From revelations of widespread NSA spying to high profile data breaches, transparency about how personal information is collected, used, and disclosed is more important than ever. California has long been at the forefront of transparency efforts. With updates to the California Online Privacy Protection Act and data breach notification law passed this year and a bill to modernize the 2003 Shine the Light law up for a vote in January, the state is continuing to lead the way.
In our new ACLU of California policy paper, Losing the Spotlight: A Study of California’s Shine the Light Law, we take a close look at the state’s landmark transparency law as it turns a decade old. We examine why it’s important and whether it’s continuing to provide transparency about the “who, what, where, and when” of how a business handles personal information. We also highlight public support for transparency and draw specific lessons that can inform policymakers and businesses seeking to protect privacy and increase transparency about data collection, use, and sharing in the modern digital era.
Our major takeaways:
- Transparency really does work, and in three important ways. It incentivizes companies to take steps that are good for consumer privacy and good for business, facilitates public knowledge about issues that leads to policy change, and empowers consumers to make more privacy-protective choices.
- Consumers are very concerned about how their personal information is being collected and shared, and rightfully so because information landing in the hands of data brokers, third party advertisers, and applications has led to a wide range of harms. Seniors have been scammed. Americans have been denied jobs and mortgages. Pregnancies, health concerns, and sexual orientation have been revealed too.
- Californians cannot effectively use the Shine the Light law to learn what is happening to their personal information due to obsolete provisions and large loopholes.
Our suggestions to ensure that transparency measures work effectively for both consumers and companies in the modern digital world:
- Consumers should be able to learn what personal information companies collect and disclose about them.
- Transparency rights should encompass a wide array of personal information, including location and sexual orientation information, and should reach businesses that consumers may not directly interact with, such as online advertisers and data brokers.
- The process for learning how personal information has been collected and shared should be straightforward and quick for consumers.
- Transparency requirements should be flexible for companies to implement and balance legitimate business and security concerns with fair enforcement.
We are encouraged that policymakers at the state, federal, and international levels are focusing on transparency’s important role in protecting privacy, and we applaud initial efforts by businesses to increase transparency about government demands for information.
Almost 100 years ago, U.S. Supreme Court Justice Louis Brandeis said that sunlight is the “best of disinfectants.” Echoing Justice Brandeis’ classic observation, Federal Trade Commission Chairwoman Edith Ramirez recently emphasized the “need to move commercial data practices into the sunlight” in order to “empower consumers to make sure they are being treated fairly.” More needs to be done, and our study of California’s Shine the Light law seeks to help chart a path forward.
Click on the link in the right-hand column to read the full report and for more information and resources about California’s Shine the Light law.