"Shine the Light" on Marketers:
These days you realize that it is no coincidence that junk mail and solicitations come tailored to your individual interests. What you may be in the dark about is whether it is your magazine subscription, gym, or bank that is responsible for sharing your information with other companies. If you are a California resident, the "Shine the Light" law, implemented January 1, 2005, requires businesses to tell you with whom they have shared your information. (CA Civil Code 1798.83)

How can I find out who has accessed my personal information?

If you suspect that a company you've done business with has sold or shared your personal information with another company for marketing purposes in the last calendar year, you can request that they tell you what they have shared. The business must give you a list of the names and addresses of the companies that received your personal information. The list will also include the categories of information shared (such as name and address, e-mail address, date of birth, race, religion, occupation, telephone number, education, etc.). Please note that businesses are only required by law to respond to one request per year. This list is free, but you should know that the information does not have to be customer specific, and can be a standardized form. The resulting list thus might be overinclusive.

For example, you may be receiving brochures, marketing calls, or emails all offering exciting vacations. If you want to find out if the cruise company you vacationed with six months ago is responsible, you can send them a letter asking if they shared your information. Under the law, the cruise company now has two options - give you an opportunity to opt-out of future information sharing or provide you with a list of all companies with whom your information was shared. If they take the first option they must provide you with a free way to opt-out.
If they take the second option the company may send a standardized list of all companies with whom it shared customer information.

How can I make a request for disclosure?

Your request can be made by either postal or electronic mail. A sample letter is available on our website at http://www.privacyrights.org/letters/jm3.htm. You can also check to see if the business offers a toll-free request line or fax option. The law requires businesses to provide the contact information for making a request in at least one of the following places: their website, the physical location(s) of the business, or with managers of employees who handle your personal information.

The business' website is one of the easiest places to locate the contact information. If posting the contact information on the Internet, the law requires businesses to include a link on their homepage, entitled "Your Privacy Rights" or "Your California Privacy Rights," which details your rights under this law and provides mailing and e-mail addresses. If the link on the homepage says "Your California Privacy Rights," then you must make your request to the address given on the linked page. This link is often found at the bottom of a company's home page. A partial list of companies with this information can be found at http://www.privacyrights.org/ar/shinelight.htm. In addition, a business might have its own privacy policy on its website, which may offer additional information and protections.

Other options include every physical location in California where the business regularly has contact with customers. If you cannot find the information on a company's homepage, another option is to go into the closest store and ask the clerk for the contact information. You should also be aware that the law requires all managers or supervisors of employees with actual or potential access to your personal information to provide you with the contact information as well.
If the above two options do not work, the customer representative should be able to provide you with the contact information.

How soon can I expect the business to respond?

The business must respond within 30 days if the request was made to one of the designated contact places. If the request was sent to a general office address, the business has a reasonable time to respond, not exceeding 150 days.

What if I do not recognize the company that received or bought my information?

If the nature of the company is not clear, the business must also disclose examples of the products or services that are being marketed.

Are any businesses exempt from this law?

Yes, several groups are categorically shielded from the law, including:
Are there any situations where a business can share or sell my information and not disclose under this law?

Yes, a business is not required to disclose personal information it has shared with companies that provide non-marketing services, such as storage of paperwork and processing of credit transactions. Certain other business relationships are exempt as well, including affiliates, licensed agents, and debt collection agents.

How do I know if I can opt-out of future sharing of my personal information?

A business is required to notify you of its existing policies that allow you to choose to share your information (opt-in) or that allow you to stop the sharing of your information (opt-out) for marketing purposes. If the company has such a policy, then it must provide you with a free method to opt-in or opt-out. Businesses that consistently maintain opt-in or opt-out policies are exempt from the disclosure requirements. If a company has given you the opportunity to opt-out and you decline, you will be unable to discover which additional companies may have received your personal information.

What are my rights if the business refuses to comply with this law?

If you feel you were harmed because a company did not disclose this information as required, you can file a civil lawsuit to recover damages. Damages are limited to $500. If the court finds the violation willful, intentional or reckless, you can recover up to $3,000. This situation might arise if a company refuses to track how information is shared or has been repeatedly fined $500 and is making no effort to comply with the law. The plaintiff is also entitled to reasonable attorney fees and expenses. If the violation is not willful, intentional or reckless, the law gives companies a 90-day grace period. A business will not have to pay the $500 if it provides the information within 90 days of notification of failure to comply with the law.

If I do not live in California, does my state have a similar law?
To the best of our knowledge, no other state has a similar "Shine the Light" law.

Resources
We acknowledge the assistance of Leslie Flint, Legal Intern,
in researching and writing this guide (June 2005)
Copyright © 2005-2007. Privacy Rights Clearinghouse/UCAN. For distribution of this fact sheet, see our copyright and reprint guidelines. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This fact sheet should be used as an information source and not as legal advice. PRC fact sheets contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our fact sheets are applicable to consumers nationwide. Privacy Rights Clearinghouse, 3100 - 5th Ave., Suite B, San Diego, CA 92103. Web: www.privacyrights.org