California Shine the Light law
California's "Shine the Light" law (CA Civil Code § 1798.83[1][2]) is a privacy law passed by the California State Legislature in 2003. It became an active part of the California Civil Code on January 1, 2005. It is considered one of the first attempts by a state legislature in the United States to address the practice of sharing customers' personal information for marketing purposes, also known as "list brokerage."[3] The law outlines procedures requiring companies to disclose upon the request of a California resident what personal information has been shared with third parties, as well as the parties with which the information has been shared. The law also outlines specific language that companies who do business with California residents must include in their online privacy policies.[4]
Shine the Light Law | |
---|---|
California State Legislature, 2003–2004 session | |
| |
Citation | CA Civil Code § 1798.83 |
Enacted by | California State Legislature, 2003–2004 session |
Enacted | Senate: September 24, 2003; Assembly: September 8, 2003 |
Signed | September 23, 2003 |
Commenced | January 1, 2005 |
Legislative history | |
Bill title | Personal information: disclosure to direct marketers. |
Bill citation | CA S.B. 27 |
Introduced by | Liz Figueroa |
Introduced | December 2, 2002 |
Keywords | |
privacy, personal information, disclosure, list brokerage |
History
editThe original bill, California S.B. 27, was introduced to the California State Senate by Liz Figueroa in December 2002.[5] The bill's co-authors included State Senators Dede Alpert, Sheila Kuehl, Gloria Romero, and Nell Soto.[5]
The bill arose out of increasing concern with business practices in which consumers' personal information, collected by the company with which a consumer engaged in business, was sold to other third-party companies without the knowledge of the consumer. In support of the bill, Figueroa's office offered the State Senate numerous examples of lists of personal information available for purchase on the Internet. Figueroa's office wrote:
Transparency is the touchstone of consumer confidence in information handling... Because privacy is, by definition, so intensely personal, for a consumer to make a rational and informed and personal choice to opt-in, opt-out, or simply take their business elsewhere, the consumer must know the 'who, what, where and when' of how a business handles personal information.[6]
After approval in the Senate, the bill went to the California State Assembly, where a number of concerns arose regarding "undue burden" placed on businesses.[6] The authors made several changes to address business interests, including the addition of a provision granting a business 90 days to "cure a violation" and an exemption for small businesses. Revisions also provided businesses the option to either respond to incoming requests from consumers who want to know how their information is being used or to allow users to opt out and "stop their information from being shared for marketing purposes."[6]
The bill was amended three times in the State Senate and five times in the State Assembly. It passed the Assembly on September 8, 2003, and the Senate on September 12, 2003. On September 24, 2003, Governor Gray Davis signed it into law. The bill became operative on January 1, 2005.[7]
Requirements
editThe law applies to all for-profit businesses that conduct business with any resident of California and have "shared customer personal information with other companies for their direct marketing use within the immediately preceding calendar year,"[3] with the exception of businesses with fewer than 20 employees, federal financial institutions, non-profit organizations, political groups and politicians, providers of public real estate records, and credit reporting bureaus.[8] Businesses that maintain a free and public privacy policy that allows users to opt into or opt out of information sharing are also exempt. The law defines "customer" as "an individual who is a resident of California who provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family, or household purposes."[2] A business does not need to be located in California, it simply needs to have a single customer who resides in the state.
