California legislation, called the “Right to Know Act of 2013” (AB 1291), would, if passed, considerably alter how businesses must comply with the existing California Shine the Light Act. In February 2013, California Assembly Member, Bonnie Lowenthal, first introduced the Right to Know Act, which would repeal Shine the Light and impose new information disclosure duties on any company doing business with California consumers.
Under Shine the Light, which was enacted in 2003, companies that share California residents’ personal information with third parties who use that information for their own direct marketing purposes are required to allow the California resident to opt-out of the sharing or, upon request from the resident, must provide a detailed disclosure of the kinds of personal information that was shared and the names of the parties who received such information.
The new law expands these obligations in a number of ways. First, it would apply to all businesses, whether online or offline, that retain personal information of California residents. Thus, the applicability of Right to Know is significantly broader than Shine the Light, which only applies to businesses that have an “established business relationship” with the California resident. Second, businesses would be required to, upon request, provide a copy of all personal information concerning a particular resident, including the categories of information disclosed to third parties over the past 12 months, as well as the name and contact information for those third parties. Only California residents would be permitted to request this information, and businesses would be required to respond within 30 days and not charge for providing the information. Notably, the law would include any information that was given to a third party – unlike Shine the Light, which only applies to information that is provided to a third party for its direct marketing purposes. However, disclosures made to vendors for the purpose of providing a specified service would not have to be disclosed.
California legislators are also focused on other consumer privacy issues. Senator Elle Corbert, the majority leader of the California Senate recently introduced an amended version of SB 501, which would require social networking sites to remove certain user personal information upon request or for minors younger than 18 years of age, upon the request of a parent or legal guardian. Such information that could be removed would include address, telephone numbers, social security numbers, bank account numbers and credit card numbers.
As our previous blogs regarding a variety of topics – such as mobile privacy, online privacy, mobile applications, social networking, enforcement and mobile app developers – indicate, California legislators and regulators are very focused on consumer privacy issues and, as such, companies that interact with California residents should be cognizant of the ongoing legislative and regulatory developments.