California Shine the Light law

California's "Shine the Light" law (CA Civil Code § 1798.83 ) is a privacy law passed by the California State Legislature in 2003. It became an active part of the California Civil Code on January 1, 2005. It is considered one of the first attempts by a state legislature in the United States to address the practice of sharing customers' personal information for marketing purposes, also known as "list brokerage." The law outlines procedures requiring companies to disclose upon the request of a California resident what personal information has been shared with third parties, as well as the parties with which the information has been shared. The law also outlines specific language that companies who do business with California residents must include in their online privacy policies.

History
The original bill, California S.B. 27, was introduced to the California State Senate by Liz Figueroa in December 2002. The bill's co-authors included State Senators Dede Alpert, Sheila Kuehl, Gloria Romero, and Nell Soto.

The bill arose out of increasing concern with business practices in which consumers' personal information, collected by the company with which a consumer engaged in business, was sold to other third-party companies without the knowledge of the consumer. In support of the bill, Figueroa's office offered the State Senate numerous examples of lists of personal information available for purchase on the Internet. Figueroa's office wrote:

After approval in the Senate, the bill went to the California State Assembly, where a number of concerns arose regarding "undue burden" placed on businesses. The authors made several changes to address business interests, including the addition of a provision granting a business 90 days to "cure a violation" and an exemption for small businesses. Revisions also provided businesses the option to either respond to incoming requests from consumers who want to know how their information is being used or to allow users to opt out and "stop their information from being shared for marketing purposes."

The bill was amended three times in the State Senate and five times in the State Assembly. It passed the Assembly on September 8, 2003, and the Senate on September 12, 2003. On September 24, 2003, Governor Gray Davis signed it into law. The bill became operative on January 1, 2005.

Requirements
The law applies to all for-profit businesses that conduct business with any resident of California and have "shared customer personal information with other companies for their direct marketing use within the immediately preceding calendar year," with the exception of businesses with fewer than 20 employees, federal financial institutions, non-profit organizations, political groups and politicians, providers of public real estate records, and credit reporting bureaus. Businesses that maintain a free and public privacy policy that allows users to opt into or opt out of information sharing are also exempt. The law defines "customer" as "an individual who is a resident of California who provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family, or household purposes." A business does not need to be located in California, it simply needs to have a single customer who resides in the state.

Personal information
Under the "Shine the Light" law, California defines 27 categories as "personal information" when disclosed to third parties.

Notification and contact points
The law requires that a business establish designated contact point—email address, a mailing address, or a phone or fax number—where they may direct Information-Sharing Disclosure requests. In addition, a business must do at least one of the following:
 * 1) Sufficiently provide to all employees who may have contact with consumers the contact points so that if a consumer asks about privacy practices, the employee can provide the contact information;
 * 2) Add a link on its home page titled "Your Privacy Rights" or "Your California Privacy Rights", or include one of those phrases in the same style as the heading "Privacy Policy" on a business's privacy policy page (linked from the business's home page). That section or separate "Your Privacy Rights" page must describe a customer's rights as outlined by the law and provide information to the consumer regarding the designated contact point;
 * 3) Clearly post or make available the contact information everywhere a customer interacts with the business's employees in California.

Disclosure and violations
Businesses must provide to the consumer a complete list of all personal information disclosed to third parties and the nature of that information within 30 days of the request (150 days if a request goes to another address or contact point that is not the designated contact point). However, the law requires a business to respond to requests from a single customer only once in a calendar year. The response must include the categories of information disclosed and the companies to which they were disclosed in the last calendar year. Businesses with privacy policies of allowing users to opt in or opt out can respond to Information-Sharing Disclosure requests with the information on how to opt in or opt out.

If a business receives notice that they have failed to comply by submitting incomplete information or not responding to the request at all, the law provides a grace period of 90 days for them to provide complete information as requested. However, if a business fails to meet a consumer's request according to the law, that customer is entitled to recover civil damages of up to $500. If a company willfully fails to comply, the damages increase to up to $3,000 plus attorney's fees.

Rate of Compliance
Though the law officially went into effect on January 1, 2005, a 2009 independent study found evidence of uneven compliance. Researchers compiled a list of 112 businesses that were subject to SB 27 and did not supply an opt-out option that would exempt them from required disclosure. When these 112 businesses were served information sharing disclosure requests, only 59 of them responded as required by law.