- How can I find out who has accessed my personal information?
- How can I make a request for disclosure?
- How soon can I expect the business to respond?
- What if I do not recognize the company that received or bought my information?
- Are any businesses exempt from this law?
- Are there any situations where a business can share or sell my information and not disclose under this law?
- How do I know if I can opt-out of future sharing of my personal information?
- What are my rights if the business refuses to comply with this law?
- I do not live in California. Does my state have a similar law?
These days you realize that it is no coincidence that junk mail and solicitations come tailored to your individual interests. What you may be in the dark about is whether it is your magazine subscription, gym, or bank that is responsible for sharing your information with other companies.
If you are a California resident, the "Shine the Light" law requires businesses to tell you with whom they have shared your information. (CA Civil Code 1798.83)
How can I find out who has accessed my personal information?
If you suspect that a company you've done business with has sold or shared your personal information with another company for marketing purposes in the last calendar year, you can request that they tell you what they have shared. The business must give you a list of the names and addresses of the companies that received your personal information. The list will also include the categories of information shared (such as name and address, e-mail address, date of birth, race, religion, occupation, telephone number, education, etc.). Please note that businesses are only required by law to respond to one request per year.
This list is free, but you should know that the information does not have to be customer specific, and can be a standardized form. The resulting list thus might be overinclusive.
For example, you may be receiving brochures, marketing calls, or emails all offering exciting vacations. If you want to find out if the cruise company you vacationed with six months ago is responsible, you can send them a letter asking if they shared your information. Under the law, the cruise company now has two options: give you an opportunity to opt-out of future information sharing, or provide you with a list of all companies with whom your information was shared. If they take the first option, they must provide you with a free way to opt-out. If they take the second option, the company may send a standardized list of all companies with whom it shared customer information.
How can I make a request for disclosure?
Your request can be made by either postal or electronic mail. A sample letter is available on our website. You can also check to see if the business offers a toll-free request line or fax option.
The law requires businesses to provide the contact information for making a request in at least one of the following places: their website, the physical location(s) of the business, or with managers of employees who handle your personal information.
The business's website is one of the easiest places to locate the contact information. If posting the contact information on the Internet, the law requires businesses to include a link on their homepage, entitled "Your Privacy Rights" or "Your California Privacy Rights," which details your rights under this law and provides mailing and e-mail addresses. If the link on the homepage says "Your California Privacy Rights," then you must make your request to the address given on the linked page. This link is often found at the bottom of a company's home page.
Other options include every physical location in California where the business regularly has contact with customers. If you cannot find the information on a company's homepage, another option is to go into the closest store and ask the clerk for the contact information.
You should also be aware that the law requires all managers or supervisors of employees with actual or potential access to your personal information to provide you with the contact information as well. If the above two options do not work, the customer representative should be able to provide you with the contact information.
How soon can I expect the business to respond?
The business must respond within 30 days if the request was made to one of the designated contact places. If the request was sent to a general office address, the business has a reasonable time to respond, not exceeding 150 days.
What if I do not recognize the company that received or bought my information?
If the nature of the company is not clear, the business must also disclose examples of the products or services that are being marketed.
Are any businesses exempt from this law?
Yes, several groups are categorically shielded from the law, including:
- Tax-exempt charitable institutions (nonprofit organizations)
- Religious organizations
- Survey companies
- Political groups
- Financial companies that are in compliance with the California Financial Information Privacy Act
- Consumer reporting agencies - Equifax, Experian, TransUnion
- Businesses with fewer than 20 employees
- Businesses that only share with permission (opt-in) or that allow you to opt-out.
CA Civil Code 1798.83(e)(2), defining "Direct Marketing Purposes," lists exempt businesses.
Are there any situations where a business can share or sell my information and not disclose under this law?
Yes, a business is not required to disclose personal information it has shared with companies that provide non-marketing services, such as storage of paperwork and processing of credit transactions. Certain other business relationships are exempt as well, including affiliates, licensed agents, and debt collection agents.
How do I know if I can opt-out of future sharing of my personal information?
A business is required to notify you of its existing policies that allow you to choose to share your information (opt-in) or that allow you to stop the sharing of your information (opt-out) for marketing purposes. If the company has such a policy, then it must provide you with a free method to opt-in or opt-out.
Businesses that consistently maintain opt-in or opt-out policies are exempt from the disclosure requirements. If a company has given you the opportunity to opt-out and you decline, you will be unable to discover which additional companies may have received your personal information.
What are my rights if the business refuses to comply with this law?
If you feel you were harmed because a company did not disclose this information as required, you can file a civil lawsuit to recover damages. Damages are limited to $500. If the court finds the violation willful, intentional or reckless, you can recover up to $3,000. This situation might arise if a company refuses to track how information is shared or has been repeatedly fined $500 and is making no effort to comply with the law. The plaintiff is also entitled to reasonable attorney fees and expenses.
If the violation is not willful, intentional or reckless, the law gives companies a 90-day grace period. A business will not have to pay the $500 if it provides the information within 90 days of notification of failure to comply with the law.
I do not live in California. Does my state have a similar law?
To the best of our knowledge, no other state has a similar "Shine the Light" law.
- Full Text of the "Shine the Light" law (CA Civil Code 1798.83)
- Form Letter to Request Disclosure of Information Sharing
- For a discussion of the shortcomings of the California Shine the Light Law, read: Hoofnagle, Chris Jay and King, Jennifer, Consumer Information Sharing: Where the Sun Still Don't Shine (December 17, 2007). Available at SSRN: http://ssrn.com/abstract=1137990. See also: Thomas, Lauren and Hoofnagle, Chris Jay, Exploring Information Sharing through California’s 'Shine the Light' Law (August 13, 2009). Available at SSRN: http://ssrn.com/abstract=1448365
- ACLU of Northern California, Losing the Spotlight: A Study of California's Shine the Light Law (November 2013)
in researching and writing this guide (June 2005)