Disclaimer: This blog is for general information purposes only and does not constitute legal advice and does not create or intend to create an attorney-client relationship. This blog post should never be used to replace the advice of your personal attorney.

California Civil Code section 1798.83, which was passed by the California State Legislature in 2003, is commonly called the “Shine the Light Law” (the “SLL”). The SLL arose from concern about the practice in which a company a customer did business with sold the customer’s personal information to other companies without the customer’s knowledge; this practice is called “list brokerage.” The SLL requires companies to disclose upon the request of California residents what personal information has been shared and the companies the information was shared with.

The SLL applies only to transactions for personal, family or household purposes and does not apply to business-to-business transactions.

The SLL also governs companies’ privacy policies. These requirements extend to both California businesses and out-of-state businesses that do business in California or provide services to California residents.

For financial institutions, the federal GLBA (Gramm-Leach-Bliley Act) has disclosure requirements that partly overlap with the SLL. Under the GLBA, financial institutions must give customers written notice explaining what information is collected about them, how that information is used, where and with whom it is shared, and how it is protected.

Does the California Shine the Light Law Apply to Your Business?

To determine whether the SLL applies to your business, answer the following basic questions:

  • Does your business have 20 or more employees?
  • Are you located in California or do you have at least one customer that is a California resident?
  • If any of your customers are California residents, do they fall within or meet the SLL definition of a “customer”? That definition is “an individual who is a resident of California who provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family or household purposes.” You must also have provided a service or product to the customer within the past 18 months. 
  • Has your business shared (including sold) customer personal information with third parties for those third parties’ direct marketing purposes? A third party is an entity separate from your business. “Personal information” is defined by the SLL, which lists 27 categories of data that qualify (for example name and address, e-mail address, telephone number, social security number, and credit or debit card numbers).

Exceptions to the Shine the Light Law

A threshold exception applies when the information sharing is not for commercial purposes. Beyond that, the other exceptions arise when your business, or the third party to which your business is providing customer information, is one of the following:

  • A business that shares information only after customers have opted in to sharing, or that provides an opt-out function allowing customers to stop their information from being shared
  • Financial institutions servicing credit card and debit card accounts
  • Non-profit organizations
  • Religious organizations
  • Political organizations
  • Credit card bureaus
  • Consumer reporting agencies
  • Public records request management businesses
  • Government funding agencies
  • Healthcare providers looking for information on medical conditions

What to Do to Ensure Shine the Light Compliance?

If your business does not fall within one of the exceptions to the SLL and you disclose personal information, you must comply with the law. Your customers must be able to see how their personal data is used. On request, disclose which categories of personal information you shared, as well as the names and addresses of the third parties that received it.

Implement a working opt-in policy for customers. Do not share personal information for direct marketing purposes without consent; doing so before consent is obtained is problematic and could be expensive for your business. Alternatively, offer an opt-out method. Whichever approach you take, the opt-in or opt-out method must be free of charge to the customer.

Provide customers who wish to request SLL information with your mailing address and your e-mail address. If your business chooses to receive such requests by telephone or facsimile, provide a toll-free telephone or facsimile number.

Create a conspicuous “Your Privacy Rights” section or link on your web page. Use that space to outline your procedures concerning consumer rights and how customers can submit a request.

When a customer requests information, you must generally respond within 30 days. If the request is made through a channel other than the ones you have designated, you have a “reasonable time” to reply, but that period may not exceed 150 days.

Penalties for Non-Compliance

Failure to comply with the SLL exposes your business to civil penalties: a customer whose request is mishandled may recover up to $500 per violation. If the non-compliance is intentional, willful or reckless, the penalty can increase to up to $3,000 per violation, plus attorneys’ fees.

In Closing

Handling customer information requires both care and knowledge of the numerous legal requirements. The experts at TCPA Protect are ready to assist and inform.