News / Resources

Privacy class action litigation is hot in California and a new wave of lawsuits are being filed under California's 2003 "Shine the Light" law, codified in Cal. Civ. Code Section 1798.83.

This privacy law affects most businesses with as few as 20 employees and allows individuals to learn about how a business sells and shares their personal information. Companies that do business with California residents must either allow their customers an opportunity to opt out (without charge) of having their information shared, or the company must make a detailed disclosure of how personal information was shared in the past calendar year for direct marketing purposes. For businesses without a storefront operation, there may be additional requirements for disclosing the business's privacy policy, including a detailed posting on its website.

Personal information is broadly defined and includes:

• Name and address
• Email address
• Age or date of birth
• Names of children
• Email or other addresses of children
• Number of children
• The age or gender of children
• Height
• Weight
• Race
• Religion
• Occupation
• Telephone number
• Education
• Political party affiliation
• Medical condition
• Drugs, therapies or medical products or equipment used
• The kind of product the customer purchased, leased or rented
• Real property purchased, leased or rented
• The kind of service provided
• Social security number
• Bank account number
• Credit card number
• Debit card number
• Bank or investment account, debit card or credit card balance
• Payment history
• Information pertaining to the customer's creditworthiness, assets, income or liabilities.

Under the Shine the Light law, once per calendar year, a consumer has the right to request, and receive within 30 days of the request, information about (1) how the consumer can exercise opt-in or opt-out rights, or (2) the type of personal information shared for direct marketing purpose and with whom it was shared.

Violations of the Shine the Light law are hefty, as civil penalties are available under Cal. Civil Code Section 1798.84, and they range between $500 and $3,000 per violation, plus attorneys' fees and costs. Businesses may have a 90-day safe harbor to correct an untimely or inaccurate notification.

Since damages are so difficult to prove in privacy lawsuits, plaintiff attorneys are looking to laws with statutory damages already in place (such as Song-Beverly, the Video Privacy Protection Act and the Confidential Medical Information Act). It is no surprise that plaintiff attorneys are trolling websites to see if businesses are displaying an appropriate privacy policy. If the business is not, a putative class action lawsuit will likely be filed seeking millions, or even billions, of dollars in statutory penalties without proof of actual damages. If a review of your privacy policies was not on your list of 2012 New Year's resolutions, it should be quickly added.

For more information about how this law may impact your business, please contact Theodore J. Kobus III ( or 212.271.1504) or any member of Baker Hostetler's Privacy, Security and Social Media Team.

Authorship Credit: Theodore J. Kobus III and Craig A. Hoffman