California Businesses Targeted For Inadequate Website Privacy Disclosures

22 February 2012 Privacy & Security Source Publication
Authors: Chanley T. Howell

It may be form over substance, but sometimes form counts.

California’s “Shine The Light” law (Cal. Civ. Code. §1798.83) requires businesses that collect California residents’ personal information and share it for marketing purposes to disclose to the consumers what information they share, and with whom, upon request. The law also has civic requirements for labeling the link to the disclosure. Failure to comply can subject violators to $3,000 in statutory damages for each violation, according to a series of class action complaints recently filed in California (Boorstein v. CBS Interactive Inc., Cal. Super. Ct., No. 476015, complaint filed 12/28/11; Boorstein v. Men’s Journal LLC, Cal. Super. Ct., No. 475697, complaint filed 12/22/11; Miller v. Hearst Communications, C.D. Cal., No. 12-733, complaint filed 1/27/12; Murray v. Time Inc., N.D. Cal., No. 12–431, notice of removal filed 1/26/12; Smith v. Microsoft Corp., Cal. Super. Ct., No. 476413, complaint filed 1/9/12).

Under the law, businesses may comply by providing California residents with the ability to opt out of the sharing of their personal information. The disclosures regarding a company’s information sharing practices and an individual’s opt out rights can be provided in the company’s website privacy policy. Notably, the link to the privacy policy must be on the website homepage and clearly labeled “Your Privacy Rights”.

The law allows customers to request a list of categories of personal information disclosed by the company during the prior year, and the contact information for the companies receiving the personal information. The definition of “personal information” is broad, including basic information such as names and addresses, as well as other information such as height, weight, race, religion, occupation, political affiliation, medical conditions, and types of purchases made. Additionally, businesses should note that the law is triggered by disclosures to affiliates and commonly owned companies.

Each defendant company allegedly failed to label links to their privacy policies as “Your Privacy Rights” or to comply with the statute’s other requirements. The defendants’ failure to comply deprived plaintiffs of their statutorily guaranteed right to monitor and control the disclosure and dissemination of their valuable personal information, they alleged.

Small businesses with less than 20 employees are not covered by the law. Businesses may also comply by sharing personal information for marketing purposes only if individuals affirmatively consent to such sharing, and by giving individuals a no-cost way of opting out. Additionally, certain disclosures do not trigger the law, such as disclosing personal information to transaction processors and other service providers so long as the provider does not use the information for marketing purposes, and marketing to individuals with whom the company has an established business relationship.

Bottom line:  Companies that share personal information with third parties (including affiliates) for the third party to market to the individual should examine their privacy policies, including labels and placement of links to privacy policies, to ensure compliance with California’s Shine the Light law. Plaintiffs in the recently filed class action cases claim that failure to use a link on the home page labeled “Your Privacy Rights” violates the law.

Insights

RCE PTA Carve-Out Resumes After Interference
18 September 2019
PharmaPatents
The Ninth Circuit Expected to Rule that Doctors Can Be Wrong in the Winter v. Gardens False Claims Act Case
18 September 2019
Legal News: Government Enforcement Defense & Investigations
Upcoming Webinar: Maximizing Solar Tax Credits - Navigating the Start of Construction Rules (Part 1)
17 September 2019
Renewable Energy Outlook
When Birds Finally Find a Nest
17 September 2019
Dashboard Insights
Lacktman, Ferrante Cited in mHealth Intelligence About Ryan Haight Act
19 September 2019
mHealth Intelligence
Tinnen Discusses How Viewpoint Diversity Helps Businesses Thrive
18 September 2019
InsideTrack
Vernaglia Comments on AHA v Azar Decision
18 September 2019
MedPage Today
Lach Comments on Launch of New Group
16 September 2019
BizTimes Milwaukee
MedTech Impact Expo & Conference
13-15 December 2019
Las Vegas, NV
Review of 2020 Medicare Changes for Telehealth
11 December 2019
Member Call
BRG Healthcare Leadership Conference
06 December 2019
Washington, D.C.
CTeL Telehealth Fall Summit 2019
04-06 December 2019
Washington, D.C.