At first glance, and based on a lot of the press coverage, California's proposed “Right to Know Act 2013” appears to give Californians similar rights of access to personal information stored about them, and how that information is used and disclosed. Although the bill doesn't specificy levels of security or restrictions on disclosure, they are nevertheless implied as a business will need to manage, and control, the sharing of information in order to be able to comply with the act. The “Big Data” implications come from some of the definitions of data within the scope of disclosure: “(A) Any information that identifies or references a particular individual or electronic device, including, but not limited to, a real name, alias, postal address, telephone number, electronic mail address, Internet Protocol address, account name, social security number, driver's license number, passport number, or any other identifier intended or able to be uniquely associated with a particular individual or device.”
"(Q) Location information.
(R) Internet or mobile activity information, including, but not
limited to, Internet Protocol addresses or information concerning the
access or use of any Internet or mobile-based site or service.
(S) Content, including text, photographs, audio or video
recordings, or other material generated by or provided by the
(T) Any of the above categories of information as they pertain to
the children of the customer."
(Source: http://www.leginfo.ca.gov/pub/13-14/bill/asm/ab_1251-1300/ab_1291_bill_20130401_amended_asm_v98.html) This gets particularly interesting when looking at device-based identifiers, which are complex in a number of ways: does disclosure to a customer require records of access / use from all the devices a customer owns or uses? Does that include devices belonging to an employer, or other shared devices like internet cafes or even family PCs or entertainment systems? Where shared device are concerned, where's the boundary? If multiple, or many, individuals use a shared device such as a family PC/home entertainment system/games console, or Internet Cafe/library computer facilites, or workplace IS environments, where is the line drawn when disclosing information? Does all data get disclosed, potentially violating the privacy of others, or is only information about the data subject disclosed? With respect to “the children of the customer”, at what point are the rights of the child protected? After all, the child may be seeking guidance relating to issues they aren't able, or ready, to discuss with the family. This cuts two ways – parents may argue that they want to protect their children from predators, but children may be exploring issues (such as “I want to find out about a certain religion”, “What is the military like as a career choice?” or “I think I'm gay”) which, if revealed at an inappropriate time could be very damaging to family relationships … or in the worst case a child may be seeking help about an abusive or dangerous home environment. What's also interesting is that, in order to comply with some of the more complex or device-related disclosure requirements, businesses or service providers may end up storing much more information about customer's use, access habits and content than might otherwise have been the case… and of course many already do so to enable advertising and other service offerings can be tailored to the needs or interests of the customer. There's no doubt that the whole area of privacy and subject access needs updating. The amount of information collected about individual's use both of the internet and specific devices, especially in the age of always-on smartphones and other personal devices – even ones you mightn't immediately think about. OnStar, a cellphone and assistance service popular in the US and fitted as standard in many cars, was criticised for collecting information even from devices that weren't subject to a service subscription, and in Europe internet-connected vehicle systems have been an option for some time now on premium brands like BMW. Smart electricity metering in the home means whole new areas of life will be online and trackable if not actually tracked. It will be very interesting to follow the final implementation of California's Right to Know Act 2013, how businesses outside California address it and even more interesting to see how it works in practice. Could California follow in the EU's footsteps by giving the impetus to the next evolution of data and privacy management?