Introduction

The California Shine the Light Law, CA Civil Code § 1798.83 (the “Shine the Light Law”), is a state statutory law that was adopted as a part of the Consumer Records Act. The Shine the Light Law is intended to protect the personal information of California residents by requiring businesses to identify the third parties that received disclosures of personal information.

Applicability

The Shine the Light Law applies to businesses that disclosed customers’ personal information within the preceding year. Personal information means any information that, when it was disclosed, identified, described, or was able to be associated with an individual.

Requirements

Upon written request from a customer, businesses are required to furnish details about disclosures of the customer’s personal information to third parties and identify the third parties that received the data. The business must know that the third party used the personal information for direct marketing purposes. A data subject is a “customer” when they provide their personal information to the business during a business relationship with it.

Businesses must designate a mailing address, electronic mail address, toll-free telephone, or facsimile number as a “means of contact” to which customers may submit requests. Businesses must make the means of contact known to customers through one of the following methods: (1) notify customer service managers of the means of contact and instruct them to provide the means of contact to customers that inquire about the business’ privacy practices; (2) provide the means of contact on the business’ website homepage; or (3) make the means of contact readily available for customer requests at every place of business in California.

A customer request must be fulfilled within 30 days when it is submitted directly to the means of contact, but should be fulfilled within a reasonable period, not exceeding 150 days, when otherwise submitted.

Exempted from these requirements are businesses (1) with fewer than twenty employees; and (2) that adopt an opt-in or opt-out policy regarding disclosures to third parties and notify customers of their options.

Enforcement & Liability

The California Attorney General is authorized to enforce compliance with the law. Customers harmed by a violation of this law have a private right of action to recover damages in California state courts. Injunctive relief is available to plaintiffs and the Attorney General to enjoin a business in violation of the law. Reasonable attorney’s fees and costs are available to prevailing plaintiffs.

Penalties

Businesses in violation of the law may be subject to civil fines of $500 each, and $3,000 for willful violations.