California’s “Right to Know Act”: Are New Privacy Disclosure Requirements on the Horizon?
And you thought the privacy legal landscape couldn’t get any more challenging to traverse for online operators. Guess again. California legislators recently proposed a bill that would significantly broaden the state’s “Shine the Light Law,” Cal. Civ. Code § 1798.83. Enacted ten years ago, the Shine the Light Law became the de facto federal law regulating online privacy, requiring online operators to disclose to consumers how they use and share consumers’ personal information.
Proponents of the bill argue that it would provide more transparency to consumers about the data collection and sharing practices of online operators. Proponents also contend that the bill would more closely align United States law with the data disclosure laws in Europe, laws with which many online operators in the United States already comply.
Opponents of the bill see things differently. They argue that the bill is too broad and unworkable. For example, the California Chamber of Commerce contends that the bill unnecessarily expands the definition of “personal information” to include device identifiers. Opponents also argue that it would be impractical to require online operators to provide the name and address of every entity with which they share consumer information. Even more harrowing, opponents argue, are the bill’s failure to define what constitutes injury to the consumer and the bill’s stiff penalties. If an online operator fails to comply, the consumer may recover a civil penalty of up to $500 per violation and up to $3,000 per willful, intentional or reckless violation. The bill provides, however, that non-willful violations may be cured within 90 days of notice to avoid a penalty.
The bill for the “Right to Know Act” is scheduled for a hearing in the state legislature at the end of this month.