Shine the light

4:54pm EDT August 30, 2006
California consumers have a new level of protection for their personal information thanks to the “Shine the Light” law, which went into effect in 2005. Under the law, companies that do business with California residents have to either allow customers to opt out of information sharing, or make a detailed disclosure of how personal information was shared for direct marketing purposes. The law applies to many businesses, but companies with fewer than 20 employees and federal financial institutions are exempt from the law’s requirements.

Smart Business spoke to Jon J. Janecek of Newmeyer & Dillion LLP to discuss what companies are affected by this law and the steps they must take to comply.

Who must comply?
All three of the following must exist for a business to be covered by the law:

  • Must have 20 or more employees
  • Must have an established relationship with California residents
  • Must have shared personal consumer information with third parties for marketing purposes within the last 12 months

Many organizations are exempt from the law: nonprofits (including charities and religious organizations asking for donations); politicians and other political groups that are fundraising; banks and financial institutions; and credit reporting bureaus.

What does the law require businesses to do?
Under the law, a business must first provide contact points to allow consumers to request a business’ disclosure regarding how it shares personal information with other businesses for direct marketing purposes.

Therefore, you must designate a mailing address, e-mail address, or a toll-free telephone or fax number to which customers may make disclosure requests. The customers should also be allowed to view this contact information at all of a company’s California locations that have regular customer contact.

Finally, a business’ Web site can also be used to comply. It should provide a link on its home page using the words ‘Your Privacy Rights’ or ‘Your California Privacy Rights’ to another Web page or to the page that contains the business’ privacy policy statement.

What happens if the customer makes a disclosure request?
The business must respond within 30 days, and the response must contain the categories of personal information disclosed to third parties. This includes information such as name, address, e-mail address, phone number, Social Security number, payment history, debit or credit card information, and other personal information.

The business must also provide the list of companies to which personal information was disclosed for marketing purposes within the last calendar year. However, companies that have a privacy policy or privacy notice that allows customers the option of sharing personal information must simply provide a copy of their opt-in or opt-out policy so customers can minimize the sharing of personal information.

What is the most cost-effective way to comply?
There is a provision in the law that allows businesses to comply without building expensive new databases or business processes. A business is in compliance as long as it gives customers the ability to prevent their personal information from being shared with third parties. If a business allows customers to exclude themselves, the law says that their requests for disclosure can simply be answered with a stock response on how to go about removing their names from future third-party marketing exchanges.

What are the penalties for noncompliance?
The customer may be entitled to recover a civil penalty of up to $500 per violation, and up to $3,000 per willful, intentional or reckless violation, as well as attorneys’ fees and costs. After learning of a violation, a business may be able to argue that it complied within 90 days of learning of the violation.

What can company owners do to be sure their company is in compliance?
At the bottom of a company’s Web site home page, include a link to the privacy policy. Include a form that allows a customer to enter his or her personally identifiable information for the express purpose of excluding this information. Include an e-mail address, a toll-free telephone number, and a toll-free fax number that a customer can contact to make the same request.

You can also include a link to the privacy policy at the bottom of any promotional e-mails.

If printed mail pieces include an order form, include the URL of the Web site’s privacy policy, as well as the contact point e-mail address, toll-free telephone number, and toll-free fax number.

JON J. JANECEK is a partner in the Newport Beach office of Newmeyer & Dillion LLP, a law firm that focuses on corporate, finance, real estate, general corporate and construction law. Reach him at (949) 854-7000.