California’s “Right to Know Act”: Are New Privacy Disclosure Requirements on the Horizon?

And you thought the privacy legal landscape couldn’t get any more challenging to traverse for online operators.  Guess again. California legislators recently proposed a bill that would significantly broaden its “Shine the Light Law,” Cal. Civ. Code § 1798.83.  Enacted ten years ago, the Shine the Light Law became the de facto federal law regulating online privacy, requiring online operators to disclose to consumers how they use and share consumers’ personal information.

The proposed bill (which has come to be known as the “Right to Know Act” (AB 1291)) applies to online operators who have 20 or more employees.  There would be two ways to comply with the bill.  An online operator may provide consumers, upon request, a description of the categories of personal information it has shared with third-party marketers and the names of those marketers. The bill would only require an online provider to respond to each consumer’s request for personal data collection and sharing information once per year.  Alternatively, an online provider may disclose in its privacy policy a free method by which consumers may opt in or opt out of all disclosure of their personal information by the online provider. The bill would not regulate or impose restrictions upon internet operators’ information collection, sharing, or selling practices.

Proponents of the bill argue that it would provide more transparency to consumers about the data collection and sharing practices of online operators. Proponents also contend that the bill would more closely align United States law with the data disclosure laws in Europe, laws with which many online operators in the United States already comply.

Opponents of the bill see things differently.  They argue that the bill is too broad and unworkable. For example, the California Chamber of Commerce contends that the bill unnecessarily expands the definition of “personal information” to include device identifiers.  Opponents also argue that it would be impractical to require online operators to provide the name and address of every entity with which they share consumer information.  Even more harrowing, opponents argue, are the bill’s failure to define what constitutes injury to the consumer and the bill’s stiff penalties.  If an online operator fails to comply, the consumer may recover a civil penalty of up to $500 per violation and up to $3,000 per willful, intentional or reckless violation.  The bill provides, however, that non-willful violations may be cured within 90 days of notice to avoid a penalty.

The bill for the “Right to Know Act” is scheduled for a hearing in the state legislature at the end of this month.