Warning: “Shine the Light” Privacy Request Activity Sets a Trap for the Unwary, and It Does Not Matter if Your Business is in California or Not

While the recent spotlight has been on California’s new Consumer Privacy Act, set to take effect in 2020, would-be plaintiffs and their attorneys have been busy laying traps for businesses using an older California consumer privacy statute known as the “Shine the Light” law. Regardless of where your business is located, be on the lookout for Shine the Light requests from California residents asking to know whether their personal information has been transferred to a third party for direct marketing purposes. If your business does not respond quickly and appropriately to these requests, it may find itself in the litigation crosshairs — facing claims for damages, statutory penalties, injunctive relief, attorneys’ fees and class action claims.

First, a bit about the law, then an explanation of how plaintiffs are attempting to take advantage of it.

Separate from and narrower than the recently passed GDPR-like California Consumer Privacy Act, California’s “Shine the Light” law (California Civil Code §§ 1798.83 et seq.) gives California residents the right to request and receive information about whether and how businesses transfer their personal information to other businesses for direct marketing. It also requires businesses to publicly designate a contact point for such requests.[1] Many categories of personal information are covered, including things like name and email address. The law gives consumers a private right of action for actual damages, civil penalties, injunctive relief, and attorneys’ fees and costs. The civil penalties are up to $500 per violation, or $3,000 if the violation is intentional, willful or reckless.[2] Again, it does not matter if the business receiving the request is in California; what matters is that the customer making the request is a California resident.

The Shine the Light law took effect in 2005, but it took some time before plaintiffs began taking advantage of the private right of action in a systematic way. The first significant phase of Shine the Light litigation came with a series of cases filed in 2011 and 2012, typically brought against media companies. Those plaintiffs asserted claims based on defendants’ failure to designate a publicly available contact point for Shine the Light requests, a purely technical violation. None of the plaintiffs, however, had actually made a request for the information to which they were entitled under the law, and both state and federal appellate courts held that plaintiffs could not bring claims based on mere procedural violations.[3] With those decisions, Shine the Light litigation came to an end, until now.

Based on observations in the field, it appears that certain plaintiffs’ attorneys are methodically laying traps for the unwary by making requests under the Shine the Light law on behalf of a client (who is a California resident and a customer of the business) and then filing suit when the businesses do not respond. By laying the groundwork of a consumer request, and then waiting to see if businesses respond in the required time period, these plaintiffs are trying a new formula where the last round of Shine the Light plaintiffs failed. And if a business fails to respond, the plaintiff will plead an intentional violation of the law and seek the higher statutory penalty available for willful violations.

A complaint recently filed in the Federal District Court for the Central District of California, Gamez v. Petco,[4] illustrates the “request, wait and sue” methodology. The complaint alleges that the plaintiff shared information with Petco on May 9, 2018, and made written Shine the Light requests on May 15 and 18, 2018; the complaint was filed just over one month later, on June 21, 2018. Notably, the Petco complaint also includes class action claims. Regardless of their merit, the combination of class action claims, along with a range of individual claims, appears designed to increase pressure on defendants. Businesses outside of California may be particularly vulnerable given the added burden of defending claims at a distance.

Luckily, businesses generally will be able to avoid claims by simply responding to the request. The Shine the Light law gives businesses 30 days to respond, or 150 days in certain limited circumstances. In almost all instances, businesses should respond to these requests with carefully crafted language that demonstrates compliance with the statute. Some exceptions to the law apply based on the size of the business, availability of opt-out mechanisms, whether the business has the right kind of business relationship with the consumer, and other factors. If your company receives a Shine the Light request, it is best to consult with legal counsel promptly regarding how to respond in order to avoid future risks and complications.

How Do I Watch Out for These Requests?

Part of the problem is making sure that these requests are caught and handled correctly when received. Shine the Light requests can be made by email, and as such, could be easily overlooked or caught in spam filters. Be on the lookout for email and other contacts from California residents that mention “Shine the Light,” California Civil Code sections 1798.83 or 1798.84, or direct marketing in connection with privacy or personal information. If you are contacted by an attorney who is representing a California resident in order to make one of these requests, that should be a significant red flag.

Can I Do Anything to Prevent This?

As with many aspects of consumer privacy, a robust privacy policy and thorough internal practices will go a long way in preventing problems. Organizations’ privacy policies should, as a general matter, list contact information for inquiries about privacy, and businesses should be sure that those contact points are monitored.

Shine the Light violations can be avoided if a business has a policy of not transferring information to third parties for direct marketing without the consumer’s affirmative consent, or by providing consumers the ability to opt in and out of personal information transfers for third-party marketing. However, under the Shine the Light law, opting out must be at no cost to the consumer, and it is still necessary to reply to Shine the Light requests with a notification of the ability to opt in and out.

With developments in law and policy such as the European Union’s General Data Protection Regulation (GDPR), and the new California Consumer Privacy Act coming in 2020, many companies have been adding or considering mechanisms to allow users to opt out of personal data collection or sharing. Shine the Light is just one more factor to consider. Privacy is currently an extremely dynamic area, and it is wise to regularly revisit privacy policies and practices to be sure that public-facing privacy policies both comport with the law and accurately describe actual practices of the organization.

As has been widely reported, on June 28, California’s state legislature passed the California Consumer Privacy Act of 2018, a significant and wide-ranging privacy bill that expands California residents’ rights to know and control how their personal information is collected and used. The new Act will take effect in January 2020, but may see amendments before then to adjust its breadth, depth and enforcement mechanisms, as well as to improve cohesion with existing law such as Shine the Light. Whatever form the Act finally takes, businesses should plan to get used to fielding more privacy-related requests from consumers and managing the risks of private and public enforcement of privacy rights.