"While we understand that the bill is sponsored by several consumer organizations, it is unworkable, rests on mistaken assumptions about how the Internet works, and would impose costly and unrealistic mandates on California's technology sector with minimal benefit to state residents," the chamber said in a letter to bill sponsor Lowenthal. The letter was signed by more than a dozen other organizations, including insurance, tech and banking groups.
If the bill became law, companies would have to spend more to comply, said Rick Holland, an analyst with Forrester Research. "Time and time again I talk to clients that don't know where all of their data exists, much less how it is actually being used."
For some companies, complying with the law would require auditing the use and storage of customer information across business units. While structured data such as Social Security and credit card numbers would be relatively easy to find, unstructured data, such as dates, numbers and notes stored outside a relational database, would be more difficult to gather.
"This disclosure requirement would significantly raise the cost of compliance," Holland said.
The bill does give companies a way to reduce the amount of data they would have to provide to consumers. For example, data that is altered so it can't be linked to an individual would not be covered. Companies could also become more selective in the information they do keep.
Under the bill, people could request a copy of the information kept by organizations every 12 months. Companies would have 30 days to respond.
The bill is similar to requirements in some European countries.
Privacy has become a major concern for consumers because of the massive amounts of data being collected on them each day from websites and mobile apps. In most cases, consumers do not know what is being gathered or how it is being shared with advertisers or other companies.
Read more about data privacy in CSOonline's Data Privacy section.