CA's 'Shine the Light' Data Law Dawns

California's privacy law known as “Shine the Light” takes effect Jan. 1, and many marketers will be able to comply by providing consumers with notice of privacy policies containing opt-out options. This effectively makes those marketers exempt from the most onerous aspects of the law.

As introduced by state Sen. Liz Figueroa, the bill would have required companies to keep records of all customer data that are shared with third parties offline or online for direct marketing purposes. It also would have required companies to provide a consumer with all the data that were shared and the names of the third-party data users within 30 days of a request by the consumer. It would affect any company doing business in California.

However, the bill, S.B. 27, was amended before being passed by the California Senate and signed by then-Gov. Gray Davis in September 2003. Under the amended bill, if a business has a privacy policy that gives consumers a choice not to have their personal information disclosed to third parties for marketing purposes, it does not need to provide the consumer with the details of what data were shared and with whom. In that case, it must notify the consumer of his ability to opt out for free.

“Under this law, a business really has two options when a consumer requests disclosure,” said Andrew B. Lustigman, a partner at The Lustigman Firm, New York, and a contributor to DM News. “They can do the easy way, which is notice and opt out, or the other option is to provide a very detailed listing of how a consumer's data was shared during the past year. If a marketer chooses this option, they must give the name and address of everyone they shared the information with.”

The Direct Marketing Association opposed even the amended bill, claiming it was unnecessary. Based on the contents of the DMA's Privacy Promise, which became effective July 1, 1999, all member companies must provide consumers with notice and choice. Under the Privacy Promise, DMA members must:

· Provide customers with annual notice of their ability to opt out of information exchanges.

· Honor customer opt-out requests not to have their contact information transferred to others for marketing purposes.

· Accept and maintain consumer requests to be on an in-house suppress file to stop receiving solicitations from your company.

· Use the DMA Preference Service suppression files for mail, telephone and e-mail lists.

If a DMA member does not follow the Privacy Promise, it faces censure, suspension or expulsion.

However, Lustigman said that even companies offering consumer notice and choice might face snags under the law when it comes to affiliates that are separate legal entities.

“Many marketers deal with privacy issues as it relates to what we all think of as true third parties or unrelated businesses, not separate legal entities under the same umbrella,” he said. “This law applies to separate legal entities, and that's where I think people are going to get fouled up.”

Marketers must ensure privacy policies accurately reflect their data sharing in the past year, Lustigman said, and they need to pay attention to affiliates' data-sharing practices.

“It's fair to say that there are very serious repercussions for the industry,” he said. “California is a leader in developing issues for this country.”

Kristen Bremner covers privacy issues for DM News.
