California Civil Code §1798.83 (also known as Senate Bill 27 or SB 27) requires a business to make certain disclosures to its California customers, when asked, about its information sharing practices. The law applies to a business’s information collection and sharing practices in all marketing channels, not just online.
As noted in earlier Alerts, the law takes effect January 1, 2005; now is the time for companies subject to SB 27 to start planning how they will comply with the law.
SB 27 applies if a business has an established business relationship with a California consumer and the business has shared customer personal information in the preceding calendar year with third parties for direct marketing purposes. Thus, a business that is not located in California but does business with California residents, whether through its website, mail order, or otherwise, is subject to the law.
Financial institutions that are subject to and comply with California’s financial information privacy law are exempt from SB 27. Also, businesses with fewer than 20 full or part-time employees are exempt.
All businesses subject to the law must provide a “contact point” that customers can use to make an SB 27 request. The contact point must be a mailing address, email address, or toll-free telephone or fax number. In addition, all businesses subject to the law must publicize their contact point in at least one of the following three ways: (1) on the business’s web site; (2) by training customer-contact employees to tell customers of the contact point; or (3) by providing the information in every California location that has regular customer contact.
A business must respond to a request under SB 27 within 30 days of receipt if it was received at the business’s contact point. A business is required to respond to a customer only once per calendar year.
The nature of the disclosure, in response to an SB 27 request, depends on the business’s privacy practices and policy.
- If a business implements, publicizes and complies with a privacy policy that offers customers a free method to opt-in or opt-out of information sharing, then the business can respond to an SB 27 request by telling the customer about its privacy policy and how the customer can exercise his or her opt-in or opt-out rights.
- If a business does not provide customers a chance to opt-in or opt-out of information sharing, then it must make the following disclosure to the customer free of charge in writing or by email:
- A list of the kinds of personal information that the business has disclosed to third parties for direct marketing purposes, and
- The names and addresses of all of the third parties that received personal information from the business for direct marketing purposes during the preceding calendar year. If the nature of the third parties’ business cannot be reasonably determined by its name, the business must also provide examples of the products or services marketed by the third party “sufficient to give the customer a reasonable indication of the nature of the third parties’ business,” if known by the business.
A disclosure to a customer does not need to be particular to that customer; the disclosure may be in a standardized format.
Certain information sharing practices are exempt from the disclosure requirement. For example, a business that shares information with a third party to process, store or manage the information does not need to disclose this practice to a customer, as long as the third party does not use the information for direct marketing purposes.
Businesses that are subject to SB 27 should start planning now how they will comply. Note that in addition to the legal remedies provided under current law, a customer is entitled to recover a civil penalty, up to $3,000, and attorneys’ fees and costs.
At a minimum, a business subject to SB 27 should:
- Determine whether it wants to extend California privacy rights to consumers throughout the country, or only to its California customers;
- Decide which privacy practice the business will implement (opt-in/opt-out, or something else) as this will determine the nature of the required disclosure;
- Keep track, on a company-wide basis, of all the third parties (names, addresses and brief description) with whom it shares customer personal information and the dates of such sharing;
- Keep track, on a company-wide basis, of the kinds of personal information it has shared (e.g., name, address, email address, social security number, telephone number);
- Establish and publicize a contact point for SB 27 requests; \
- Train customer service personnel how to handle such requests from customers; and
- Prepare the required disclosure (either the shorter disclosure telling a customer how to opt-in or opt-out, or the longer disclosure containing categories of information shared and the third parties with whom it was shared), and decide how that disclosure will be made (e.g., by email, first class mail, telephone, etc.)
The California Office of Privacy Protection is expected to issue Recommended Practices shortly that may provide businesses with some helpful information regarding compliance. However, the recommendations may exceed the legal requirements imposed by the new law. Accordingly, you should also consult counsel for a detailed analysis and recommendations as to your privacy policies and practices.
This client alert is a publication of Loeb & Loeb and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.
Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.