On Jan. 1, California’s “Shine the Light” law — California Civil Code 1798.83 (SB 27) — went into effect. The law requires direct marketers, regardless of where they are based, to provide information about their use of a customer’s data to any California resident who requests it.
As Todd Miller, a consultant with San Rafael, CA-based list and marketing services provider Lenser, explains it, you must provide to customers who reside in California, free of charge and within 30 days of their request:
- a list of the categories of personal information that were shared with third parties for direct marketing purposes in the preceding calendar year. Name and address are the most obvious categories. It is also likely that your company shares payment history and the kinds of products a customer purchases.
- the names and addresses of the third-party firms with which you share information. Do not forget the cooperative databases, either. If the nature of a third party’s business is not apparent from its title, then you need to include examples of the company’s products and services as well.
The statute also encourages direct marketing companies to offer a simple, obvious way to opt out. Most catalog and Internet retailers already have privacy policies that do just that. Direct Marketing Association members who are in compliance with its membership rules are, in fact, already in compliance with the statute.
Nonetheless, if you’re not certain whether your company is compliant, or if you wish to err on the side of caution in doing business with California residents, Miller offers the following suggestions:
- At the bottom of your Website’s home page, include a link to your privacy policy. Within this disclosure, include a form that allows a customer to enter his personally identifiable information for the express purpose of flagging it for a “do not rent” file you maintain. Alternatively, or additionally, include an e-mail address, a toll-free telephone number, and a toll-free fax number that a customer can contact to make the same request.
- Include a link to your privacy policy at the bottom of any promotional e-mails you send.
- If your printed mail pieces include an order form, include the URL of your Website’s privacy policy, as well as the aforementioned e-mail address, toll-free telephone number, and toll-free fax number.
- Build specific procedures or scripts for handling both initial and follow-up requests into your customer service training sessions. Periodically test your customer service staff on their handling of such requests — 100% compliance is not an unreasonable goal.
- Express your pleasure in informing customers of their opt-out rights. Some may not have read the new law in its entirety. Nothing defuses a customer’s anger and allays a customer’s concerns more quickly than genuine appreciation for his inquiry, coupled with a fastidious reply.
The penalty for violating the Shine the Light law is steep. Excluding any legal remedies that may already exist under California law, customers are entitled to recover a civil penalty of up to $500 per violation (or $3,000 for each willful, intentional, or reckless violation), as well as attorneys’ fees and costs the court deems reasonable.
“Rest assured, this law is only the beginning,” Miller adds. “Statutes such as this are likely the first of many new state privacy laws that will affect catalog and Internet retailers. Although the federal government has attempted to appropriate some forms of state consumer protection laws in order to alleviate what it calls ‘overregulation and confusion,’ it will not be able to hold back the legislation indefinitely.”