Focusing public attention on emerging privacy and civil liberties issues

California S.B. 27, "Shine the Light" Law

Introduction

In 2003, California passed a landmark privacy bill, the "Shine the Light" law, which empowers individuals to learn about how businesses sell their personal information. Under the law, companies that do business with California residents have to either allow customers to opt out of information sharing, or make a detailed disclosure of how personal information was shared for direct marketing purposes. The law applies to many businesses, but companies with fewer than twenty employees and federal financial institutions are exempt from the law's requirements.

S.B. 27 is important because it is one of the first legislative attempts to address "list brokerage," the compilation and sale of individuals' personal information. List brokerage is used to fuel privacy invasive marketing campaigns, including spamming, telemarketing, and junk mail. List brokers collect personal information from many sources, including business transactions, warranty cards, and sweepstakes entries. In many cases, businesses do not inform individuals of their information sales activities, and major companies, both online and off, sell their customer lists to list brokers. S.B. 27 will help individuals learn more about how their information is sold to others and give then an opportunity to limit the sale.

Legislative History of S.B. 27

The Shine the Light law was introduced as California Senate Bill 27 (S.B. 27). The bill was sponsored by Senator Liz Figueroa and the final draft was signed by Governor Gray Davis on September 24, 2003. It is codified in California Civil Code § 1798.83.

As originally introduced by Senator Figueroa in December 2002, the bill would have required certain companies to keep records of all consumer data that is shared with third parties for direct marketing purposes. Further, companies would have been required to provide customers with all information that was shared and the names of the third-party marketers within 30 days of a request by the consumer.

However, S.B. 27 was substantially amended before being passed by the California Senate. The final legislation exempted companies that have privacy policies giving consumers a choice to opt-out of having their personal information disclosed to third parties for marketing purposes. In such cases, the company is not required to provide the consumer with the details of what information was shared and with whom, but rather is simply required to notify consumers of a free method by which they can opt out.

Overview of S.B. 27

S.B. 27 requires certain businesses to disclose their information-sharing practices with their customers who request such information. Upon receiving such a request, companies must reveal to an individual the companies with which they have shared the individual's personal information for marketing purposes within the last twelve months.

Importantly, the law only allows consumers to make such requests when companies have not provided them with notice of privacy policies containing opt-out options. This means that companies that have created a privacy policy and opt-out right compliant with S.B. 27 are not required to give a detailed accounting of information sharing.

Who must comply?

Businesses must comply with the requirement if they meet the following characteristics:

  • have 20 or more employees;
  • an established business relationship with a customer who is a California resident; and
  • have shared customer personal information with other companies for their direct marketing use within the immediately preceding calendar year.

Certain businesses are exempt from the statute's requirements:

  • financial institutions that are subject to certain provisions of S.B. 1, the California Financial Information Privacy Act; and
  • those that administer specific types of business-related disclosures to third parties, such as those for administration or customer service, provided that the third parties do not use the information for their own direct marketing purposes.

What are individuals' rights under S.B. 27?

Under the new law, consumers have the right to be notified by businesses of their rights under the statute by using a designated contact point (mailing address, e-mail address, toll-free phone number or toll-free fax number) to request a business's disclosure regarding how it shares personal information with other businesses for direct marketing purposes.

Consumers have the right to be notified of the contact point for requesting a business's Information-Sharing Disclosure in one of the following ways:

  • by allowing consumers to receive contact point information from well-trained customer-contact staff upon request for a disclosure;
  • by allowing consumers to view readily-accessible information provided by businesses on the contact point at all California locations with regular customer contact; or
  • by allowing consumers to view information on a business's Website that provides the contact point and a description of its customers' rights. The business must provide:
    • a link on its home page using the words "Your Privacy Rights" or "Your California Privacy Rights" to another Webpage or to the page that contains the business's Privacy Policy Statement.
    • the first linked page from the "Your Privacy Rights" link must describe a customer's rights to request and receive an Information-Sharing disclosure or a cost-free means of preventing such disclosures, and must provide information on the business's contact point for making such a request.

Upon request, a consumer has the right to receive, within 30 days of receipt and once per calendar year, the following information from businesses:

  • if a business implements, publicizes and complies with a privacy policy that offers customers a free method to opt-in or opt-out of information sharing, then the business can respond to a S.B. 27 request by telling the customer about its privacy policy and how the customer can exercise his or her opt-in or opt-out rights; or
  • if a business does not provide customers a chance to opt-in or opt-out of information sharing, then it must make the following disclosure to the customer free of charge in writing or by email:
    • a list of the kinds of personal information that the business has disclosed to third parties for direct marketing purposes during the preceding calendar year; and
    • the names and addresses of all of the third parties that received personal information from the business for direct marketing purposes during the preceding calendar year. If the nature of the third parties' business cannot be reasonably determined by its name, the business must also provide examples of the products or services marketed by the third party "sufficient to give the customer a reasonable indication of the nature of the third parties' business", if known by the business.

The Privacy Rights Clearinghouse has drafted a model letter that you can use to request your personal information.

What Penalties are available to customers?

In addition to the legal remedies provided under current law, if a business fails to respond to a disclosure request, the customer may be entitled to recover a civil penalty of up to $500 per violation, and up to $3,000 per willful, intentional or reckless violation), as well as attorneys' fees and costs. Unless a violation is willful, intentional or reckless, a company may assert as a complete defense to an S.B. 27 action that its failure to provide a timely or accurate direct marketing notice was corrected within 90 days of the date that the business learned of the deficiency.

S.B. 27's effects on data policy.

Dr. Larry Ponemon of the Ponemon Institute conducted a study of 32 U.S. large and medium businesses on their response to S.B. 27.

  • 56% were limiting third-party personal information sharing
  • 34% were revising customer consent (both opt-in and opt-out) procedures
  • 6% were limiting personal information sharing with affiliates
  • 44% created new due diligence procedures with third parties
  • 41% seriously considered a "do not share" approach with all third parties.

Ponemon also found that companies' expected costs were not significant in complying with S.B. 27.

How could S.B. 27 be improved?

Despite these rights for consumers, the disclosure does not have to be specific to an individual's information. That is, companies regularly "segment" their customer lists and sell the contact information of different people to different companies. Under the law, a generalized notice may be issued, and therefore the consumer may receive a list of disclosures that is overinclusive.

Resources