If you got Google, Facebook and Microsoft into a room and asked them to compile a list of things that they are most afraid of, that list would probably look something like this:
Getting into a Twitter fight with a Justin Bieber fan
California’s Right to Know Act of 2013
You may not be familiar with California’s Right to Know Act, but you can bet that the largest online retailers and service providers are closely watching the California legislature’s proceedings.
So, what is the “Right to Know Act?”
Assembly Bill 1291, introduced by state Assembly member Bonnie Lowenthal, would amend Section 1798.83 of the California Civil Code to require that any business that retains a customer’s personal information, or discloses customer personal information to a third party, provide, at no charge and within 30 days of receiving a request from a customer, a copy of all information retained about that customer, as well as the names and contact information for all third parties with which that business has shared customer data within the last 12 months. This requirement would apply regardless of whether the business has a relationship with the customer.
Think of it as the data privacy version of that bill that required restaurants to list the number of calories in each food item next to that item on the menu.
What would be the practical effect?
If passed in its current form, it would be difficult to overstate the potential impact on online businesses that retain personally identifiable information. In addition to names, social security numbers, birthdates and similar information, categories of “personal information” can include a user’s IP address, mobile device data and geolocation data, which are often collected on an ongoing basis in the background of services that are provided to consumers. (A complete definition “personal information” and a list of categories of personal information can be found here).
Since the Act requires that the business provide copies of this information to customers who request it, compliance with the Act may require updates to record keeping systems. Moreover, since copies of information must be provided to the customer free of charge, the cost of complying with such requests must either be borne solely by the business or (as is more likely to be the case) factored into the cost of the services or products offered by the business.
Even the limitations in the scope of the Act create potential pitfalls for online businesses. For example, the new definition of “retain” does not include storing information solely for one or more of the following purposes:
to perform a service or complete a transaction initiated by or on behalf of the customer, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services;
to address fraud, security, or technical issues; to protect the disclosing business’ rights or property; or to protect customers or the public from illegal activities as required or permitted by law; or
to comply with applicable law or regulation or with a court order or other legal process where the business has a good-faith belief that the law, regulation, court order, or legal process requires the information to be stored or held.
However, the above exception applies only so long as the information is deleted as soon as it is no longer needed for these purposes. In other words, any business that intends to rely on this exception will likely need to have a system in place to periodically monitor the information it has collected to delete personally identifiable information that is no longer needed for those specific purposes. Such businesses will also need to ensure that the information is not being used for any other purpose, since doing so would also invalidate this exception.
Questions to ask in preparation
The Right to Know Act of 2013 isn’t the law of land yet — it is working its way throught the legislative process and you can track its status here – but as it gets closer to adoption the Act’s ranking in the list of things that online companies are afraid of will only go up. In the meantime, there are certain questions you can consider to help you gauge your preparedness:
Do you know the full scope of information that is collected from your users or customers, including background data that is collected automatically?
Do you have data retention and destruction policies in place to eliminate personally identifiable information that is no longer necessary?
Do you know what personally identifiable information is being collected by all third parties who help you provide services or products? Do you know what data storage, retention and destruction policies those third parties have in place?
For every type of information that is collected, do you have a clear understanding of each way in which the information is used, including for strictly internal purposes like data analytics?
It is essential to ask these questions early because once the Right to Know Act of 2013 gives consumers the right to ask the question, businesses will have to know the answer. As always, Mintz Levin’s data privacy attorneys are available to help you find the answers you need.