The proposed legislation is Assembly Bill No. 1291, which was introduced by Assembly Member Lowenthal on February 22, 2013. If passed, the bill would replace some existing privacy-related law.
Specifically, the bill would expand current reporting requirements for businesses that possess or disclose personal information. As described in the bill itself, those requirements would be for:
…any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer.
The reporting requirement in current California law is limited to personal information that is disclosed to a third party for marketing purposes.
How is this bill different from the Attorney General’s mobile app initiative? In a word – clarity.
In contrast to the vagueness of some aspects of the Attorney General’s work, the bill’s key provisions are clear. Who can require a business to report? What does a business need to report? When does a business need to report? How is the report to be provided?
Well, pretty much. The bill hasn’t solved the problem of clearly defining the subject personal information. On the plus side, the bill does adopt personal information as the name for that information. This is as opposed to the odious personally identifiable information, which we have agreed should be purged from all further discussion of privacy matters.
Here is another example of clarity in the bill. It’s an exception to certain nondisclosure requirements:
Disclosure of personal information by a business to a third party pursuant to a written contract authorizing the third party to utilize the personal information to perform services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (I) the contract prohibits the third party from using the personal information for any reason other than performing the specified service(s) on behalf of the business and from disclosing any such personal information to additional third parties and (II) the business effectively enforces these prohibitions.
It’s a shame there isn’t this level of clarity in all legislation. By the way, the subject matter of this provision is commonly addressed in privacy policies, so this clarity is a benefit to all concerned. It’s a good example of how privacy regulation should be handled.
On Thursday we’ll leave the Golden State and move on to some issues of contract law that are of importance to data and technology licensors and licensees. We’ll be back, though.