In the last several weeks, plaintiffs’ lawyers have filed a number of class action lawsuits against businesses for allegedly violating California’s “Shine the Light” privacy law (the “Law”). According to one report, targets include nearly a dozen publishers, including Men’s Journal, Reader’s Digest, and CBS Interactive. The complaints allege that each business failed to comply with its obligations under the Law by not providing California customers with a method for obtaining a disclosure regarding how they share information.
The Shine the Light privacy law, Cal. Civ. Code 1798.83, applies to businesses with twenty (20) or more employees, that have an established business relationship with a customer who is a California resident and share customer personal information with third parties for the third parties’ direct marketing purposes.
Under the Law, covered businesses have two compliance options: disclose what they share and with whom or provide an opt-out. Specifically, California residents may ask for and obtain details about what personal information covered businesses share with third parties for those third parties’ direct marketing purposes during the immediately preceding calendar year. The Law is not limited to personal information collected online, making it necessary to consider practices with respect to customer data collected offline as well as online. The detailed notice requirements include providing California customers with a designated contact point to which an information request may be directed, and then providing California customers with all required categories of information upon their submission of an appropriate request.
The other method for compliance is for companies to adopt and disclose to the public in their website privacy policies cost-free procedures for California customers to opt-out of the sharing of their personal information. The Law contains a private right of action for damages, injunctive relief, and civil penalties of up to $500 per violation (or $3,000 per violation for willful, intentional, or reckless violations). Although the Law has been effective since 1995, we are not aware of any published court decisions interpreting the Law.
These recent lawsuits serve as a reminder for advertisers to check to make sure that they are in compliance with the Law.
If you have any questions about the Shine the Light privacy law, please contact Glen Westerback at firstname.lastname@example.org or 212.826.5563, Terri Seligman at email@example.com or 212.826.5580, or any other member of Frankfurt Kurnit’s Technology, eCommerce and Privacy Group.