California Businesses Targeted For Inadequate Website Privacy Disclosures

22 February 2012 Privacy & Security Source Publication
Authors: Chanley T. Howell

It may be form over substance, but sometimes form counts.

California’s “Shine The Light” law (Cal. Civ. Code §1798.83) requires businesses that collect California residents’ personal information and share it for marketing purposes to disclose to consumers, upon request, what information they share and with whom. The law also has specific requirements for labeling the link to the disclosure. Failure to comply can subject violators to $3,000 in statutory damages for each violation, according to a series of class action complaints recently filed in California (Boorstein v. CBS Interactive Inc., Cal. Super. Ct., No. 476015, complaint filed 12/28/11; Boorstein v. Men’s Journal LLC, Cal. Super. Ct., No. 475697, complaint filed 12/22/11; Miller v. Hearst Communications, C.D. Cal., No. 12-733, complaint filed 1/27/12; Murray v. Time Inc., N.D. Cal., No. 12-431, notice of removal filed 1/26/12; Smith v. Microsoft Corp., Cal. Super. Ct., No. 476413, complaint filed 1/9/12).

Under the law, businesses may comply by providing California residents with the ability to opt out of the sharing of their personal information. The disclosures regarding a company’s information-sharing practices and an individual’s opt-out rights can be provided in the company’s website privacy policy. Notably, the link to the privacy policy must be on the website homepage and clearly labeled “Your Privacy Rights”.

The law allows customers to request a list of categories of personal information disclosed by the company during the prior year, and the contact information for the companies receiving the personal information. The definition of “personal information” is broad, including basic information such as names and addresses, as well as other information such as height, weight, race, religion, occupation, political affiliation, medical conditions, and types of purchases made. Additionally, businesses should note that the law is triggered by disclosures to affiliates and commonly owned companies.

Each defendant company allegedly failed to label links to its privacy policy as “Your Privacy Rights” or to comply with the statute’s other requirements. The plaintiffs alleged that the defendants’ failure to comply deprived them of their statutorily guaranteed right to monitor and control the disclosure and dissemination of their valuable personal information.

Small businesses with fewer than 20 employees are not covered by the law. Businesses may also comply by sharing personal information for marketing purposes only if individuals affirmatively consent to such sharing, and by giving individuals a no-cost way of opting out. Additionally, certain disclosures do not trigger the law, such as disclosing personal information to transaction processors and other service providers so long as the provider does not use the information for marketing purposes, and marketing to individuals with whom the company has an established business relationship.

Bottom line: Companies that share personal information with third parties (including affiliates) for the third party to market to the individual should examine their privacy policies, including labels and placement of links to privacy policies, to ensure compliance with California’s Shine the Light law. Plaintiffs in the recently filed class action cases claim that failure to use a link on the home page labeled “Your Privacy Rights” violates the law.