Header graphic for print
Privacy Law Blog

Shine the Light a Little Brighter – Changes Resulting in Increased Customer Access Proposed to California’s “Shine the Light” Act

Posted in California, Data Privacy Laws, Online Privacy

California Assembly Member, Bonnie Lowenthal, recently introduced the “Right to Know Act of 2013″ (AB 1291), which would require any company that retains a  California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a list of all third parties with whom it has shared the resident’s data during the previous 12 months, the contact information of such third parties, and the types of personal information that was shared. In contrast to the existing Shine the Light Act, this legislation would not be limited to data sharing for direct marketing purposes, and would not provide exceptions for companies that maintain an opt-in or opt-out policy for data sharing.  Moreover, the legislation’s definition of “personal information” is broader, and includes data such as online usage information. Also, the legislation would apply to businesses even if they do not have a direct relationship with the California resident, such as data aggregators and online ad networks.  Additional requirements also exceed what is present in the existing law.  If a company does not comply, California residents would be empowered to file a civil suit to force compliance. The law does not distinguish between brick-and-mortar businesses and online companies.

Although the Right to Know Act contains certain provisions intended to prevent abuse, it provides for an unprecedented level of data access for California residents. Under CA Civil Code § 1798.83 (better known as the Shine the Light Act), California residents may request from a company an accounting of disclosures made to third parties for direct marketing purposes, as well as general facts about the types of data disclosed. The Right to Know Act would allow California residents to know all of the ways that their personal information is being shared – including via online interactions – with the exception only of data sharing with service providers who are only permitted to use the information to provide service to the company.

The Right to Know Act provides that in lieu of responding to individual California resident requests, a company can provide a California resident with a notice about what data will be disclosed and to whom— prior to or immediately following a disclosure. In addition, a company would only have to provide each California resident with the required information once every 12 months.

The bill is expected to be debated by California legislators within the next few months.