Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.
Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.
While innocuous on their face because they do not threaten litigation, the requests are a potential trap for businesses that lack mechanisms to ensure compliance. Entities doing business with California residents should take heed of the law and implement appropriate policies and procedures to avoid claims of noncompliance and the civil penalties that may be recovered for it.
Who Is Subject to the Law?
Passed by the California legislature more than 20 years ago and a predecessor to the California Consumer Privacy Act, the law applies to for-profit businesses with 20 or more full-time or part-time employees that collect “personal information” from California residents during the creation or throughout the duration of an “established business relationship” that is primarily for personal, family, or household uses, and disclose that “personal information” to third parties for the third parties’ direct marketing purposes. The law applies to online and offline businesses, including those with no physical location in the state of California. The law exempts, among others, financial institutions that are subject to, and in compliance with, the California Financial Information Privacy Act.
What Does the Law Require?
Under the law, a customer has the right to request from a covered business, once per calendar year, an accounting of the categories of personal information about the customer that the business has disclosed to third parties for direct marketing purposes, along with the names and addresses of those third parties. If the covered business cannot reasonably determine the nature of the third party’s business from its name, the covered business must provide examples of the products or services marketed by the third party, if known to the covered business, to clarify the nature of the third party’s business.
Covered businesses are required to establish a method of receiving such requests and take steps to ensure that information is made available. A covered business that receives a request for an accounting under the law has 30 days to respond, provided the request was received by the method(s) dictated by the business (e.g., by mail, email, or a toll-free telephone or facsimile number). If the request is received through another method, the business must respond within a reasonable time not to exceed 150 days.
A business can comply with the law by providing the requested accounting free of charge within the time prescribed under the law, or by adopting and publicly disclosing a privacy policy that (i) includes language that the business does not disclose a customer’s personal information to third parties for the third parties’ direct marketing purposes unless the customer first affirmatively agrees to such disclosure, or (ii) includes a policy of not disclosing a California customer’s personal information to third parties for the third parties’ direct marketing purposes if the customer has exercised an option that prevents the disclosure. For the latter, the business must notify the customer of his or her right to prevent the disclosure of personal information and provide a cost-free means of doing so.
Key Definitions for Interpreting the Law
Under the law, a “customer” is defined as an individual who is a resident of California and provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family, or household purposes.
An “established business relationship” under the law is a relationship formed by voluntary, two-way communication between a business and a customer, with or without consideration, for the purpose of purchasing, renting, or leasing property or obtaining a product or service, that (i) is ongoing and has not been expressly terminated, or (ii) is not ongoing and was established solely by the purchase, rental, or lease of property or the purchase of a product or service, provided that the purchase, rental, or lease occurred within the last 18 months.
The law defines “personal information” broadly to encompass numerous data elements including, but not limited to, a name and address, phone number, email address, age or date of birth, height, weight, names, number, age, and gender of children, occupation, race, religion, education, political party affiliation, medical information, financial account information, information regarding the products or services purchased, leased or rented, payment history, and information related to creditworthiness, assets, income, or liabilities.
The law defines “direct marketing purposes” as the use of personal information to market products or services directly to individuals for personal, family, or household uses. Direct marketing purposes do not include, however, the use of personal information in certain circumstances, such as to raise funds from and communicate with individuals regarding politics and government, use by a third party when the third party receives the personal information as a result of acquiring ownership of accounts that may contain personal information, and use by a tax-exempt charitable or religious organization to solicit charitable contributions.
Moreover, the law provides that a number of disclosures to a third party are not deemed to be disclosures of personal information for the third party’s direct marketing purposes when made pursuant to certain contracts or arrangements. Among these are disclosures made in connection with the joint marketing of a product or service, provided certain conditions are met, and disclosures made for the purpose of maintaining or servicing accounts.
Remedies Available Under the Law
The law provides for a private right of action and the ability to recover a civil penalty of up to $500 per incident of noncompliance and $3,000 per incident of willful, intentional, or reckless noncompliance, along with reasonable attorneys’ fees and costs. Importantly, a failure to timely, accurately, or completely respond to a request for an accounting is considered a discrete event such that a court can calculate a civil penalty for each failure by counting the number of disclosure requests to which the defendant did not appropriately respond. Boorstein v. CBS Interactive, Inc., 222 Cal.App.4th 456, 472 (2013). In contrast, a failure to post information on a website or in a privacy policy, without more, has been found not to be quantifiable and not actionable under the law. Id., at 473.
Notably, unless an alleged violation is found to be willful, intentional, or reckless, the law provides covered businesses with a 90-day cure period running from the date the business learns of its noncompliance.
Responding to a Request for an Accounting
If a business receives a request, it should consider and discuss with counsel the following questions to determine the most appropriate response:
- Does the law apply to the business?
- Is the individual a California resident who is a customer of, and has an established business relationship with, the covered business?
- Does the law apply to any disclosures of the customer’s personal information?
- Has the covered business received a previous request from the same individual within the same calendar year?
- Does the privacy policy of the covered business disclose that the business does not share a customer’s personal information with third parties for direct marketing purposes without the customer’s affirmative consent? If so, how is that consent obtained (if applicable)?
- Does the privacy policy of the covered business contain a provision that the business does not share a customer’s personal information with third parties for direct marketing purposes if the customer has exercised an option that prevents disclosure? If so, has the business notified the customer of his or her rights and provided a cost-free method of making such an election, such as an opt-out link on the home page of the business’s website?
Takeaways
The civil penalties available under the law make it fertile ground for plaintiffs seeking to exercise their rights with the hope of establishing noncompliance and a path to recovery. To reduce the risk of noncompliance, a business that has not already done so should work with counsel to review its policies and procedures, determine whether and to what extent it is subject to the law, and, if so, confirm that it has taken the necessary steps to reduce the risk of private and regulatory actions under the law and under other state laws that provide individuals with opt-out and information access rights.