There’s a new privacy and data sharing law coming into effect in the near future. Actually, S.B. 27, which is now codified in Section 1798.83 of the California Civil Code, is not really all that new. Signed by Gov. Gray Davis more than a year ago, the law takes effect in January.
Given that it will likely affect many companies that sell or trade in consumer data, I thought it might be helpful to provide an overview of the law.
First, a caveat. Though I am an attorney, this article is not designed to be construed as legal advice. I strongly encourage any organization that hasn’t undertaken the necessary steps to be in compliance with this law to contact an attorney or privacy professional.
A few definitions. There are four key terms imbedded in SB 27. An understanding of these terms will make it easier to understand the workings of the law:
· “Customer” means an individual who is a resident of California who provides personal information to a business as part of an established business relationship, and if the business relationship is primarily for personal, family or household purposes.
· “Personal information” includes name, postal and e-mail address, race, religion, height, number of children, occupation, credit card or bank account number, payment history and certain medical information.
· The law’s description of “third parties” was designed to cover many scenarios. Generally, a third party is defined as a business that is either a separate legal entity or otherwise not affiliated with the business that has the relationship with a customer.
· “Direct marketing purposes” is defined as the use of personal information to solicit or induce a purchase, rental, lease or exchange of products, goods, property or services directly to individuals by means of the mail, telephone or electronic mail for their personal, family or household purposes.
Is your company subject to S.B. 27? If your business disclosed the “personal information” of “customers” to certain “third parties” in 2004, and you know or reasonably should know that the third parties used the personal information for those third parties’ “direct marketing purposes,” then the law may apply to your business. In other words, if you sell or trade your customer data to another company, S.B. 27 probably applies to your business. However, there are a number of exemptions to the law that bear mentioning.
For example, a business that provides notice to customers of their right to prevent disclosure of their data, as well as a cost-free way to exercise that right, are generally exempt from the requirements of S.B. 27. Similarly, companies with fewer than 20 full- or part-time employees, as well as certain nonprofit, political or religious organizations that are soliciting funds, are exempt. Finally, the law does not apply to certain financial institutions.
What are the requirements? Businesses covered under S.B. 27 must designate a specific postal address, e-mail address or a toll-free phone or fax number so that customers may request a listing of all the types of personal information disclosed by the business to “third parties” during the immediately preceding calendar year. The business also must publicize the address, phone or fax number by either:
· Educating and training the employees (or their supervisors) who have regular customer contact on the procedures for customers to request a list of personal information that the business disclosed to third parties.
· Displaying the procedures prominently on the company Web site.
· Making the information available at every location in California that the business or its agents conducts business.
Covered companies are generally required to respond within 30 days to customer inquiries that arrive via the company’s designated method and within 150 days to inquiries that arrive any other way.
Covered companies are not required to customize their response to each customer inquiry. Instead, companies may develop a standardized form so long as the form includes the name(s) of all third parties that the company disclosed customer information, and a listing of the types of information disclosed to those third parties.
Moreover, if the third party’s business can’t be easily determined from its name, then the disclosure should include examples of the third party’s products or services. Finally, covered companies are not required to provide this disclosure to any single consumer more than once per calendar year.
What are the consequences for non-compliance? Like many of California’s recent privacy laws, S.B. 27 contains a private right of action. In other words, any customer injured by a violation of this title may institute a civil action to recover damages plus attorneys’ fees and costs. Moreover, in addition to damages, a customer may recover up to $500 in civil penalties for unintentional violations, and up to $3,000 for willful, intentional or reckless violations.
The bottom line. It might be a little early to predict the exact impact that the new legislation will have on direct marketing companies. Organizations that sell or trade customer lists are much more likely to be affected than those that don’t. Some companies could decide not to collect personal information from California residents. However, given that many companies are quite successful monetizing their customer lists, that approach may not be feasible.
The disclosure requirements of S.B. 27 are designed to let consumers know which companies share their data and which do not. Armed with that information, consumers will be in a position to make an informed choice regarding which companies they patronize. To what extent consumers exercise that choice remains to be seen.
Given that California residents can comprise a significant portion of company customer lists, those that fail to adequately address S.B. 27 do so at their own peril.
