Internet based businesses that harvest and share the personally identifiable data of California residents failed to properly label links to their privacy policies and, as a result, are potentially liable for significant civil penalties for each violation. The series of recently filed putative class action complaints were brought by California residents under California’s “Shine the Light” and unfair competition statutes against Microsoft Corporation, Hearst Communications Inc., CBS Interactive Inc., Men’s Journal LLC, and Time Inc. Allegations include alleged failures to label links to privacy policies as “Your Privacy Rights,” as well as other statutory requirements that, according to plaintiffs, deprived plaintiffs of their statutorily guaranteed right to monitor and control the disclosure and dissemination of their valuable personal information.
The statute was enacted in 2005 and requires businesses that collect California residents’ personal information, share it for direct marketing purposes, and have at least 20 employees, to specifically disclose to the consumers, upon request, what information they share and who they share it with. Alternatively under the statute, Internet based businesses may provide California residents with a free option of opting-out of sharing personal information, altogether. Online business are required to provide a link on the website homepage in order for consumers to make the request, or opt-out.
The “Shine the Light” statute was one of the very first legislative attempts to address list brokerage – the compilation and sale of an individuals’ personal information for marketing campaigns. Often, businesses fail to inform consumers of their data sales activities, and major companies, both online and off, sell their customer lists to list brokers. In simple terms, the statute is designed to assist consumers in learning about how their information is sold to others and provide them an opportunity to limit the sale. The statute also requires Internet based businesses that operate in California and gather and share California residents’ personal information to label website homepage links to their privacy policies as “Your Privacy Rights.”
The statute requires that covered businesses, at the request of a customer with whom they have an established relationship, provide a list of categories of personal information disclosed within the preceding year, as well as the identities and contact information of the companies receiving that information. ‘Personal information” is defined broadly to include not only information such as names and addresses, but also information such as height, weight, race, religion, occupation, political affiliation, medical conditions, and types of purchases made.
The following personal information disclosures do not constitute “disclosures” for purposes of triggering the privacy policy and consumer reporting requirements under the statute: (a) for data processing, storage, and management, but only if the third party does not use the information for marketing or further disclose it; (b) for marketing to consumers with whom the business has an established business relationship, provided the business does not disclose the information to third parties for the third parties’ marketing purposes; (c) for maintaining and servicing accounts; or (d) for obtaining payment for a transaction.
This guest post was written by Richard B. Newman, an Internet Law Attorney that specializes in performance marketing, business litigation, and regulatory compliance at Hinch Newman LLP in New York, New York.