Plaintiffs' lawyers recently have filed several putative class actions against some large companies, seeking millions of dollars in damages for violations of a little-known California consumer protection law. These suits have targeted companies including Microsoft, Conde Nast, and Time, Inc., among others, alleging they have violated California's "Shine the Light" law (California Civil Code section 1798.83), which imposes specific disclosure requirements on companies that do business with customers in California and share their customers' personal information with other businesses for direct-marketing purposes. Among other things, the law requires companies to disclose, at the customer's request, how and with which entities customer personal information was shared, and to notify customers about how to exercise their rights under the law. Businesses that fail to comply with the law may be subject to penalties of up to $500 per violation, and up to $3,000 per violation if the violation is deemed willful, intentional or reckless.
What businesses must comply?
The "Shine the Light" law, which took effect in 2005, applies to businesses that have:
- 20 or more employees (full or part time);
- An "established business relationship" with a customer who is a California resident. (An established business relationship is one formed by voluntary, two-way communication, with or without consideration, between the business and the customer, for the purpose of purchasing, renting, or leasing property or obtaining a product or service. The relationship must be ongoing and not expressly terminated by either party, or, if not ongoing, no more than 18 months may have elapsed since the transaction.); and
- Shared customer personal information with other companies (unaffiliated third parties) for their direct-marketing use within the past calendar year. (Direct-marketing use means using consumers' personal information to contact individuals directly, by mail, telephone or e-mail, to solicit or induce a purchase, rental, lease or exchange of property, products, goods or services.)
The statute exempts financial institutions that are subject to certain provisions of the California Financial Information Privacy Act.
What information is covered?
The law only applies to customers who are "natural persons" and California residents, and who provide personal information during the course of the transaction. Personal information includes any information that, when it was disclosed by the customer, identified, described, or was able to be associated with an individual. The statute includes an extensive list of information that fits within the category of personal information, including name, address, e-mail address, telephone number, date of birth, medical and financial information, information about children, race, religion, occupation and education, as well as information about the transaction.
Specific types of business-related disclosures to unaffiliated third parties, including those for account administration or customer service, are exempt, as long as those third parties do not use the information for their own direct-marketing purposes.
What information must be disclosed to the consumer?
Covered businesses must designate a mailing address, e-mail address or toll-free phone or fax number to receive customer requests for information-sharing disclosures.
In response to a request from a customer to the designated point of contact, a business must, within 30 days, provide the names and addresses of third parties with which personal information was shared, as well as a list of the type of information provided to those entities. Businesses that have published privacy policies that include a mechanism for either opting in or out of the disclosure of personal information, may reply to customer information-sharing disclosure requests by notifying customers of their rights with respect to disclosure of personal information, and providing the customer with a cost-free means to exercise that right.
In addition, businesses must notify California customers of their rights under the statute by publicizing the designated point of contact that customers can use to make an information-sharing disclosure request. Businesses must provide this information to customers in at least one of three ways:
- Managers and agents - businesses can comply by notifying all managers and agents who directly supervise customer-contact employees (including cashiers, clerks, customer service, sales or promotions agents) of the point of contact information (address, e-mail or numbers) and have them instruct those employees to advise customers who inquire about information-sharing disclosures of either the contact information or where consumers can obtain the contact information.
- Websites - businesses can comply by adding a link on the homepage of their websites titled "Your Privacy Rights," or by adding those words to the homepage link to their privacy policy page. The first page the customer reaches by using the link must describe customers' information-sharing disclosure rights under the law and must provide the designated contact information and the options (opt-in or opt-out) for preventing disclosures. The statute requires that this information comply with specific font and formatting requirements.
- Physical "brick and mortar" store locations - businesses can comply by making readily available their designated contact information or information about how to obtain the designated contact information at every place of business within the state where the businesses or their agents regularly have contact with their customers.
What if businesses fail to comply?
The law provides that any customer injured by a violation of its provisions may bring a civil suit to recover damages of up to $500 per violation, or up to $3,000 per violation for willful, intentional, or reckless violations, as well as injunctive relief, costs and attorneys' fees.
The statute provides a defense for violations that are not deemed willful, intentional, or reckless. If a business is alleged to have failed to provide all the information required in response to a customer request, to have failed to provide the information within the required time period, or to have provided inaccurate information, it may assert as a complete defense to a customer action that it provided the correct information to all customers who were given inaccurate or incomplete information within 90 days of the date on which it knew it had failed to properly provide the information.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.