At Password Protected we strive to inform readers of recent developments in data privacy law. While the California Consumer Privacy Act (CCPA) is forcing new changes to data privacy policies, procedures and practices, we want to remind you of an older California data privacy statute, called the Shine the Light Law (STL), which remains in effect following passage of the CCPA. The STL may have fallen by the wayside in your compliance program amid all the fervor surrounding the CCPA, and before that, the European Union’s General Data Protection Regulation. However, with a significant uptick in STL class action lawsuits in California, we felt it was noteworthy to bring this to your attention.
The STL is a disclosure statute enacted in 2005, which is designed to “shine the light” on businesses’ information sharing practices. The STL requires businesses to establish procedures that will allow customers to learn if businesses have shared their personal information with third parties for direct marketing purposes. In short, “[t]he STL law requires businesses that share customers’ personal information with third parties for direct marketing to disclose, upon a customer’s request, the names and addresses of third parties who have received personal information and the categories of personal information revealed.” Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456, 460 (2013); Cal. Civ. Code § 1798.83(a).
“The STL law also requires businesses to make their contact information available to customers in one of three statutorily prescribed ways, and it provides that businesses need not make the disclosures required by section 1798.83, subdivision (a), if they instead give customers the opportunity to opt in or opt out of the disclosure of their personal information.” Boorstein, 222 Cal. App. 4th at 460-61. “If a plaintiff’s personal information was never shared or the plaintiff did not request (or want to, try to, or was unable to request any STL disclosures), the business has no obligation to provide any disclosures in the first instance.” Id. at 462.
The STL lists 27 categories of “personal information,” including name, address, electronic mail address, age or date of birth, and telephone number. See Cal. Civ. Code § 1798.83(e)(6)(A). The definition of “personal information” is very broad in scope, and potentially encompasses nearly all forms of personally identifiable information.
The STL, however, does not apply to all businesses and all information sharing practices. Below is a checklist to determine whether your business and its data sharing are subject to the statute.
(1) How many employees do you have? The STL only applies to businesses with 20 or more full-time or part-time employees. Businesses with fewer than 20 employees are exempt. See Civ. Code § 1798.83(c)(1).
(2) Do you have an established business relationship with customers? The STL applies to businesses that have an ongoing relationship with California customers, and the business relationship is primarily for personal, family, or household purposes. See Civ. Code § 1798.83(e)(1)&(5).
(3) Do you share customers’ personal information with third parties? If your business only collects customers’ personal information, but does not share it with third parties, the STL’s disclosure requirements do not apply to you. See Civ. Code § 1798.83(a).
(4) If you share personal information with third parties, is the purpose of the disclosure the third parties’ own direct marketing? The STL’s disclosure requirements apply if your business shares customers’ personal information with third parties so that they may “solicit or induce a purchase, rental, lease, or exchange of products, goods, property, or services directly to individuals by means of the mail, telephone, or electronic mail for their personal, family, or household purposes.” Civ. Code § 1798.83(e)(2). The STL, however, lists a number of circumstances where the business’s sharing of information with third parties is not considered to be for “direct marketing purposes.” See Cal. Civ. Code § 1798.83(d). Most of these situations involve the business sharing information with third parties to carry out an essential function of the business (e.g., a third party maintaining customers’ information, marketing for the business, or servicing the customers’ accounts), or sharing customers’ information with financial institutions involved in the transaction. In other words, the STL’s disclosure requirements apply if you share your customers’ personal information with third parties so they can market their own products, rather than to assist your business.
In sum, if your business and information sharing practices fall within the scope of the STL, take heed of this statute and ensure you have protocols in place to respond to customer inquiries and/or give customers an opportunity to either opt in to or opt out of your business sharing their personal information. Plan ahead, because you have only 30 days to respond to a customer request if it is received at one of your designated addresses or numbers. Failure to comply with the STL could subject businesses to civil lawsuits and statutory damages ranging from $500 to $3,000 per violation. As you can imagine, when these statutory damages are aggregated in a class action lawsuit, a business’s potential exposure could be significant.