California's Right to Know Act of 2013 (Assembly Bill 1291) permits a consumer to obtain full disclosure upon request of personal information held by a company about the consumer. It is the latest in a long line of privacy initiatives from California, which considers itself a leader in this space. California privacy laws often spread throughout the country, so beyond its impact in California, the Right to Know Act may create significant compliance implications and litigation risks for businesses throughout the country.
California's proactive approach has driven privacy debates nationwide for more than a decade. For example, in 2002, California passed its data breach notification law, and virtually every other state has since followed. In 2004, California passed its Online Privacy Protection Act ("CalOPPA"), which required web sites to post their privacy policies in a location that is easily seen and accessible. Last year, California Attorney General Kamala Harris notified the developers of many popular mobile applications that CalOPPA applied to mobile applications. She began enforcement shortly thereafter.
While it is generally understood that enormous amounts of data about consumers are being collected from the web sites and mobile applications they use, most consumers have very little understanding of specifically what is being gathered or how it is being used. California's Right to Know Act, as currently pending, is designed to give people the right to see all the information that companies have about them, and to understand with whom it is shared. Although this type of transparency already applies in Europe, California's Right to Know Act is the first legislation of its kind in the U.S. Consumer groups, many of which have been lobbying for such protections, claim it will provide consumers the ability to evaluate how a company uses personal information to decide if they want to continue to do business with the company.
Although California's Right to Know Act does not dictate what information can be collected, how it must be stored, or with whom it can be shared, it nonetheless has significant implications. First, it expands the definition of "personal information" to include information such as the IP address of a computer, and device identifiers for smart phones. Second, the bill requires disclosure of all personal information that is held by the business. This includes data that likely is systematically maintained and easily accessible in customer profiles (such as birth date or credit card numbers), but possibly also data that may not be stored systematically (such as customer service notes). Third, the bill provides that a violation "constitutes an injury to a customer" and provides statutory penalties. By declaring a violation to be an injury, the bill attempts to avoid standing challenges to lawsuits on the basis that a violation did not cause an injury, which creates a significant risk of class action litigation.
In light of the potential impact, companies operating in California and elsewhere should acquaint themselves with California's Right to Know Act and how it may impact their business, and, if appropriate, participate in the debate directly or through industry or business groups.