Smart Business spoke to Jon J. Janecek of Newmeyer & Dillion LLP to discuss what companies are affected by this law and the steps they must take to comply.
Who must comply?
All three of the following must exist for a business to be covered by the law:
- Must have 20 or more employees
- Must have an established relationship with California residents
- Must have shared personal consumer information with third parties for marketing purposes within the last 12 months
Many organizations are exempt from the law: nonprofits (including charities and religious organizations asking for donations); politicians and other political groups that are fundraising; banks and financial institutions; and credit reporting bureaus.
What does the law require businesses to do?
Under the law, a business must first provide contact points to allow consumers to request a business’ disclosure regarding how it shares personal information with other businesses for direct marketing purposes.
Therefore, you must designate a mailing address, e-mail address, or a toll-free telephone or fax number to which customers may make disclosure requests. The customers should also be allowed to view this contact information at all of a company’s California locations that have regular customer contact.
What happens if the customer makes a disclosure request?
The business must respond within 30 days, and the response must contain the categories of personal information disclosed to third parties. This includes information such as name, address, e-mail address, phone number, Social Security number, payment history, debit or credit card information, and other personal information.
What is the most cost-effective way to comply?
There is a provision in the law that allows businesses to comply without building expensive new databases or business processes. A business is in compliance as long as it gives customers the ability to prevent their personal information from being shared with third parties. If a business allows customers to exclude themselves, the law says that their requests for disclosure can simply be answered with a stock response on how to go about removing their names from future third-party marketing exchanges.
What are the penalties for noncompliance?
The customer may be entitled to recover a civil penalty of up to $500 per violation, and up to $3,000 per willful, intentional or reckless violation, as well as attorneys’ fees and costs. After learning of a violation, a business may be able to argue that it complied within 90 days of learning of the violation.
What can company owners do to be sure their company is in compliance?
JON J. JANECEK is a partner in the Newport Beach office of Newmeyer & Dillion LLP, a law firm that focuses on corporate, finance, real estate, general corporate and construction law. Reach him at (949) 854-7000.