Posted: Jun 30 2005 | Revised: Jun 30 2014
- How can I find out who has accessed my personal information?
- How can I make a request for disclosure?
- How soon can I expect the business to respond?
- Are any businesses exempt from this law?
- What are my rights if the business refuses to comply with this law?
These days you may have noticed that it is no coincidence that junk mail and solicitations arrive tailored to your individual interests. What you may be in the dark about is whether it is your magazine subscription, gym, or bank that is responsible for sharing your information with other companies.
If you are a California resident, the "Shine the Light" law requires businesses to tell you with whom they have shared your information. (CA Civil Code 1798.83)
2. How can I find out who has accessed my personal information?
If you suspect that a company you've done business with has sold or shared your personal information with another company for marketing purposes in the last calendar year, you can request that they tell you what they have shared. The business must give you a list of the names and addresses of the companies that received your personal information. The list will also include the categories of information shared (such as name and address, e-mail address, date of birth, race, religion, occupation, telephone number, education, etc.). Please note that businesses are only required by law to respond to one request per year.
This list is free, but you should know that the information does not have to be customer specific, and can be a standardized form. The resulting list thus might be overinclusive.
For example, you may be receiving brochures, marketing calls, or emails all offering exciting vacations. If you want to find out whether the cruise company you vacationed with six months ago is responsible, you can send them a letter asking if they shared your information. Under the law, the cruise company now has two options: give you an opportunity to opt out of future information sharing, or provide you with a list of all companies with whom your information was shared. If they take the first option, they must provide you with a free way to opt out. If they take the second option, the company may send a standardized list of all companies with whom it shared customer information.
3. How can I make a request for disclosure?
The law requires businesses to provide the contact information for making a request in at least one of the following places: their website, the physical location(s) of the business, or with managers of employees who handle your personal information.
The business's website is one of the easiest places to locate the contact information. If a business posts the contact information on the Internet, the law requires it to include a link on its homepage, entitled "Your Privacy Rights" or "Your California Privacy Rights," which details your rights under this law and provides mailing and e-mail addresses. If the link on the homepage says "Your California Privacy Rights," then you must make your request to the address given on the linked page. This link is often found at the bottom of a company's home page.
4. How soon can I expect the business to respond?
The business must respond within 30 days if the request was made to one of the designated contact places. If the request was sent to a general office address, the business has a reasonable time to respond, not exceeding 150 days.
5. Are any businesses exempt from this law?
Yes, several groups are categorically shielded from the law, including:
- Tax-exempt charitable institutions (nonprofit organizations)
- Religious organizations
- Survey companies
- Political groups
- Financial companies that are in compliance with the California Financial Information Privacy Act
- Consumer reporting agencies - Equifax, Experian, TransUnion
- Businesses with fewer than 20 employees
- Businesses that only share with permission (opt-in) or that allow you to opt out
CA Civil Code 1798.83(e)(2), defining "Direct Marketing Purposes," lists exempt businesses.
6. What are my rights if the business refuses to comply with this law?
If you feel you were harmed because a company did not disclose this information as required, you can file a civil lawsuit to recover damages. Damages are limited to $500. If the court finds the violation willful, intentional or reckless, you can recover up to $3,000. This situation might arise if a company refuses to track how information is shared or has been repeatedly fined $500 and is making no effort to comply with the law. The plaintiff is also entitled to reasonable attorney fees and expenses.
If the violation is not willful, intentional or reckless, the law gives companies a 90-day grace period. A business will not have to pay the $500 if it provides the information within 90 days of notification of failure to comply with the law.
We acknowledge the assistance of Leslie Flint, Legal Intern, in researching and writing this guide (June 2005).