March 14, 2012

A New Dawn: California's "Shine the Light" Law Suddenly Illuminating California Courts

Consumer Advertising Law Blog

It's time for companies to dust off their privacy and employee training policies. In the last 3 months, the same plaintiff's counsel has filed 10 nearly-identical class action lawsuits against various corporations alleging violations of California's "Shine the Light" law, Cal. Civ. Code § 1798.83 ("Act"). And there is no indication that this trend is abating: the last case was filed only two weeks ago. The decisions in these cases will make for particularly interesting studies, because since the Act became effective seven years ago, no court has issued an opinion interpreting any of its provisions.

The Act applies to companies with more than 20 employees that have, within the past year, disclosed the personal information of California customers to third parties for direct marking purposes. The Act does not restrain this sharing, but instead requires companies to disclose certain information about it. If a company fails to comply, and a customer is injured, the customer may recover a civil penalty of up to $500 per violation, and up to $3,000 per willful, intentional, or reckless violation. The Act does not define what constitutes consumer injury, and this is a central point of disagreement in the suits that have been filed. Finally, the Act contains a safe harbor provision shielding businesses from liability if they cure a non-willful violation within 90 days of notice.

A business has two ways of complying with the Act. First, it can provide customers, upon their request, with a description of the categories of personal information it has shared with third party marketers, along with the names of those third parties. To facilitate requests for these disclosures, the business must provide customers a mailing address, email address, toll-free number, or fax number where a request for this information should be directed. To convey this contact information to the customer, a business must do at least one of the following: (1) train employees who "regularly have contact with customers" to provide the contact information if asked; (2) include the contact information in its web site's privacy policy, subject to specific emphasis and wording requirements; or (3) make the contact information "readily available upon request of a customer" at the business's physical locations.

A second, alternative way a business may comply is to provide, and to disclose in its privacy policy, a free method by which the customer may opt-in or opt-out of such information-sharing altogether.

The 10 class action complaints filed throughout California allege nearly-identical facts: a customer purchased goods or signed up for a service through a company's website, but the company did not include the appropriate information in its web site's privacy policy or otherwise provide information about a customer's rights under the Act. In three of the actions, the defendant companies have filed motions to dismiss. Among other things, the companies argue that plaintiffs misunderstand that there are alternative ways of complying with the statute (which the companies have done), that plaintiffs have not suffered damages, and/or that the plaintiffs lack standing.

In light of these recent suits, companies operating in California should consider reviewing their privacy and training policies. The decisions on these cases will be the first decisions to interpret the Act and could set the stage for other actions, while hopefully providing meaningful guidance on how companies can avoid liability.

© Arnold & Porter Kaye Scholer LLP 2012 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.


Subscribe Link

Email Disclaimer