California's Shine the Light Law: Latest Class Action Threat for Online Retailers and Electronic Commerce Companies
Retail Industry Alert
The coming of a new year brings many things, not the least of which for companies doing business in California is the emergence of new legal threats. In the last several weeks, plaintiffs' lawyers have filed several class action lawsuits under a relatively obscure California law known as the "Shine the Light" Law, California Civil Code § 1798.83. The purpose of the law is to provide consumers a way to contact companies they believe are disclosing their personal information for direct marketing purposes so that they may obtain information about (and opt out of if they so choose) those disclosures. Although the law has been around since 2005, recent audits suggest that compliance has not been uniform, which may partially explain the recent class action filings. The lawsuits to date have been filed against prominent media and technology companies with significant (if not exclusive) online presences. The suits generally allege that defendants violated the "Shine the Light" Law, as well as California's Unfair Competition Law, which prohibits unlawful, unfair or fraudulent business acts or practices, by not providing California residents with necessary information to make disclosure requests.
By way of brief background, the "Shine the Light" Law is part of California's Consumer Records Act that, generally speaking, requires companies dealing with California residents to take certain steps to protect personal information, including providing notice if personal information is compromised. Section 1798.83 is intended to provide transparency into the manner in which personal information is collected, stored, accessed and disclosed (the thought being that transparency leads to consumer confidence in information handling). This law applies to most companies, even those with as few as 20 employees. Companies must either provide customers an opt-out mechanism to avoid having their information shared or make a detailed disclosure of how their personal information was used (i.e., disclosed to a third party) for direct marketing purposes in the past calendar year. Under the law, a customer has the right to request (and receive within 30 days) the names and addresses of third parties with which personal information was shared, as well as a list of the type(s) of personal information provided.
The "Shine the Light" Law requires businesses to designate a dedicated mailing or email address or toll-free phone number where customers can request disclosures. While traditional "brick and mortar" locations may display "Shine the Light" disclosures in their storefronts, the Act requires those companies with no physical locations to either provide the disclosures on their websites or to train their managers and employees to notify customers of the addresses and phone numbers where the "Shine the Light" disclosures may be obtained.
The most popular target to date appears to be businesses that operate almost exclusively online. Because those companies do not have "employees who regularly have contact with customers," they cannot assert that they instructed managers to inform employees who regularly have contact with customers about how to obtain the disclosures. Nor can e-businesses claim that they made the contact information available at every place of business that regularly has customer interaction.
In short, the complaints allege that defendants (i) do not maintain a physical storefront location; (ii) collect and store a wealth of information about their subscribers; (iii) profit by sharing or selling customers' personal information; and (iv) intentionally keep their users in the dark on their information sharing practices by failing to make appropriate "Shine the Light" disclosures on their websites. As a result, plaintiffs contend that they cannot exercise their legally prescribed rights to demand information and/or to opt out of information sharing.
Notably, as with most privacy-related consumer protection laws, the "Shine the Light" law does not require plaintiffs to prove any actual damages (there rarely are any). Rather, the law provides that a customer may be awarded up to $3,000 per willful, intentional or reckless violation, as well as recover reasonable attorneys' fees and costs. Also, further to the unfair competition claims, plaintiffs seek "full restitution of all funds wrongfully obtained by sharing and/or selling plaintiff's and the class's personal information."
While there are several bases to defeat the claims, the best defense with these cases – as with most – is to avoid litigation to the extent possible. Although businesses have three options to comply with the disclosure requirement, online retailers and other e-commerce sites should designate a mailing or email address, as well as a toll-free number to receive disclosure requests, and provide the required hyperlink and disclosures on their websites. Precise compliance with the technical requirements of the law is vitally important, as plaintiffs' lawyers will look for any opportunity to sue regardless of how well-intentioned and proactive companies have been about their privacy policies and efforts.