California has a lot of privacy laws, but the Shine the Light law (California Civil Code section 1798.83) is one of the oldest in the state, and it still catches businesses off guard because it is not about cookies or ad tech. It is about who you share customer information with for marketing purposes and what you must disclose when a customer asks. Increasingly, it is also about litigation risk, because plaintiffs’ attorneys are now filing claims against companies for alleged Shine the Light violations.

California’s Shine the Light law gives California residents the right to ask a business with which they have an established customer relationship:

  • Whether the business shared their personal information with third parties for those third parties’ direct marketing purposes; and
  • Who those third parties are, plus what categories of information were shared.

This law is aimed at businesses that:

  • Do business with California residents;
  • Have an established customer relationship with a California resident; and
  • Share certain personal information with third parties for the third parties’ direct marketing.

Of course, there are exceptions and nuances (for example, a business that gives customers a cost-free way to opt out of this sharing can disclose that opt-out instead of listing recipients), but the simplest way to think about it is this: if you share customer data (e.g., name, email address, telephone number, or other account-related information) with other companies so they can market their own products or services, you should assume Shine the Light applies and prepare accordingly. Preparing means that your business should publish a clear request method (i.e., a simple “Shine the Light” statement in your website privacy policy that tells customers where to send a request), make sure customer support and privacy teams know what a Shine the Light request is and how to respond, track marketing-related sharing so the required categories and recipients can be identified, and, when you receive a valid request, respond within the statutory deadline (30 days of receipt) with the required disclosures. Don’t improvise. Use a vetted template.

Even with newer California privacy frameworks, Shine the Light remains a classic compliance tripwire because it is consumer-initiated and simple enough that plaintiffs’ attorneys can test compliance quickly: they read your privacy policy, submit a request, and file a claim if the company allegedly lacks the required intake path or fails to provide the required disclosures. These alleged violations are showing up in demand letters and lawsuits, which means the cost of getting it wrong can include legal fees and operational disruption, not just a policy update.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and on advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement the policies and procedures required under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to handle potential and confirmed data breaches effectively and efficiently, including insight into federal notification regulations and requirements and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.