Personal information
editUnder the "Shine the Light" law, California defines 27 categories as "personal information" when disclosed to third parties.[2]
Categories of personal information | ||
---|---|---|
Name and address | Email address | Age or date of birth |
Names of children | Email or other addresses of children | Number of children |
Age or gender of children | Height | Weight |
Race | Religion | Occupation |
Telephone number | Education | Political party affiliation |
Medical condition | Drugs, therapies, or medical products or equipment used | Kind of product the customer purchased, leased, or rented |
Real property purchased, leased, or rented | Kind of service provided | Social Security number |
Bank account number | Credit card number | Debit card number |
Bank or investment account, debit card or credit card balance | Payment history | Information pertaining to the customer's creditworthiness, assets, income, or liabilities |
Notification and contact points
editThe law requires that a business establish designated contact point—email address, a mailing address, or a phone or fax number—where they may direct Information-Sharing Disclosure requests. In addition, a business must do at least one of the following:
- Sufficiently provide to all employees who may have contact with consumers the contact points so that if a consumer asks about privacy practices, the employee can provide the contact information;
- Add a link on its home page titled "Your Privacy Rights" or "Your California Privacy Rights", or include one of those phrases in the same style as the heading "Privacy Policy" on a business's privacy policy page (linked from the business's home page). That section or separate "Your Privacy Rights" page must describe a customer's rights as outlined by the law and provide information to the consumer regarding the designated contact point;
- Clearly post or make available the contact information everywhere a customer interacts with the business's employees in California.[2]
Disclosure and violations
editBusinesses must provide to the consumer a complete list of all personal information disclosed to third parties and the nature of that information within 30 days of the request (150 days if a request goes to another address or contact point that is not the designated contact point). However, the law requires a business to respond to requests from a single customer only once in a calendar year. The response must include the categories of information disclosed and the companies to which they were disclosed in the last calendar year.[8] Businesses with privacy policies of allowing users to opt in or opt out can respond to Information-Sharing Disclosure requests with the information on how to opt in or opt out.[8]
If a business receives notice that they have failed to comply by submitting incomplete information or not responding to the request at all, the law provides a grace period of 90 days for them to provide complete information as requested.[2] However, if a business fails to meet a consumer's request according to the law, that customer is entitled to recover civil damages of up to $500. If a company willfully fails to comply, the damages increase to up to $3,000 plus attorney's fees.[8]
Rate of Compliance
editThough the law officially went into effect on January 1, 2005, a 2009 independent study found evidence of uneven compliance. Researchers compiled a list of 112 businesses that were subject to SB 27 and did not supply an opt-out option that would exempt them from required disclosure. When these 112 businesses were served information sharing disclosure requests, only 59 of them responded as required by law.[9]
References
edit- ^ CA Government Civil Code § 1798.83 Archived 2013-08-23 at the Wayback Machine. added 2013-07-28.
- ^ a b c d e CA Civil Code § 1798.83. Retrieved on 2011-03-01.
- ^ a b Electronic Privacy Information Center (EPIC). "California S.B. 27, 'Shine the Light" Law.'
- ^ Nick Lieber. "Why Your Web Site's Privacy Policy Matters More Than You Think." BusinessWeek, August 12, 2009. Retrieved on 11-03-01.
- ^ a b California State Legislature. Senate Bill 27, Chaptered version Archived 2006-08-29 at the Wayback Machine. Filed with CA Secretary of State on September 25, 2003. Retrieved on 11-03-01.
- ^ a b c California Senate Judiciary Committee.Bill Analysis, SB 27 Senate Bill Archived 2008-12-26 at the Wayback Machine, 2003. Retrieved on 2011-03-01.
- ^ "SB 27 Complete Bill History". California State Senate. Archived from the original on 2006-08-29. Retrieved 2 March 2011.
- ^ a b c d Privacy Rights Clearinghouse. "California's "Shine the Light" Law Goes into Effect Jan. 1, 2005 Archived 2011-05-24 at the Wayback Machine." Press Release. Posted December 29, 2004. Retrieved on 11-03-01.
- ^ Lauren Thomas and Chris Jay Hoofnagle. Exploring Information Sharing Through California's 'Shine the Light' Law. August 13, 2009
External links
edit- SB 27 (2003-2004): California State Senate
- California Civil Code § 1798.83
- Chris Hoofnagle & Jennifer King. "Consumer Information Sharing: Where the Sun Still Don't Shine". December 17, 2007. Study of information sharing practices from disclosures requested under SB 27.
- International Association of Privacy Professionals. "California Privacy Laws Reach Beyond California." York, Maine: December 7, 2004.
- Anthony D. Milewski Jr. "Compliance with California Privacy Laws: Federal Law Also Provides Guidance to Businesses Nationwide." University of Washington, Shidler School of Law. 2 Shidler J. L. Com. & Tech. 19 (Apr. 14, 2006).
- ReedSmith. "Ramifications of California's "Shine the Light" Law." Client Alert, July 1, 2005.
- White & Case. "Burgeoning Privacy Developments in the US." Presentation. Fifth Annual Global Privacy Symposium, April 12, 2005