Recently, several big class-action lawsuits have been filed in California over whether adequate notices are being given to consumers when their personal information is sold. With the major controversy surrounding Facebook and the use of its users’ personal information during the 2016 presidential campaign, the public has become more aware and informed about this topic.
A recent Newsweek article reports that data brokers typically try to stay below the radar so as not to draw attention to what they do for a living. This may be partly responsible for the fact that over half of all Canadians and Americans say that they do not know exactly what happens when they give their name, address, phone number and email address to a website or company.
Recent lawsuits use California’s Shine the Light Law (S.B.27) to object to how these marketing companies use all our data. The lawsuits allege:
“The company failed to properly identify a method for obtaining a disclosure as to how the company shares its customer’s personal information.”
With the publicity surrounding these lawsuits, other consumers are taking notice and filing their own suits, many of them class-action suits. Before deciding whether to file or not, it’s important to know exactly what S.B.27 is and how it works.
Overview of S.B. 27
According to S.B. 27, certain companies must disclose how they share their customer’s information each time a customer asks for it. Each time a company receives a request from a customer wanting to know how the company has shared their information with marketers, they must provide the information. This only covers the previous twelve months. In addition, S.B. 27 only allows consumers to make these requests in cases where the customer was not given access to the company’s privacy policies containing opt-out notices.
In order to be compliant with S.B.27, a company must create a privacy policy that includes opt-out rights, and provide that to their customers in an acceptable manner. It’s important for the consumer to fully understand the privacy notice and how they should proceed with opting out if desired. Many consumers are claiming that they were not notified about how their personal information is being used and who it is being sold to.
Who must comply?
Not all businesses must meet the terms of S.B. 27. Those affected will have these four things in common:
- 20 or more employees
- Business relationships with customers in California
- Have in the past, shared a customer’s personal info with other companies for the purpose of marketing
- The incident must have taken place within the previous calendar year
There are some businesses who are exempt from the bill’s requirements. These include:
- Financial organizations subject to certain provisions of S.B. 1, the California Financial Information Privacy Act.
- Those administering business-related disclosures to third parties. For instance, administrative or customer service personnel who do not use the information for their own direct marketing needs.
Rights of each individual under S.B. 27
Consumers have the right to be notified by the business using a designated contact method such as email, phone, and regular mail. In the notification, the company should outline how it shares the personal information of its customers with other businesses for the purposes of direct marketing.
Notifications can be completed in any one of several ways:
- A customer service representative from the company may contact customers who request this and go over their full policy for sharing customer personal data with third-party marketers.
- Customers may view the company’s privacy policy by visiting a store or branch and asking to see it.
- Customers may be directed to view the privacy policy statement by visiting the company’s website. The website must clearly show a link to “Your Privacy Rights” or “Your California Privacy Rights”. The privacy notice can be posted on the company’s website or on another web page that includes all this information. The disclosure must include wording that clearly indicates that the information is being given at no cost and is updated regularly with any changes to the law.
Consumers also have the right to request the following information each year from any California company they do business with:
- Customers can contact the company to find out whether they implement and comply with S.B. 27.
- Customers can request information about how to opt-in or opt-out of information sharing. The company is then responsible to notify the customer free of charge and in writing about opting in or out of sharing personal information.
- There are additional requirements for a business that does not provide their consumers with the opt-in and opt-out information. This information must also be provided free of charge in writing or by email.
Companies are required to go into some detail about exactly what customer information they are sharing. They must provide:
- Names and addresses of all third parties that obtained personal information during the preceding year from the business for direct marketing purposes.
- Exactly what information they shared, i.e., the customer’s name, address, phone number, birth date, etc.
- They must ensure that the customer understands what type of business they’re private info has been sold to. For instance, in cases where an individual might not readily recognize the business name, the company must provide examples of the types of products and services the third party vendor sells.
For those who wish to contact one or more companies to ask about how their personal information is being used, the Privacy Rights Clearinghouse has drafted a letter that can be used to request this information from any company.
The Penalties for Failing to Comply
There are legal remedies provided under the law when S.B. 27 is not properly followed. If a company fails to respond to a disclosure request, the customer is entitled to recover a civil penalty of up to $500 per violation. If the court decides that the company was willful, reckless or intentional in not adhering to S.B. 27, those filing lawsuits may be able to get $3,000 per incident. In some cases, the plaintiff’s attorney fees are also included in the award. A suit should be filed within 90 days of learning that an individual’s personal information was bought or sold without the person’s knowledge.