Companies doing business in California face a new threat in the coming year. Plaintiffs’ lawyers have started filing class actions seeking millions in statutory damages and attorneys’ fees under California’s “Shine the Light” law. This statute, set forth in California Civil Code § 1798.83, is a little known, seldom-litigated provision that could have devastating consequences for businesses that fail to comply.

Although the law has been around for six years, recent audits show uneven compliance, which may be the reason many class action lawyers are starting to take notice. See Thomas, Lauren and Hoofnagle, Chris Jay, Exploring Information Sharing Through California’s 'Shine the Light' Law (Aug. 13, 2009). Read on for an overview of the law and recommended steps to help ensure that your company does not become the next target.

California’s ‘Shine the Light’ Law

On the books since January of 2005, the “Shine the Light” law is part of California’s Consumer Records Act (“the Act”), Cal. Civ. Code § 1798.80 et seq., a statutory scheme that requires organizations dealing with California residents to take steps to protect personal information, including destroying personal information in records that are discarded and providing notice if personal information is unlawfully accessed.

Section 1798.83 is designed to allow California residents to learn how organizations are distributing their personal information. The Act requires disclosure by any “business” that, in the past calendar year, “disclosed” “personal information” about a “customer” to “third parties” and knows (or reasonably should know) that the third party used the information for “direct marketing purposes.” The “disclosure” is to be made upon “customer request” and generally must include, at a minimum, the names and addresses of third parties with which the business shared customers’ personal information. Violations subject businesses to civil penalties of $500 per violation ($3,000 per violation if willful) plus attorneys’ fees and costs.

Basic Contours of the Law

The statute defines each of the terms quoted above and those terms provide the contours of the law:

• “Business” — a sole proprietorship, partnership, corporation, association, or “any other group,” “however organized,” and whether or not organized to make a profit. Cal. Civ. Code § 1798.80.
• "Disclose” — any “transfer” orally, in writing, electronically, “or [by] any other means” “to any third party.” Cal. Civ. Code § 1798.83(e)(3).
• “Personal information” — “any information that when it was disclosed identified, described, or was able to be associated with an individual ….” Cal. Civ. Code § 1798.83(e)(7).
• “Customer” — an “individual” (limited to a natural person) who “is a resident of California” and provides personal information to a business as part of an “established business relationship.” Cal. Civ. Code § 1798.83(e)(1); Cal. Civ. Code § 1798.80(d).
• “Established business relationship” — a relationship formed by “a voluntary, two-way communication” “with or without an exchange of consideration,” for the purpose of: (i) purchasing, renting, or leasing “real or personal property, or any interest therein,” or (ii) obtaining a “product or service.” The relationship must be (a) ongoing and not expressly terminated by the business or the customer, or (b) if the relationship is not ongoing, no more than 18 months have elapsed from the date of the transaction. Cal. Civ. Code § 1798.83(e)(5).
• “Third parties” — includes a “business that is a separate legal entity from the business that has an established business relationship” with a customer. Cal. Civ. Code § 1798.83(e)(8). Special rules apply for sharing certain types of information with affiliated businesses. Cal. Civ. Code § 1798.83(f).
• “Direct marketing purposes” — the use of personal information to “solicit or induce” a purchase, rental, lease, or exchange of products, goods, property, or services “directly to individuals” using the mail, telephone, or electronic mail. Cal. Civ. Code § 1798.83(e)(2).

Under the law, a customer can submit one request per year requiring a business to disclose how and with whom personal information has been shared. Cal. Civ. Code § 1798.83(a)(1). Businesses must respond within 30 days by disclosing the names and addresses of third parties with which personal information was shared, as well as a list of the type of information provided. Cal. Civ. Code § 1798.83(a)(1)-(2). Alternatively, if the business allows customers to “opt-out” of having personal information shared with third parties, it can respond simply by notifying the customer of the cost-free method of preventing disclosure. Cal. Civ. Code § 1798.83(c)(2). For this option to work, the business also must publish its opt-out option as part of its privacy policy. Id.

Class Action Drivers — Disclosure Requirements, Statutory Damages and Attorneys’ Fees

To enable customers to understand how to make a request for disclosure, the “Shine the Light” law requires businesses to designate a mailing address, email address or toll-free phone number to receive customer requests. Cal. Civ. Code § 1798.83(b)(1). The business must publicize the address or number by doing one of the following:

• Notify all agents and managers. A business can “[n]otify all agents and managers who directly supervise employees who regularly have contact with customers of the designated addresses or numbers” and “instruct those employees” to advise customers who inquire about the designated address or number. Cal. Civ. Code §
  1798.83(b)(1)(A). The phrase “employees who regularly have contact with customers” refers to employees “whose contact with customers is not incidental to their primary employment duties, and whose duties do not predominantly involve ensuring the safety or health of the business's customers.” It includes, but is not limited to, “employees whose primary employment duties are as cashier, clerk, customer service, sales, or promotion.” Cal. Civ. Code § 1798.83(e)(4).
• Website disclosures. Alternatively, a business can add a link to the homepage of its website titled “Your Privacy Rights” or add the same words to the homepage’s link to the business’s privacy policy. The first page of the link should describe the customer’s rights under Section 1798.83 and provide the designated address or toll-free telephone number. This option is subject to certain font and formatting requirements. Cal. Civ. Code § 1798.83(b)(1)(B).
• Physical location disclosures. A business can make the designated address or phone number “readily available upon request” of a customer “at every place of business in California where the business or its agents regularly have contact with customers.” Cal. Civ. Code § 1798.83(b)(1)(C).

