Privacy Protection Act (CalOPPA) and its requirement for a conspicuously posted privacy policy, which has since become the norm everywhere.

EFF is hopeful that the bill will succeed. “This law,” it says, “is about transparency and access, not new restrictions on data sharing. The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization.” But California is home to many of the big companies currently lobbying the European Union, ferociously by some accounts, to soften the impact of the Data Protection Regulation. Those same companies do not yet appear to have turned their attention to the Right to Know Act.

It is also worth noting that the existing European ‘right to know’ is not considered very effective in practice. The ‘Europe versus Facebook’ organization has a long-running campaign to make Facebook more open. It states, “Facebook has made it more and more difficult to get access to your data. Users get routed to a ‘download tool’ that only gives you a copy of your own profile, which is only a fraction of all data Facebook stores about you. You can make a complaint to the Irish Data Protection Commission, but the Commission seems to turn down all complaints that were filed.” So despite a legal right to know in Europe, Europeans have difficulty actually exercising it.

Whether a US law, if passed, would be any more effective remains to be seen. “Remember the Compliance Lifecycle,” notes Rich Mogull, CEO of Securosis. “Laws are proposed, then passed, then responsibility is assigned to an enforcement body, then they interpret the law, then they start enforcement, then we play the compensating controls game, then the courts weigh in, and life goes on.”

He warns, however, that claims that the bill imposes no additional data protection requirements are simply untrue. In particular, he suggests, “You will need mechanisms to securely share the data with customers. This will likely be the same as what healthcare and financial institutions do today (generally email encryption).” Companies would also need better auditing of what data is shared with whom, since they cannot disclose what they do not track.
