Generally, the California's "Shine the Light" law requires disclosure by any "business" that has disclosed "personal information" to "third parties" and knows or reasonably should know that the third party used the information for "direct marketing purposes." Cal. Civ. Code ยง 1798.83. The "Shine the Light" law became effective on January 1, 2005, and received little notice from plaintiff's lawyers. This appears to be changing.
Numerous lawsuits have been filed against magazine publishers in the last several months alleging violations of California's "Shine the Light" law. See e.g. Brian King v. Conde Nast Publications, Case No. 2:2012cv00719 (C.D. Cal. January 26, 2012); Melissa Miller v. Hearst Communications Inc., Case No. 2:2012cv00733 (C.D. Cal. January 26, 2012). These class action lawsuits do not allege that companies are misusing personal information or even that customers have been harmed by the disclosure of their personal information. Rather, plaintiff's lawyers are claiming those magazine publishers failed to identify properly a method for people to obtain the required disclosures.
Seemingly attracted by the high statutory penalties, especially when aggregated across an entire class, the "Shine the Light" law has become an attractive statute for plaintiff's lawyers. Regardless of whether plaintiff's lawyers are ultimately successful in these lawsuits, businesses should review their disclosure policies and websites to protect themselves from becoming the next target for such litigation.
Businesses should do the following:
As an initial matter, businesses should review what customer personal information has been shared with third parties in the past calendar year and what information is likely to be shared in the next calendar year. If no personal information has been shared and the business has no plans to share such information, then the business should review its privacy policy and determine whether the business should communicate with its customers to state the fact that the business does not share personal information.
Second, if the business determines that customer personal information has been shared with third parties in the past calendar year (or will likely be shared in the next calendar year), then the business should determine whether the information will be used for direct marketing purposes. If it is not the intention of the business to allow the third party to use the customer personal information for direct marketing purposes, then the business may want to review its contracts with the third parties to ensure that the contracts prohibit the use of the customer personal information for any direct marketing purposes. If it is the intention for the third party to use the personal information for direct marketing purposes, then the business should immediately take steps to comply with the "Shine the Light" law.
Third, to comply with the "Shine the Light" law, the business should develop a policy about whether it will allow customers to opt-out or opt-in to the disclosure of personal information to third parties for direct marketing purposes. If the business decides to allow customers to opt-out or opt-in to the disclosure of personal information before that information is shared with any third party, then the business should review its privacy policy to ensure that this point is adequately disclosed to the customer. If customers are permitted to opt-out of the disclosure of personal information, then the business should ensure that customers are notified of the right to opt-out before the information is shared and provide the customer with a cost-free means to exercise the right.
Fourth, if the business determines that it is providing customer information for direct marketing purposes (and is not providing an opt-in or opt-out mechanism), then the business should implement the business practices that ensure compliance with the disclosure requirements of the "Shine the Light" law. Procedures should be established to track how the business shares customer personal information, the categories of personal information shared with third parties and to whom the information is provided (and what type of business the third party is engaged in). The business should designate an address or contact number where customers can deliver requests for the required disclosure information. A process should be developed to make customers aware of the procedures to request the required disclosure information. Systems and procedures (including standardized response forms) should be developed to respond quickly to disclosure requests. The business's privacy policies should be reviewed to ensure that the policies accurately describe how the business is using personal information. Third-party contracts should be reviewed to make them consistent with the business's policies and such contracts should have restrictions in place to appropriately limit the use of customer personal information.
Plaintiffs' lawyers are looking for new targets and a review of the policies and procedures (and taking remedial steps quickly, if necessary) may be the only way to avoid becoming the next target.