Overview
Class action litigation, like fashion, often follows fads. Ten years ago, hundreds of retailers, chain restaurants, and others were targeted nationwide in class action suits under the Fair and Accurate Credit Transactions Act (FACTA) for violating the so-called “truncation” provision of FACTA. In 2011, the California Supreme Court’s decision in Pineda v. Williams-Sonoma, which held that California’s Song-Beverly Credit Card Act applied to ZIP Codes, sparked another wave of litigation. And over the last few years, plaintiffs have filed hundreds of website accessibility cases against e-commerce retailers. Now, California’s “Shine the Light” Law (Civil Code § 1798.83) may furnish the new claim du jour.
For those unfamiliar with this law, the “Shine the Light” Law is part of California’s Consumer Records Act, which requires companies doing business with California residents to take certain steps to protect customers’ personal information, including providing notice if personal information is compromised. The “Shine the Light” Law provides consumers with a way to contact companies they believe have disclosed their personal information for direct marketing purposes, so they may obtain information about those disclosures and opt out of them.
Over the last 10 days, several “Shine the Light” suits have been filed in California against online retailers (including some with brick-and-mortar presences). More are likely. Retailers should review their own practices to ensure compliance before they receive a summons and complaint.
The Law’s Requirements
The “Shine the Light” Law applies to most companies that, during the last year, “disclosed” the “personal information” of “customers” to a “third party” that the company knows or has reason to know used that information for “direct marketing purposes.”
The statute provides expansive definitions for most of the quoted terms:
“Disclose” means to “transfer” – whether orally, in writing, electronically, “or by any other means.” The statute provides limited exceptions, such as disclosures for account administration or customer service purposes.
“Personal information” means any information that identifies, describes, or is even associated with an individual. The statute includes an extensive list of information that fits within this definition, including name, address, email address, telephone number, date of birth, medical and financial information, information about children, race, religion, occupation and education, as well as information about the transaction. Crucially, the law is not limited to personal information collected online, meaning that companies should also consider their data sharing practices with respect to customer data collected offline, as well as online.
“Customer” means an individual who is a resident of California and who provides personal information to a business pursuant to an “established business relationship.” “Established business relationship,” in turn, means an ongoing relationship between a business and a consumer, formed by a voluntary two-way communication, for the purpose of purchasing, renting, or leasing a product or service, or a relationship that was ongoing within the last 18 months.
“Third party” means a legal entity separate from the business that has access to a shared database used for direct marketing purposes; third parties include both affiliates and separate third parties, but do not include businesses affiliated by common ownership or corporate control.
“Direct marketing purposes” means the use of personal information to “solicit or induce” a purchase, rental, lease, or exchange of products, goods, property, or services “directly to individuals” using the mail, telephone, or email. Certain exemptions apply.
Businesses that fall within the definition above have three options for compliance:
- Provide, upon request, an accounting to customers of the categories of personal information disclosed to third parties and the identities of those third-party entities (an “accounting”), as discussed below.
- Develop and implement an opt-in or opt-out policy allowing customers to control whether their information will be shared with third parties for marketing purposes.
- Companies subject to the Gramm-Leach-Bliley Act (which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data) may satisfy the “Shine the Light” Law’s requirements by complying with that act’s disclosure requirements.
The new litigation is brought pursuant to the “Shine the Light” Law’s accounting requirement, which requires companies to disclose, upon request, the names and addresses of third parties with whom personal information was shared, as well as a list of all categories of personal information provided. This information may be provided in a standardized format – it does not need to be specific to the individual. If the customer’s request is made through the designated channels, the company must provide a response within 30 days. If made through other channels, the response should be made within a reasonable time, but no more than 150 days. Customers may request an accounting once per year.
Businesses going the “accounting” route must designate a specific postal address, email address, or toll-free phone or fax number that customers may use to request an accounting. This method of contact must be communicated to customers through at least one of the following:
- Managers and Agents: Businesses can comply by having managers and agents who directly supervise customer-contact employees (including cashiers, clerks, customer service, sales, or promotions agents) educate those employees on where to direct customers who ask for an accounting.
- Websites: A second option is to add a link to the homepage of the company’s website titled “Your Privacy Rights,” or to add the same words to the homepage’s link to its privacy policy. The first page of the link should describe the customer’s rights under Section 1798.83 and provide the designated mailing or email address, as required, or toll-free telephone or facsimile number, as appropriate.
- Brick-and-Mortar Stores: Businesses can also make the designated method of receiving customer requests, or the means to find that designated address, available at every California place of business where the company or its agents have regular contact with customers.
Although businesses have three options to comply with the disclosure requirement, online retailers and other e-commerce sites should, at a minimum, comply with the second option above (Websites) by adding a hyperlink and disclosures on their websites. This is essential because plaintiffs in past “Shine the Light” cases alleged that businesses that operate primarily online do not qualify to satisfy the disclosure requirements through the other two options.
Penalties
Here is why compliance matters. Like many privacy-related consumer protection laws, the “Shine the Light” Law does not require plaintiffs to prove any actual damages (there rarely are any). However, under Section 1789.84(b), a customer must be “injured” by a violation to file a civil action to recover civil penalties of $500 ($3,000 for willful, intentional, or reckless violations) for each instance in which the company did not adequately respond to a customer request, subject to a limit of one violation per customer per year. In addition, prevailing plaintiffs may recover their reasonable attorney’s fees and costs.
Previous ‘Shine the Light’ Litigation
The statute has been in effect since 2005 but received little attention until late 2011, when several putative class actions were filed in California state and federal courts. Those lawsuits were primarily filed against prominent media and technology companies with significant (if not exclusive) online presences. That spurt of lawsuits dissipated in December 2013 and February 2014, when the California Court of Appeal and then the Ninth Circuit affirmed the dismissal of “Shine the Light” cases for lack of injury. The plaintiffs in the new suits have tried to plead their way around the Ninth Circuit and California Court of Appeal decisions by expressly alleging that they submitted written requests but the companies failed to timely respond.
Conclusion
Defendants facing these claims should have several strong defenses to liability and class certification, but as always, it is best not to be sued at all. Careful compliance with the technical requirements of the law is incredibly important, as plaintiffs’ lawyers will look for any opportunity to sue regardless of how well-intentioned and proactive companies have been about their privacy policies and efforts.
Indeed, in each of the new suits, the defendant’s privacy policy disclosed the defendant’s practice of sharing information with third parties (as it should), and also included an online disclosure notifying customers of where to submit “Shine the Light” requests (as required under the law). Because online retailers are required to disclose such information, it would be easy for plaintiffs or lawyers trolling for lawsuits to find potential targets via their privacy policies, send requests for accountings to each website, and file suit against any that fail to timely respond. In-house counsel should consider touching base with those in charge of their company’s designated “Shine the Light” contact information to ensure that timely and compliant responses are sent to each accounting request.