This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Consumer Protection Law

Oct. 21, 2025

Old law, new risks: Navigating California's Shine the Light law

Businesses across industries are facing a surge in "Shine the Light" law requests under California Civil Code §1798.83, exposing those unprepared to respond to significant litigation risks and penalties despite compliance with newer privacy laws like the CCPA.

Wynter L. Deagle

Co-Leader
Sheppard Mullin

Intellectual Property Practice Group and a member of the Privacy and Cybersecurity team

Northeastern U School of Law


Samuel Hyams-Millard

Associate
Sheppard Mullin

Intellectual Property Practice Group and a member of the Privacy & Cybersecurity team


Teresa Morin

Associate
Sheppard Mullin

Business Trial Practice Group



In recent months, businesses across a wide range of industries have experienced a notable uptick in requests under California's "Shine the Light" law, Civil Code § 1798.83, a little-known and sparsely litigated provision of the Consumer Records Act. These requests, typically sent by attorneys on behalf of a California resident who purports to have an "established business relationship" with the business, seek an accounting of the categories of personal information that have been disclosed to third parties for direct marketing purposes over the past calendar year and the contact information for those third parties. While the requests may appear innocuous, especially since they typically do not threaten litigation, they present real risks for companies that are unprepared to respond.

The law applies broadly

Enacted in 2003 and effective since 2005, the Shine the Light law was California's first major foray into consumer data transparency. Subject to certain exceptions, it applies to for-profit businesses with 20 or more employees that have established business relationships with California residents and disclose personal information of those individuals to third parties for the third parties' direct marketing purposes. The law applies to both online and offline businesses, as well as businesses that have no physical locations or employees in California.

Customers may make annual requests

Under the law, a "customer" has the right to request, once per calendar year, that the business disclose the categories of personal information about the customer that the business has disclosed to third parties for direct marketing purposes, along with the names and addresses of those third parties. A "customer" is an individual who is a resident of California who provides personal information to a business pursuant to an "established business relationship," that is, primarily for personal, family, or household purposes. In turn, an "established business relationship" is either an ongoing relationship formed by a voluntary two-way communication between the business and individual, for the purpose of purchasing, renting, or leasing property, products or services or the purchase, rental, or lease of property, products or services by the individual within 18 months. Accordingly, a "customer" may include not only paying customers, but also individuals who have interacted with a business through inquiries, subscriptions, or other voluntary communications.

The potential exposure for violations is significant

Failure to respond to a valid request, or responding inadequately, carries the risk of significant monetary exposure. The law provides for a private right of action and the ability to recover a civil penalty of up to $500 per incident of noncompliance and $3,000 per incident of willful, intentional, or reckless noncompliance. In addition, prevailing plaintiffs are entitled to recover attorneys' fees and costs, making the statute an attractive vehicle for class action litigation.

Importantly, however, businesses are afforded a 90-day cure period running from the date the business learns of its noncompliance unless the alleged violation is found to be willful, intentional or reckless.

Building a proactive response framework

Many businesses are caught off guard by Shine the Light requests because they assume that compliance with the California Consumer Privacy Act (CCPA) is sufficient to satisfy their obligations with regard to consumers' privacy rights. However, the law operates independently and imposes distinct obligations. To mitigate risks under the Shine the Light law, businesses should take the following steps:

1. Assess applicability: Determine whether your business meets the statutory thresholds.

2. Designate a contact method: The statute requires businesses to provide a mailing address, email address, toll-free number, or fax number for receiving requests. This information must be accessible via the company's website and customer service channels.

3. Train employees: Employees should be trained to recognize Shine the Light requests and route them appropriately.

4. Maintain disclosure records: Keeping detailed records of what personal information is shared, with whom, and for what purpose will streamline the response process and reduce the risk of incomplete disclosures.

5. Consider an alternative to providing accountings: If the Shine the Light law applies, a business can satisfy it by publishing a policy stating that it will obtain opt-in consent before sharing personal information with third parties for direct marketing purposes or that it will provide a cost-free method to opt out. In addition, businesses that are subject to the Gramm-Leach-Bliley Act can satisfy their obligations by complying with its disclosure requirements.

6. Be prepared to provide timely accountings: If the business chooses to provide accountings instead of adopting an opt-in or opt-out policy, it must provide the accounting in writing or by email within 30 days of receipt of the request, if the request is made through one of the channels designated by the business, or within 150 days if the request is submitted another way. Given this brief timeframe, businesses must be able to quickly determine whether a requestor is a customer, the categories of personal information that the business disclosed to third parties for their direct marketing purposes within the past calendar year, and the name and address of those third parties.

The recent surge in Shine the Light requests underscores a growing litigation risk for businesses that overlook this long-standing California privacy law. Despite its low profile, the statute offers statutory damages, attorneys' fees, and a private right of action, making it an appealing tool for the plaintiffs' bar. A single misstep in responding to a request can trigger costly class action exposure. Businesses should not assume CCPA compliance is sufficient; instead, they must proactively assess their obligations under Shine the Light and implement a clear, defensible response framework to mitigate legal risk.
