This is one of those bills that seems like a good idea to the general public. But how do you even define what data is covered, what uses have to be disclosed, and in what level of detail? If someone objects, how do you identify them (if there is no login) enough to avoid collecting any data about them without collecting enough to identify them? The legally required compliance with the law is likely to be a giant wormhole. In the end it will probably make no difference, like the recent EU cookie rule.
This state has previously recognized the importance of
providing Californians with transparency about how their personal
information has been shared by businesses by enacting Section 1798.83
of the Civil Code into law in 2003.
Businesses are now collecting types of personal information
not included in the original law and sharing and selling it in ways
not contemplated or properly covered by the current law.
- Some Web sites are installing up to 100 tracking tools when
consumers visit Web pages and sending very personal information such
as age, gender, race, income, health concerns, and recent purchases
to third-party advertising and marketing companies.
- Third-party data broker companies are buying, selling, and
trading personal information obtained from mobile phones, financial
institutions, social media sites, and other online and brick and
mortar companies.
- Some mobile applications are sharing personal information,
such as location information, unique phone identification numbers,
and age, gender, and other personal details with third-party
companies.
Proposed changes to the 2003 law:
This bill would instead require any business that retains a customer's personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer's specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.