Sophos Cloud Optix
Stop me if you’ve heard this one:
A consumer goes into a bar and walks up to a data broker.
“So tell me, where do you get data on me and 500 million other consumers?” she asks.
“Drop dead,” the data broker says.
It’s not a good punchline, but it is, more or less, the punchline given by nine data brokers (Acxiom, Epsilon, Equifax, Experian, Harte-Hanks, Intelius, FICO, Merkle and Meredith Corp.) when the US Congress asked them, last fall, to name their data sources and to explain what they’re doing with the privacy-obliviating data they collect and compile.
The dossiers, as ZDNet’s Violet Blue describes, are secret.
The data brokers’ responses to Congress amounted to fluffy PR. They are listed on Massachusetts Congressman Ed Markey’s website here.
Their coyness has irked the Californian legislature, which is poised to put its heavy foot down in the form of The Right to Know Act (AB 1291).
That legislation would require companies to give users access to the personal data stored on them, along with a list of all the other companies a given company has shared users’ personal data with, whenever a user requests it.
The bill, supported by a coalition that includes the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) of California, would cover California residents and would apply to both offline and online companies.
According to the EFF, under current California law, customers can ask what companies are doing with data and what companies have your personal data for marketing purposes, plus general facts about the type of data.
The EFF gives this example:
If you went to PetSilly and bought dog bones, and then PetSilly sold your data to 17 companies that were using it for direct marketing, you could ask PetSilly for an accounting of disclosures. PetSilly would have to provide you with the names of those 17 companies as well as what categories of information were disclosed (name, address, phone number, etc).
The proposed act would expand what the EFF calls an outdated transparency law, making it possible for consumers to find out all the myriad ways companies are profiting from the trafficking of their personal information, and updating the existing law to include digital-era data types such as location data.
One thing the law would specifically not do is limit data sharing or restrict its sale. Nor would it require additional security measures for data storage or anonymization.
In fact, the EFF says, The Right to Know Act is “written specifically to ensure that companies big and small will be able to tell Californians how they’re collecting and sharing your personal data,” and it includes these three safeguards to ensure that even small companies with limited resources won’t find it onerous to comply:
- Companies can choose to not store unnecessary data. Or, if they must retain information, they could take protective measures to de-identify user data before retaining or disclosing it. Taking such measures would mean companies would not have to respond to data disclosure requests.
- If a company doesn’t want to respond to individual requests for data disclosures, it can provide you with a notice about what data will be disclosed and to whom—just before or after it happens.
- Companies only have to provide each user an accounting once every 12 months. This safeguards against any repetitive requests.
The act would allow the US to begin to catch up with Europeans’ superior consumer rights to data access.
One need look no further for examples of Europe’s superiority in this regard than to the tale of Max Schrems, the Viennese man who squeezed 1,200 pages worth of his personal-data dossier from Facebook and who then filed 22 complaints with the Irish Data Protection Commissioner based on what he found.
Where is the US’s Irish Data Protection Commissioner?
If the act passes in California and is emulated by other states (California is, in fact, a leader in consumer privacy rights), perhaps the USA’s own DPC will have a chance to emerge.
The EFF has provided this site for Californians to register support for the act.
If you don’t live in California, please pass the link on to those in your network who do.
It’s high time for the US to emulate Europe’s example.
Binary eye image from Shutterstock.
I haven't read them all but I took a quick look at a few and the answers about deleting data. Acxiom's response is ridiculous "We consider correction a form of deletion. We also consider suppression a form of deletion." Experian at least admits they don't delete which is accurate because, as we all know, nothing can ever actually be deleted once it is recorded – there's a tape or HDD somewhere with the data.
Intelius:
"Through the opt-out process, individuals can remove records from appearing within people search results, as described in our Privacy Policy."
That's probably as good as you're going to get – a promise not to show some data. However, the records will always be there and you're going to be vulnerable to someone making a mistake and reshowing that data after you asked them not to.