Fact Sheet 4a:
"Shine the Light" on Marketers:
Find Out How They Know Your Name




Copyright © 2005 - 2014
Privacy Rights Clearinghouse
Posted July 2005
Revised November 2013

  1. Introduction
  2. How can I find out who has accessed my personal information?
  3. How can I make a request for disclosure?
  4. How soon can I expect the business to respond?
  5. What if I do not recognize the company that received or bought my information?
  6. Are any businesses exempt from this law?
  7. Are there any situations where a business can share or sell my information and not disclose under this law?
  8. How do I know if I can opt-out of future sharing of my personal information?
  9. What are my rights if the business refuses to comply with this law?
  10. If I do not live in California, does my state have a similar law?
  11. Resources

1. Introduction

These days you realize that it is no coincidence that junk mail and solicitations come tailored to your individual interests. What you may be in the dark about is whether it is your magazine subscription, gym, or bank that is responsible for sharing your information with other companies.

If you are a California resident, the "Shine the Light" law, implemented January 1, 2005, requires businesses to tell you with whom they have shared your information. (CA Civil Code 1798.83)

2. How can I find out who has accessed my personal information?

If you suspect that a company you've done business with has sold or shared your personal information with another company for marketing purposes in the last calendar year, you can request that they tell you what they have shared. The business must give you a list of the names and addresses of the companies that received your personal information. The list will also include the categories of information shared (such as name and address, e-mail address, date of birth, race, religion, occupation, telephone number, education, etc.). Please note that businesses are only required by law to respond to one request per year.

This list is free, but you should know that the information does not have to be customer specific, and can be a standardized form. The resulting list thus might be overinclusive.

For example, you may be receiving brochures, marketing calls, or emails all offering exciting vacations. If you want to find out if the cruise company you vacationed with six months ago is responsible, you can send them a letter asking if they shared your information. Under the law, the cruise company now has two options - give you an opportunity to opt-out of future information sharing or provide you with a list of all companies with whom your information was shared. If they take the first option they must provide you with a free way to opt-out. If they take the second option the company may send a standardized list of all companies with whom it shared customer information.

3. How can I make a request for disclosure?

Your request can be made by either postal or electronic mail. A sample letter is available on our website at www.privacyrights.org/Letters/jm3.htm. You can also check to see if the business offers a toll-free request line or fax option.

The law requires businesses to provide the contact information for making a request in at least one of the following places: their website, the physical location(s) of the business, or with managers of employees who handle your personal information.

The business' website is one of the easiest places to locate the contact information. If posting the contact information on the Internet, the law requires businesses to include a link on their homepage, entitled "Your Privacy Rights" or "Your California Privacy Rights," which details your rights under this law and provides mailing and e-mail addresses. If the link on the homepage says "Your California Privacy Rights," then you must make your request to the address given on the linked page. This link is often found at the bottom of a company's home page. A partial list of companies with this information can be found at www.privacyrights.org/ar/ShineLight.htm.

In addition, a business might have its own privacy policy on its website, which may offer additional information and protections.

Other options include every physical location in California where the business regularly has contact with customers. If you cannot find the information on a company's homepage, another option is to go into the closest store and ask the clerk for the contact information.

You should also be aware that the law requires all managers or supervisors of employees with actual or potential access to your personal information to provide you with the contact information as well. If the above two options do not work, the customer representative should be able to provide you with the contact information.

4. How soon can I expect the business to respond?

The business must respond within 30 days if the request was made to one of the designated contact places. If the request was sent to a general office address, the business has a reasonable time to respond, not exceeding 150 days.

5. What if I do not recognize the company that received or bought my information?

If the nature of the company is not clear, the business must also disclose examples of the products or services that are being marketed.

6. Are any businesses exempt from this law?

Yes, several groups are categorically shielded from the law, including:

  • Tax-exempt charitable institutions (nonprofit organizations)
  • Religious organizations
  • Survey companies
  • Political groups
  • Financial companies that are in compliance with the California Financial Information Privacy Act
  • Consumer reporting agencies - Equifax, Experian, TransUnion
  • Businesses with fewer than 20 employees
  • Businesses that only share with permission (opt-in) or that allow you to opt-out.

Note: CA Civil Code 1798.83(e)(2), defining "Direct Marketing Purposes," lists exempt businesses.

7. Are there any situations where a business can share or sell my information and not disclose under this law?

Yes, a business is not required to disclose personal information it has shared with companies that provide non-marketing services, such as storage of paperwork and processing of credit transactions. Certain other business relationships are exempt as well, including affiliates, licensed agents, and debt collection agents.

8. How do I know if I can opt-out of future sharing of my personal information?

A business is required to notify you of its existing policies that allow you to choose to share your information (opt-in) or that allow you to stop the sharing of your information (opt-out) for marketing purposes. If the company has such a policy, then it must provide you with a free method to opt-in or opt-out.

Businesses that consistently maintain opt-in or opt-out policies are exempt from the disclosure requirements. If a company has given you the opportunity to opt-out and you decline, you will be unable to discover which additional companies may have received your personal information.

9. What are my rights if the business refuses to comply with this law?

If you feel you were harmed because a company did not disclose this information as required, you can file a civil lawsuit to recover damages. Damages are limited to $500. If the court finds the violation willful, intentional or reckless, you can recover up to $3,000. This situation might arise if a company refuses to track how information is shared or has been repeatedly fined $500 and is making no effort to comply with the law. The plaintiff is also entitled to reasonable attorney fees and expenses.

If the violation is not willful, intentional or reckless, the law gives companies a 90-day grace period. A business will not have to pay the $500 if it provides the information within 90 days of notification of failure to comply with the law.

In Regueiro v. XO Group, Inc. (July 3, 2012), a court issued a ruling dismissing a case brought under the "Shine the Light" law, making it the first case to come to a final decision in a trial court.  The plaintiff alleged that XO Group had failed to include required information about the law in its privacy policy.  However, the plaintiff had never actually requested the information from XO Group.  You can read an analysis of the decision at http://privacylaw.proskauer.com/2012/07/articles/california/court-shines-light-on-california-datasharing-law-proskauer-litigators-obtain-dismissal/.

10. If I do not live in California, does my state have a similar law?

To the best of our knowledge, no other state has a similar "Shine the Light" law.

11. Resources

We acknowledge the assistance of Leslie Flint, Legal Intern, in researching and writing this guide (June 2005).

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.

