California's Right to Know Act of 2013 (Assembly Bill 1291)
permits a consumer to obtain full disclosure upon request of
personal information held by a company about the consumer. It is
the latest in a long line of privacy initiatives from California,
which considers itself a leader in this space. California privacy
laws often spread throughout the country, so beyond its impact in
California, the Right to Know Act may create significant compliance
implications and litigation risks for businesses throughout the
country.
California's proactive approach has driven privacy debates
nationwide for more than a decade. For example, in 2002, California
passed its data breach notification law, and virtually every other
state has since followed. In 2004, California passed its Online
Privacy Protection Act ("CalOPPA") that required web
sites to post their privacy policies in a location that is easily
seen and accessible. Last year, California Attorney General Kamala
Harris notified the developers of many popular mobile applications
that CalOPPA applied to mobile applications. She began enforcement
shortly thereafter.
While it is generally understood that enormous amounts of data
about consumers are being collected from the web sites and mobile
applications they use, most consumers have very little
understanding of specifically what is being gathered or how it is
being used. California's Right to Know Act, as currently
pending, is designed to give people the right to see all the
information that companies have about them, and to understand with
whom it is shared. Although this type of transparency already
applies in Europe, California's Right to Know Act is the first
legislation of its kind in the U.S. Consumer groups, many of which
have been lobbying for such protections, claim it will provide
consumers the ability to evaluate how a company uses personal
information to decide if they want to continue to do business with
the company.
Although California's Right to Know Act does not dictate what
information can be collected, how it must be stored, or with whom
it can be shared, it nonetheless has significant implications.
First, it expands the definition of "personal
information" to include information such as the IP address of
a computer, and device identifiers for smart phones. Second, the
bill requires disclosure of all personal information that is held
by the business. This includes data that likely is systematically
maintained and easily accessible in customer profiles (such as
birth date or credit card numbers), but possibly also data that may
not be stored systematically (such as customer service notes).
Third, the bill provides that a violation "constitutes an
injury to a customer" and provides statutory penalties. This
creates a significant risk of class action litigation, because the
statutory language attempts to foreclose standing challenges that
argue a violation did not cause an injury.
In light of the potential impact, companies operating in
California and elsewhere should acquaint themselves with
California's Right to Know Act and how it may impact their
business, and, if appropriate, participate in the debate directly
or through industry or business groups.