Although the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), is the first thing that comes to mind when asked about privacy rights in California, there is another long-standing privacy statute, commonly known as the “Shine the Light” (STL) law and codified at California Civil Code § 1798.83, that is muddying the waters around privacy compliance.
Shine the Light is a disclosure statute designed to require transparency on businesses’ information-sharing practices by requiring them to establish procedures by which customers can obtain information about those practices. Shine the Light requires businesses that share customers’ personal information with third parties for direct marketing to disclose, upon a customer’s request, the names and addresses of third parties who have received personal information and the categories of personal information revealed.
Shine the Light also requires businesses to make their contact information available to customers in one of three statutorily prescribed ways. However, importantly, Shine the Light does not require compliance if the business gives customers the opportunity to opt-in or opt-out of the disclosure of their personal information. Despite this carve-out for businesses that provide opt-in/opt-out mechanisms, which would appear to align with CCPA compliance, there is a new wave of pre-litigation demand letters and inquiries under the statute that seeks to create a compliance trap for businesses.
Shine the Light was not repealed when CCPA made its mainstage debut. Instead, Shine the Light remains a distinct statutory obligation with a narrower focus on third-party marketing disclosures.
While we will explore potential pitfalls in depth in further posts, for now, the case law has been instructive on when these dual privacy obligations may arise:
Boorstein v. CBS Interactive, Inc., 165 Cal. Rptr. 3d 669, 222 Cal.App.4th 456 (Cal. App. 2014)
As a first step, businesses should review their data disclosure practices to see if any personal data is disclosed to an unaffiliated third party for that party to directly solicit, induce, or market products, goods, or services to individuals via mail, telephone, or email. This would include physical mail, catalogs, promotional emails or other types of marketing by telephone, mail, or email. If the answer is yes, then your company should consider diving deeper into creating a Shine the Light policy and procedure to avoid potential litigation.
In the next post—how to mitigate the risk of Shine the Light demand letters and/or litigation.