Under Section 1789.84(b), a “customer injured” by a violation may file a civil action to recover damages. In addition, the customer may seek $500 per violation or $3000 if the violation was willful, intentional or reckless. A “prevailing plaintiff” is entitled to recover reasonable attorneys’ fees and costs. Cal. Civ. Code § 1798.84(g).

Recent Class Action Activity

Over the past few weeks, several class actions have been filed against companies doing business in California, asserting violations of Section 1789.83. The most popular theory appears to be that companies are not complying with any of the three options available under Section 1798.83(b) for notifying customers how to send a disclosure request. The most popular target to date appears to be businesses that operate primarily online. The complaints allege that, because these businesses do not have a physical store, they do not have “employees who regularly have contact with customers” and thus cannot rely on the first option (notifying managers who supervise employees who regularly have customer contact) or the third option (making the contact address or number readily available at every place of business that regularly has customer contact). This allegation appears to assume that “contact” requires physical contact (rather than telephonic or electronic contact) — a seemingly dubious proposition given that the law contemplates telephonic and electronic notice. The complaints also allege that the targeted companies are not complying with the second option (providing a proper link to “Your Privacy Rights” from the company’s internet homepage). Asserting that these compliance failures somehow “dilute the value” of the plaintiffs’ personal information, the plaintiffs in these recent cases are seeking $3000 per violation, as well as fees and costs.

Defending Class Actions Filed Under California’s ‘Shine the Light’ Law

To date, few cases have been litigated under California’s “Shine the Light” law, so there are no good examples of how to defend these cases successfully, or how the courts have interpreted the law. That said, several strategies are evident from the face of the statute and the recently filed class action complaints.

Prevention. Often the best defense is a good offense. In this context, “offense” means taking proactive steps to ensure that your company does not become a class action target. Although businesses have three options to comply with the disclosure requirement, the most cost-effective appears to be option two, which simply requires a company to designate an address or toll-free number to receive disclosure requests and provide the required hyperlink and disclosures on the company’s website. In many cases, the company’s privacy policy can be tweaked to provide the required link and disclosures.

Challenge Plaintiff’s Harm Allegations. If you cannot avoid litigation, there are several strategies that can be used to attack the complaint and hopefully secure victory with minimal cost. For example, Section 1789.84 only permits “injured” customers to file suit for alleged violations of the “Shine the Light” law. The class actions filed to date include sparse injury allegations, at best asserting that the plaintiff’s personal information has a monetary value that supposedly is being “diluted” by the alleged failure to comply with Section 1789.83. Similar allegations recently have been rejected as too speculative to establish injury-in-fact. See, e.g., In re iPhone Application Litig., 2011 WL 4403963, at *4 (N.D. Cal. Sept. 20, 2011) (granting motion to dismiss; alleged “diminution in value of the personal information” was too vague and speculative to establish injury).

Built-in Class Action Defense? Although the issue has not been litigated, the law appears to have a built-in class action defense. Only “customers” can sue for alleged violations of the law, and Section 1798.83(e)(1) defines “customer” as an individual who is a “resident” of California. Traditionally, the terms “resident” or “residence” are synonymous with “domicile,” which requires physical presence and the intent to remain permanently for an indefinite period. See, e.g., Cal. Gov’t Code §§ 243-44; Burt v. Scarborough, 56 Cal. 2d 817, 819-20 (1961) (“residence” synonymous with “domicile”). Intent is an individualized question that depends on the state-of-mind of each putative class member. Such issues generally are inappropriate for class treatment. See, e.g., Knapp v. AT&T Wireless Srvs., Inc., 195 Cal. App. 4th 932, 944-45 (2011) (rejecting class certification in part because liability depended on each putative class member’s state of mind). Thus, by defining “customer” to include only “residents,” the law appears to require proof regarding an inherently individualized question that cannot be decided on a class basis and should preclude class certification.

Challenge Superiority. One of the reasons class action lawyers are filing these cases is because of the potential for large statutory damages. But the “blessing” of statutory damages can be turned against plaintiffs. In cases where the total statutory damages would be grossly disproportionate to any harm suffered, courts may conclude that a class action is not a “superior” method of adjudicating the dispute and certification should be denied. See, e.g.,Kaufman v. ACS Sys., 110 Cal. App. 4th 886, 922-24 (2003). This argument could be a useful tool for defeating class certification, if your opponents get greedy and make excessive demands for statutory damages.

Substantial Compliance. Assuming a business is not able to demonstrate actual compliance with Section 1789.83, another option is to focus the court on the steps your company has taken to inform customers of their privacy options. In certain cases, a defendant’s substantial compliance with a statutory requirement can be a defense to claims asserting minor or technical defects. See, e.g., Troyk v. Farmers Group, Inc., 171 Cal. App. 4th 1305 (2009) (discussing substantial compliance doctrine in context of alleged statutory violations).

The bottom line is that 2012 promises to be another active year for class actions in California. Be on the lookout for new trends and new class action theories being asserted by the plaintiffs’ bar and take steps to ensure that your company and your clients do not become the next target.