California's "Shine the Light" Law Goes into Effect Jan. 1, 2005

San Diego, CA -- In 2003, Senate Bill 27, introduced by California State Senator Liz Figueroa, passed into law. The 'Shine the Light' law (CA Civil Code 1798.83) goes into effect for California residents on January 1, 2005.

When you’ve received junk mail, have you ever wondered which company provided your name and address to the marketer? Now you can find out. The “Shine the Light” law requires certain businesses to disclose their information-sharing practices to their customers. Upon request, companies must tell you with whom they have shared your personal information for marketing purposes within the last twelve months.

What businesses must comply with the law?

  • Businesses with 20 or more employees.
  • Businesses that have an established business relationship with a California resident. In other words, your request can be made to companies with which you have an account or from which you have purchased a product or service.
  • Businesses that have shared your information with third parties for marketing purposes within the last twelve months.

What businesses are exempt from the law?

  • Any business that offers its California customers the ability to say “no” to selling their personal information, either through an opt-in or opt-out.
  • Nonprofit organizations including charities and religious organizations asking for donations.
  • Politicians and other political groups that are fundraising.
  • Banks and financial institutions.
  • Any business that provides public real estate records information where information was not directly provided by a customer.
  • Credit reporting bureaus.

What does the law require businesses to do?

  • Businesses that are covered by the law must provide instructions about how to make your disclosure request. A company must offer you one of these three options:
    • It must tell you how to make your request when you ask one of its customer service representatives.
    • Or, it must make written information available to customers at all California business locations with regular customer contact.
    • Or, the company can post information on its web site. If a business chooses to provide instructions about how to make your disclosure request on its web site, look for terms like "Your Privacy Rights" or "Your California Privacy Rights."
  • For each of these methods, the company must provide a mailing address, email address, toll-free number or toll-free fax number for customers to make their disclosure request.

What must be included in the disclosure?

  • A business's response must disclose the categories of personal information disclosed to third parties. This includes information such as: name, address, email address, phone number, Social Security number, payment history, debit or credit card information, occupation, banking information, and profile information such as hobbies and interests, marital status, height, weight, religion, age, gender, and household income level. (See the text of Civil Code 1798.83 below for full details of categories.)
  • They must provide the list of companies to which your personal information was disclosed for marketing purposes within the last calendar year.
  • However, companies that have a Privacy Policy or Privacy Notice that allows you to opt in or opt out of the sharing of your personal information do not need to provide you with disclosure about the categories of personal information that were shared and with whom. Instead, the company must simply provide a copy of its opt-in or opt-out policy so you can minimize the sharing of your personal information.

What are my rights under the law?

  • A company must respond to your Information-Sharing Disclosure request within 30 days.
  • If you make your request in a manner not noted in the company's disclosure policy (to an email address, mailing address, toll-free number or fax number different from those designated for making a disclosure request), the company has 150 days to respond instead of 30 days.
  • A company does not need to respond to a second request within a one-year time frame.
  • If the business fails to respond to a disclosure request, the customer may collect a civil penalty of up to $500. If a company willfully or intentionally does not comply with a disclosure request, the customer can recover a civil penalty of up to $3,000. Plaintiffs may also be entitled to attorneys' fees.

What can I do once I receive disclosure information from the company?

  • Knowing which companies sell or share personal information with third parties helps you make better choices about the companies with which you decide to do business. If privacy is important to you, you can use your buying power to support companies that protect your personal information by not selling or sharing it with others.
  • You can also help us at the Privacy Rights Clearinghouse learn more about the information sharing practices of businesses. Here’s how:
    • We are compiling a list of companies' designated email addresses, mailing addresses, phone and fax numbers to which consumers can make their disclosure requests. Please notify us of companies’ contact information so we can post this information on our web site.
    • Because we are interested in better tracking the flow of personal information between companies, the PRC also would like to receive copies of companies’ disclosure statements. This will enable us to keep track of who is sharing personal information and with whom.
    • If you have made a disclosure request but have not received a response within 30 days, please let us know which company is not in compliance with the law. We will alert you to ways you can complain about the company, and we ourselves can notify authorities.
    • Feel free to contact us by mail, fax, email or phone. Our contact information is at the top of this page.

Where can I find more information?