Eight years after California's "Shine the Light" privacy-related law (S.B. 27) went into effect, five putative class actions alleging violations of Civil Code Section 1798.83 have been filed. The law regulates businesses that disclose customers' personal information to third parties for direct marketing purposes, requiring that customers be informed of the disclosures. Each violation can mean a $3,000 civil penalty.

The putative class action lawsuits started on December 22, 2011 with Boorstein v. Men's Journal LLC and Murray v. Time Inc., followed within days by Boorstein v. CBS Interactive Inc. In 2012, so far, two more actions have been filed, Smith v. Microsoft Corp. (1/9/12) and Miller v. Hearst Communications (1/27/12). Each complaint alleges that the defendant shares information about its customers with third parties for direct marketing purposes and fails to provide its customers with the required Section 1798.83 disclosures or the means to obtain the information.

The plaintiffs contend that the defendants deny their California customers their legal rights to learn what personal information is being disclosed and who is receiving it. If certified, the classes could include "[a]ll California residents who have provided personal information to the [defendant]," and damages could include civil penalties of $3,000 per violation as well as attorney fees and costs. For now, the putative class actions are targeting companies that do not have "brick and mortar" locations because these companies may be unable to use the notice options available under Section 1798.83(b)(1)(A) and (C).

Who is Subject to Section 1798.83?

Generally, if a business has an established relationship with a customer and has within the immediately preceding calendar year disclosed "personal information" (as defined in Section 1798.83(e)(6)) to third parties, and if the business knows or reasonably should know that the third parties used the personal information for direct marketing purposes, that business is subject to Section 1798.83. The law does not apply to a financial institution that is subject to the California Financial Information Privacy Act, Financial Code Sections 4050, et seq., if the financial institution is in compliance with Financial Code Sections 4052, 4052.5, 4053, 4053.5, and 4054.6, or to a business with fewer than 20 full-time or part-time employees.

What Is a Business Subject to Section 1798.83 Required to Do?

Alternative 1 – Let Customers Opt-in or Opt-out of Information Sharing With Third Parties for Use in Direct Marketing

If the business has a published privacy policy that it will not disclose a customer's personal information to third parties for the third parties' use in direct marketing without the customer's consent (opt-in or opt-out), it can comply with Section 1798.83 by (1) notifying the customer of his or her right to prevent disclosure of personal information, and (2) providing the customer with a cost-free means to exercise that right.

Alternative 2 – Tell Customers How to Request Information About What Information Is Shared With Third Parties for Use in Direct Marketing, Who They Are, and What They Do

As an alternative to providing customers a chance to opt-in or opt-out of information sharing, the business can comply with Section 1798.83 by designating a mailing address, electronic mail address, or a toll-free telephone or facsimile number, to which customers may deliver a request for information concerning personal information collected and third parties that received the personal information for the third parties' direct marketing purposes during the preceding calendar year (a "Request"). It must do at least one of the following:

(A) Notify all agents and managers who directly supervise employees who regularly have contact with customers of the designated addresses or numbers or the means to obtain those addresses or numbers and instruct those employees that customers who inquire about the business's privacy practices or the business's compliance with Section 1798.83 are to be informed of the designated addresses or numbers or the means to obtain the addresses or numbers.

(B) Add a link on the business's homepage to a webpage titled "Your Privacy Rights" or add the words "Your Privacy Rights" to the homepage's link to its privacy policy. "Your Privacy Rights" must be in the same style and font size as the link to the business's privacy policy. If the business does not display a link to its privacy policy on its homepage, or does not have a privacy policy, the words "Your Privacy Rights" must be written in larger type than the surrounding text, or in contrasting type, font or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. The first page of the link must describe customers' rights pursuant to Section 1798.83 and provide the designated mailing address, e-mail address, as required, or toll-free telephone number or facsimile number, as appropriate.

(C) Make the designated addresses or numbers or means to obtain the designated addresses or numbers readily available upon request of a customer at every place of business in California where the business or its agents regularly have contact with customers.

After receiving a Request, the business is required to provide all of the following information to the customer free of charge, in writing or by electronic mail:

(1) a list of the categories of personal information disclosed by the business to third parties for the third parties' direct marketing purposes during the immediately preceding calendar year; and

(2) the names and addresses of third parties that received personal information from the business for the third parties' direct marketing purposes during the preceding calendar year and, if the nature of the third parties' business cannot reasonably be determined from the third parties' name, examples of the products or services marketed, if known to the business, sufficient to give the customer a reasonable indication of the nature of the third parties' business.

The response to a customer's Request received at one of the designated addresses or numbers must be provided within 30 days. A response to a Request received by the business at an address other than one of the designated addresses or numbers must be provided within a reasonable period, but not to exceed 150 days from the date received. In turn, if the business elects to add the words "Your California Privacy Rights" to the homepage's link to the business's privacy policy, the first page of the privacy policy must describe a customer's rights under Section 1798.83, and provide the designated mailing address, electronic mailing address, or toll-free telephone or facsimile number, as appropriate, and the business need not respond to Requests that are not received at one of the designated addresses or numbers. A business is not obligated to respond to a Request from the same customer more than once during any calendar year.

The Premise of the Five Class Actions

The complaints allege that the defendants willfully violated Section 1798.83 by, among other things, (i) failing to add a hyperlink titled "Your Privacy Rights" to their website homepages, (ii) failing to add a hyperlink to their webpage titled "Your Privacy Rights," (iii) failing to designate a mailing address, e-mail address, telephone number or facsimile number for customers to deliver requests, and/or (iv) failing to describe their California customers' rights under Section 1798.83.

Each of the Plaintiffs contends that, because the defendants have no "brick and mortar" locations, none of them can utilize the notice options available under Section 1798.83(b)(1)(A) or (C) "because, as a business operating almost exclusively online, it does not have 'employees who regularly have contact with customers,' as that term is defined by Cal. Civ. Code § 1798.83(e)(4)." The Plaintiffs further contend that "[i]n any event, and upon information and belief, [the defendant] does not instruct or otherwise train its employees to respond to customer inquiries about obtaining [the defendant's] Shine the Light Disclosures as required by Cal. Civ. Code § 1798.83(b)(1)(A)."

If your business has not recently reviewed its privacy and employee training policies for compliance with the "Shine the Light" privacy law, it may want to consider this recent class action trend.


These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.