You have probably noticed how many websites include a "California Privacy Rights" clause somewhere within their Privacy Policy agreements, and oftentimes link separately to this clause from their website's footer section.

This kind of clause is required for certain businesses by the "California Civil Code Section 1798.83" also known as California's "Shine the Light" law.

It typically informs California residents that they have the right, once per calendar year, to request disclosure of what kind of personal information has been collected about them and then shared with other third parties for the third party's direct marketing use, as well as the names and addresses of those third parties with which the information has been shared.

This clause, and the right of California residents to request this information, are requirements of California Civil Code Section 1798.83, which is commonly known as the "Shine the Light" law.


The "Shine the Light" Law

The "Shine the Light" law is a California State privacy law that was proposed in 2003, amended three times in the State Senate and five times in the State Assembly, and was finally passed by the California State Legislature in 2003.

The law officially became an active part of the California Civil Code on January 1, 2005.

Businesses were commonly collecting personal information from their customers, such as email addresses, mailing addresses, and phone numbers, and then selling this information to third parties without letting the customers know.

These third parties were then using this personal information to directly market to customers via email, mailings, and phone calls that the customer never authorized or expected.

The "Shine the Light" law was created in an attempt to protect the privacy of California residents and help end these undesirable business practices by requiring businesses to disclose certain information that they collect and then share with third parties for marketing purposes, as well as to let consumers know with whom their personal information was shared.

Who must follow this law

Not every business is required to comply with the "Shine the Light" law.

If your business meets all of the following requirements, you'll be responsible for complying with this law:

  1. Has 20 or more employees,
  2. Has any customers who are residents of California, and
  3. Has, within the past calendar year, shared personal information from any of your customers with a third party for the purpose of direct marketing.

Exemptions

The following types of businesses are exempt from having to comply with this law:

  • Those with fewer than 20 employees
  • Non-profit organizations
  • Politicians and political groups
  • Religious organizations
  • Credit reporting bureaus
  • Federal financial institutions
  • Providers of public real estate records, or
  • Businesses that only share information after users have opted in to this sharing, or that provide easy access to an opt-out function that allows users to opt out of having their information shared.

Requirements of the law

If your business must comply with the "Shine the Light" law, there are a number of requirements that must be met.

Requirement #1

You must let customers know, free of charge, and either in writing or electronically, if you have, in the previous calendar year, disclosed any of the following information to third parties for those third parties to use for direct marketing purposes:

  • Name and address, including any email addresses
  • Information about children: name, age, date of birth, gender, how many children someone has
  • Physical information such as height, weight, race, medical conditions, drugs or therapies used
  • Financial information such as credit card, debit card, or bank account number, investment history
  • Lifestyle information such as political party affiliation, education level, religion etc.

Find the entire list as defined by the law here.

Requirement #2

You must also provide the names and addresses of the third parties that received any of the above personal information from your business in the previous calendar year for direct marketing purposes.

Note that the law explicitly states the following:

[..] if the nature of the third parties' business cannot reasonably be determined from the third parties' name, examples of the products or services marketed, if known to the business, sufficient to give the customer a reasonable indication of the nature of the third parties' business

Requirement #3

You must, according to the "Shine the Light" law:

[..] designate a mailing address, electronic mail address, or, if the business chooses to receive requests by telephone or facsimile, a toll-free telephone or facsimile number, to which customers may deliver requests.

Requirement #4

You must inform your employees, agents, managers, and anyone else who has regular contact with customers (such as your customer support team) of this method of contact, and make this information available to customers upon request at every place of business located within California or where contact is made regularly with customers.

Requirement #5

You must either add a conspicuous link titled "Your Privacy Rights" to your website homepage or within the Privacy Policy agreement itself, or include a conspicuous homepage link titled "Your California Privacy Rights."

In either case, the first page of either link must "describe a customer's rights" and "shall provide the designated mailing address, e-mail address, as required, or toll-free telephone number or facsimile number."

Requirement #6

You must comply with any customer request within 30 days, or within no more than 150 days if the request arrives through a channel your business has not designated but through which you still receive it.

Requirement #7

You are only required to disclose this information to a customer who asks for it once per calendar year.

Penalties for non-compliance

If your business must comply with the "Shine the Light" law and does not do so, there may be legal and financial repercussions.

If a customer requests information under the law and your business does not provide this information, the customer may file a civil lawsuit to recover damages that he feels were caused by your failure to disclose.

Typically, a business will have a 90-day grace period in which the information the customer requested can be finally provided to him.

If the information is provided within this grace period, the business will not have to pay damages.

Damages are limited to $500 unless a willful, intentional or reckless violation is found by the court. In that case, damages can be as high as $3,000 and there will be no 90-day grace period.

