Direct marketers can breathe a sigh of relief that a California privacy bill was watered down before passing the state Assembly this week.
As introduced by state Sen. Liz Figueroa, S.B. 27 would have required companies to keep records of all customer data that is shared with third parties offline or online for direct marketing purposes. The bill would require companies to provide a consumer with all the data that was shared and the names of the third-party data users within 30 days of a request by the consumer. It would affect any company doing business in California.
The bill, dubbed “Shine the Light” and introduced Dec. 2, passed the California Senate 26-13 on May 29. It has been working its way through the Assembly since June and was defeated 38-12 Aug. 21, though 30 members did not vote. However, a key amendment was added Sept. 5 that seemingly helped facilitate the 75-2 passage of the bill, with only three absent or abstaining from the vote.
Under the amended bill, if a business has a privacy policy that gives consumers a choice not to have their personal information disclosed to third parties for marketing purposes, then it does not need to provide the consumer with the details of what data has been shared and with whom. In that case, it must notify the consumer of his ability to opt out for free.
It’s unclear whether pressure from businesses prompted the changes.
Though the amended bill seemed to be good news for DMers, the Direct Marketing Association’s only comment was that it opposed the legislation.
“Generally speaking, the DMA still opposes the bill and does not believe that there is any reason to have such legislation enacted,” DMA spokesman Louis Mastria said.
Yet, based on the contents of the DMA’s Privacy Promise, which became effective July 1, 1999, all member companies should already be in compliance with S.B. 27. Under the Privacy Promise, DMA members must:
* Provide customers with annual notice of their ability to opt out of information exchanges.
* Honor customer opt-out requests not to have their contact information transferred to others for marketing purposes.
* Accept and maintain consumer requests to be on an in-house suppress file to stop receiving solicitations from your company.
* Use the DMA Preference Service suppression files for mail, telephone and e-mail lists.
If a DMA member does not follow the Privacy Promise, it faces censure, suspension or expulsion.
Figueroa’s office had no official comment yesterday on S.B. 27 except to confirm that it passed. It is unclear whether the amended bill needs to go back to the Senate. In addition, California Gov. Gray Davis’ stance was unknown. If signed by Davis and uncontested, the bill would take effect Jan. 1, 2005.
“It’s a bizarre statute that gives a great reward for adopting a privacy policy by allowing you to deny consumers any information as long as you have a compliant policy,” said Douglas J. Wood, an advertising and marketing attorney.
Wood cited Section 1 of the bill, which said in part, “For free market forces to have a role in shaping the privacy practices of California businesses and for ‘opt-in’ and ‘opt-out’ remedies to be effective, Californians must be more than vaguely informed that a business might share personal information with third parties. Consumers must, for these reasons and pursuant to Section 1 of Article 1 of the California Constitution, be better informed about what kinds of personal information are purchased by businesses for direct marketing purposes.”
“Well, consumers are not going to get that if businesses adopt a privacy policy,” said Wood, a partner at Hall Dickler Kent Goldstein & Wood LLP, New York. “They certainly haven’t accomplished what they claimed to be the purpose, but maybe they do feel that at least if you offer people this as opposed to the current law that doesn’t require you to give a person an opt out it’s better than what we have now. It’s just a strange way to do it.”
