Eight years after California's "Shine the Light" privacy-related law (S.B. 27) went into effect, five putative class actions alleging violations of Civil Code Section 1798.83 have been filed. The law regulates businesses that disclose customers' personal information to third parties for direct marketing purposes, requiring that customers be informed of the disclosures. Each violation can mean a $3,000 civil penalty.
The putative class action lawsuits started on December 22, 2011 with Boorstein v. Men's Journal LLC and Murray v. Time Inc., followed within days by Boorstein v. CBS Interactive Inc. In 2012, so far, two more actions have been filed, Smith v. Microsoft Corp. (1/9/12) and Miller v. Hearst Communications (1/27/12). Each complaint alleges that the defendant shares information about its customers with third parties for direct marketing purposes and fails to provide its customers with the required Section 1798.83 disclosures or the means to obtain the information.
The plaintiffs contend that the defendants deny their California customers their legal rights to learn what personal information is being disclosed and who is receiving it. If certified, the classes could include "[a]ll California residents who have provided personal information to the [defendant]," and damages could include civil penalties of $3,000 per violation as well as attorney fees and costs. For now, the putative class actions are targeting companies that do not have "brick and mortar" locations because these companies may be unable to use the notice options available under Section 1798.83(b)(1)(A) and (C).
Who is Subject to Section 1798.83?
Generally, if a business has an established relationship with a customer and has within the immediately preceding calendar year disclosed "personal information" (as defined in Section 1798.83(e)(6)) to third parties, and if the business knows or reasonably should know that the third parties used the personal information for direct marketing purposes, that business is subject to Section 1798.83. The law does not apply to a financial institution that is subject to the California Financial Information Privacy Act, Financial Code Sections 4050, et seq., if the financial institution is in compliance with Financial Code Sections 4052, 4052.5, 4053, 4053.5, and 4054.6, or to a business with fewer than 20 full-time or part-time employees.
What Is a Business Subject to Section 1798.83 Required to Do?
Alternative 1 – Let Customers Opt-in or Opt-out of Information Sharing With Third Parties for Use in Direct Marketing
Alternative 2 – Tell Customers How to Request Information About What Information Is Shared With Third Parties for Use in Direct Marketing, Who They Are, and What They Do
As an alternative to providing customers a chance to opt-in or opt-out of information sharing, the business can comply with Section 1798.83 by designating a mailing address, electronic mail address, a toll-free telephone or facsimile number, to which customers may deliver a request for information concerning personal information collected and third parties that received the personal information for the third parties' direct marketing purposes during the preceding calendar year (a "Request"). It must do at least one of the following:
- Notify all agents and managers who directly supervise employees who regularly have contact with customers of the designated addresses or numbers or the means to obtain those addresses or numbers and instruct those employees that customers who inquire about the business's privacy practices or the business's compliance with Section 1798.83 are to be informed of the designated addresses or numbers or the means to obtain the addresses or numbers.
- Make the designated addresses or numbers or means to obtain the designated addresses or numbers readily available upon request of a customer at every place of business in California where the business or its agents regularly have contact with customers.
After receiving a Request, the business is required to provide all of the following information to the customer free of charge, in writing or by electronic mail:
- a list of the categories of personal information disclosed by the business to third parties for the third parties' direct marketing purposes during the immediately preceding calendar year; and
- the names and addresses of third parties that received personal information from the business for the third parties' direct marketing purposes during the preceding calendar year and, if the nature of the third parties' business cannot reasonably be determined from the third parties' name, examples of the products or services marketed, if known to the business, sufficient to give the customer a reasonable indication of the nature of the third parties' business.
The Premise of the Five Class Actions
The complaints allege that the defendants willfully violated Section 1798.83 by, among other things, (i) failing to add a hyperlink titled "Your Privacy Rights" to their website homepages, (ii) failing to add a hyperlink to their webpage titled "Your Privacy Rights," (iii) failing to designate a mailing address, e-mail address, telephone number or facsimile number for customers to deliver requests, and/or (iv) failing to describe their California customers' rights under Section 1798.83.
Each of the Plaintiffs contend that, because the defendants have no "brick and mortar" locations, none of them can utilize the notice options available under Section 1798.83(b)(1)(A) or (C) "because, as a business operating almost exclusively online, it does not have ‘employees who regularly have contact with customers,' as that term is defined by Cal. Civ. Code § 1798.83(e)(4)." The Plaintiffs further contend that "[i]n any event, and upon information and belief, [the defendant] does not instruct or otherwise train its employees to respond to customer inquiries about obtaining [the defendant's] Shine the Light Disclosures as required by Cal. Civ. Code § 1798.83(b)(1)(A)."
If your business has not recently reviewed its privacy and employee training policies for compliance with the "Shine the Light" privacy law, it may want to consider this recent class action trend