New California "Right to Know" Act Would Let Consumers Find Out Who Has Their Personal Data -- And Get a Copy of It

Let’s face it: most of us have no idea how companies are gathering and sharing our personal data. Colossal data brokers are sucking up personal facts about Americans from sources they refuse to disclose. Digital giants like Facebook are teaming up with data brokers in unsettling new ways. Privacy policies for companies are difficult to read at best and can change in a heartbeat. And even savvy users are unlikely to fend off the snooping eyes of online trackers working to build profiles of our interests and web histories.

So what can we do about it? A new proposal in California, supported by a diverse coalition including EFF and the ACLU of Northern California, is fighting to bring transparency and access to the seedy underbelly of digital data exchanges. The Right to Know Act (AB 1291) would require a company to give users access to the personal data the company has stored on them—as well as a list of all the other companies with whom that original company has shared the users' personal data—when a user requests it. It would cover California residents and would apply to both offline and online companies. If you live in California, click here to support this bill.

Under current California law, customers can contact companies and ask for an accounting of disclosures for direct marketing purposes—basically, a list of what companies got your personal data for them to send you junk mail, spam, or call you on the phone—and general facts about what types of data were disclosed. For example, if you went to PetSilly and bought dog bones, and then PetSilly sold your data to 17 companies that were using it for direct marketing, you could ask PetSilly for an accounting of disclosures. PetSilly would have to provide you with the names of those 17 companies as well as what categories of information were disclosed (name, address, phone number, etc).

The new proposal brings California's outdated transparency law into the digital age, making it possible for California consumers to request an accounting of all the ways their personal information is being trafficked—including with online advertisers, data brokers, and third-party apps. So while current law provides information about data exchanged for direct marketing, the Right to Know Act would update existing transparency law to ensure that users could track the flow of their data from online interactions. It also updates the definitions in the law in important ways, including adding location data—a sensitive data set not adequately protected by current law.

It's not just about knowing what a company is sharing, it’s about knowing what a company is storing. The new proposal would require companies to make available, free of charge, access to or a copy of the customer's personal information. That means you the consumer will really know what information a company has about you.

Lots of people around the world already enjoy these rights. This law mimics the rights of data access already available to users in Europe, which means that most of the big tech companies should already have systems in place to facilitate user access.

This law is about transparency and access, not new restrictions on data sharing. The proposed law wouldn't limit or restrict sales of data, and it wouldn't provide additional security measures for how data is stored or new requirements for anonymization. While those are all important issues to consider, the law is actually far more basic. It helps consumers, regulators, policymakers, and the world at large shine a light onto the largely hidden, highly lucrative world of the personal data economy. 

The Right to Know Act is written specifically to ensure that companies big and small will be able to tell Californians how they’re collecting and sharing your personal data. You ask and they tell you what they have collected, the list of companies they gave your data to, and general facts about what kind of data was handed over (like “sexual information ” and "address"). However, the law has three important safeguards to make sure that even little startups with limited resources will be able to comply:

1. Companies can choose to not store unnecessary data.  Or, if they must retain information, they could take protective measures of de-identify user d<