Examples of "Your California Privacy Rights" clauses

MyCommerce

At MyCommerce, there's a link in the footer for "Your California Privacy Rights". This is separate from the main Privacy Policy page, and is easily findable by users:

Highlight California Privacy Rights link in MyCommerce footer

Their "California Privacy Rights" section is very short and lets users know that residents of California are permitted to "request information regarding the disclosure of your personal information by Digital River, Inc. or its subsidiaries to a third party for the third party's direct marketing purposes" and gives users an email address and mailing address where requests can be sent:

Screenshot of California Privacy Rights page of MyCommerce

Ford Motor Company

Ford places a link to the "Your CA Privacy Rights" page in its website footer section:

Highlight Your CA Privacy Rights link in Ford footer

When a user clicks on this link, she is taken to the "Your California Privacy Rights" section that explains how the "Shine the Light" law affects users and what rights it gives them.

The Ford Motor Company does a great job of explaining the law in a way that's easy to understand by stating that:

California residents who provide personal information in obtaining products or services for personal, family, or household use are entitled to request and obtain from us once a calendar year information about the customer information we shared, if any, with other businesses for their own direct marketing use. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we shared customer information for the immediately prior calendar year (e.g., requests made in 2016 will receive information regarding 2015 sharing activities).

An email address where requests can be sent is also included, as well as a notice that only information covered by the "Shine the Light" law will be shared.

Screenshot of Your CA Privacy Rights page of Ford

UPS

UPS takes a different approach to this type of legal requirement by informing users of their rights under the "Shine the Light" law.

Their "California Privacy Rights" section informs California residents that they have the right to ask UPS to refrain from sharing personal information with certain affiliates and third parties for their marketing purposes and invites users to send in their preferences either by email or written mail.

Note how no information is included here about requesting this type of information once per year.

This kind of notice by UPS simply gives users the ability to opt in to explicitly allow their information to be shared and provides a clear and easy way for users to opt out of having their information shared.

Screenshot of Your California Privacy Rights modal window

Disney

While the UPS CA Privacy Rights section is very short and vague, Disney takes a very different approach with their "California Privacy Rights" section by making it longer, more informative, and very personable.

The law is explained to users, and a statement is made about how Disney takes great pride in the trusting relationship they have with their guests. A link is provided to Disney family companies, the main Privacy Policy, and an email address and written address are both also provided.

Screenshot of Your California Privacy Rights page from Disney

This is a great way to convey not only the factual information about what effects the "Shine the Light" law has but also to convey the overall notion of trust and respect for privacy rights of customers, which is exactly what the "Shine the Light" law aims to establish.

NVIDIA

NVIDIA does not have a separate link or web page for its "California Privacy Rights" clause.

However, the Privacy Policy page is named "NVIDIA Privacy Policy/Your California Privacy Rights" and there's a section within this legal agreement named "Notice to California Residents - Your California Privacy Rights", so this information is still conspicuous and included in an eye-catching way.

Table of Contents of Privacy Policy of NVIDIA highlighting Section 11

The "Notice to California Residents" section is short and to the point, informing NVIDIA customers who are California residents of their rights under the "Shine the Light" law:

Screenshot of Section 11, Notice to California Residents, from NVIDIA

NVIDIA thus opted to include the notice for CA residents and information about the "Shine the Light" law within the Privacy Policy agreement itself. NVIDIA posts a clear link to its Privacy Policy agreement in its website footer section:

NVIDIA footer: Highlight where the Privacy Policy link is

Verizon

Verizon includes a number of different agreements and policies within its Privacy Policy section, including a "California Privacy Rights" link and section:

Verizon Privacy Policy: Highlight California Privacy Rights section

Users can reach each of these policies by clicking on links in the website footer section:

Footer of Verizon website: Highlight where the Privacy Policy link is

The California Privacy Rights section of Verizon's Privacy Policy informs users of their rights under the "Shine the Light" law, and provides a means for customers to exercise those rights:

Screenshot of California Privacy Rights page of Verizon

Walmart

Walmart includes a link directly to its "California Privacy Rights" section in the website footer:

Footer of Walmart website: Highlight where California Privacy Rights link is

Walmart's approach to this California Privacy Rights requirement is to let customers know that its main Privacy Policy applies to all customers, including those in California, and that information is only shared outside of Walmart for direct marketing purposes if a customer has given affirmative consent.

Walmart informs customers that it shares personal information with other businesses within the Walmart family, and provides a method for customers to contact it with any questions or to request information.

Screenshot of California Privacy Rights page of Walmart

Jostens

Jostens includes a separate footer link to its "CA Privacy Rights policy" page:

Footer of Jostens: Highlight where the link to Your CA Privacy Rights is

The "Legal Notices" link also includes a link directly to this legal page:

Screenshot of the Legal Notices page of Jostens

Jostens has a very clear and basic "CA privacy rights" section that lets users know that "under California law, Jostens customers who are California residents may request certain information regarding the types of information shared by Jostens with third parties for their direct marketing purposes, and the identities of those third parties."

This language used in their legal policy is very similar to the actual language of the law.

Screenshot of the Your California Privacy Rights page of Jostens

If you are required to comply with this law, you must have a Privacy Policy section that informs your California customers of their rights under the "Shine the Light" law.

Let users know that they have the right to request what personal information you have shared with third parties, for the purpose of direct marketing, within the previous calendar year.

Provide a way for users to contact you to make this request, either via email, written mail, or both. Include this information in your "CA Privacy Rights" section.
