User:Agreatnotion/sandbox

California's "Shine the Light" law (CA Civil Code § 1798.83 ) is a privacy law passed by the California State Legislature in 2003. It became an active part of the California Civil Code on January 1, 2005. It is considered one of the first attempts by a state legislature in the United States to address the practice of sharing customers' personal information for marketing purposes, also known as "list brokerage." The law requires companies to disclose at a customer's request how and what personal information is shared with third parties and outlines provisions for enabling customers to opt out of information sharing altogether. The "Shine the Light" law outlines specific language for California residents that a company who does business with any California resident must include in an online privacy policy in order to be in compliance with the law.

History
The original bill, California S.B. 27, was introduced to the California State Senate by Liz Figueroa in December of 2002. The bill's co-authors included State Senators Dede Alpert, Sheila Kuehl, Gloria Romero, and Nell Soto.

The bill arose out of increasing concern with business practices in which consumers' personal information, collected by the company with which a consumer engaged in business, was sold to other third-party companies without the knowledge of the consumer. In support of the bill, Figueroa's office offered the State Senate numerous examples of lists of personal information available for purchase on the Internet. Figueroa's office wrote, "Transparency is the touchstone of consumer confidence in information handling... Because privacy is, by definition, so intensely personal, for a consumer to make a rational and informed and personal choice to opt-in, opt-out, or simply take their business elsewhere, the consumer must know the 'who, what, where and when' of how a business handles personal information."

After approval in the Senate, the bill went to the California State Assembly, where a number of concerns arose regarding "undue burden" placed on businesses. The authors made several changes to address business interests, including the addition of a provision granting a business 90 days to "cure a violation" and an exemption for small businesses. Revisions also provided businesses the option to either respond to incoming requests from consumers who want to know how their information is being used or to allow users to opt-out and "stop their information from being shared for marketing purposes."

The bill was amended three times in the State Senate and five times in the State Assembly. It passed the Assembly on September 8, 2003 and the Senate on September 12, 2003. On September 24, 2003, Governor Gray Davis signed it into law. The bill became operative on January 1, 2005.

Requirements
The law applies to all for-profit businesses that conduct business with any resident of California and have "shared customer personal information with other companies for their direct marketing use within the immediately preceding calendar year," with the exception of businesses with fewer than 20 employees and federal financial institutions. Businesses that maintain a free and public privacy policy which allows users to opt-in to or opt-out of information sharing are also exempt. The law defines "customer" as "an individual who is a resident of California who provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family, or household purposes." A business does not need to be located in California, it simply needs to have a single customer who resides in the state.

Personal Information
Under the "Shine the Light" law, California defines 27 categories as "personal information" when disclosed to third parties.

Notification and Contact Points
The law requires that a business establish designated contact point—email address, a mailing address, or a phone or fax number—where they may direct Information-Sharing Disclosure requests. In addition, a business must do one of the following:
 * 1) Sufficiently provide to all employees who may have contact with consumers the contact points so that if a consumer asks about privacy practices, the employee can provide the contact information;
 * 2) Add a link on its home page titled "Your Privacy Rights" or "Your California Privacy Rights", or include one of those phrases in the same style as the heading "Privacy Policy" on a business's privacy policy page (linked from the business's home page). That section or separate "Your Privacy Rights" page must describe a customer's rights as outlined by the law and provide information to the consumer regarding the designated contact point;
 * 3) Clearly post or make available the contact information everywhere a customer interacts with the business's employees in California.

Disclosure and Violations
Businesses must provide to the consumer a complete list of all personal information disclosed to third-parties and the nature of that information within 30 days of the request (150 days if it a request goes to another address or contact point that is not the designated contact point) but must only respond to requests from a customer once in a calendar year. The response must include the categories of information disclosed and the companies to which they were disclosed in the last calendar year. Businesses with Privacy Policies that allow users to opt-in or opt-out can respond to Information-Sharing Disclosure requests with the information on how to opt-in or opt-out.

If a business receives notice that they have failed to comply by submitting incomplete information or not responding to the request at all, the law provides a grace period of 90 days for them to provide complete information as requested. However, if a business fails to meet a consumer's request according to the law, that customer is entitled to recover civil damages of up to $500. If a company willfully fails to comply, the damages increase to up to $3,000 plus attorney's fees.