How to Comply with "Shine the Light" - a Quick Primer
By Shannon Coulter
Designed to protect consumer privacy, California’s new “Shine the Light” law went into effect on January 1st, allowing over 35 million state residents to request and receive personalized marketing reports from any business where they’ve made a purchase or have an account. Please note, of course, that Lyris is not a legal expert, and we offer the information below with no implied or express warranties; it is for informational purposes only. We encourage our clients, customers, and web site visitors to speak with their own legal advisors to understand how this legislation may apply to their businesses in particular.
What does the law mean for my business?
Among other things, when any California resident makes a “Shine the Light” request, the law requires any business with more than 20 employees to respond with the names and addresses of any external companies (including affiliates) with which it shared that customer’s personal data over the previous year. On top of that, a business is obligated to divulge the exact nature of the information it shared—everything from basic customer demographics to more detailed information like religion, political affiliation, even weight. The information must be supplied to the customer “in writing or by electronic mail.”
This will be complicated and expensive to implement. Is this law fair to marketers?
With some decidedly costly and far-reaching consequences, many marketers regard “Shine the Light” as somewhat misguided and overly broad. Yet along with CAN-SPAM and a growing body of state-level legislation restricting unsolicited materials, the new law is part of a clear, growing trend toward permission-based messaging—one extending beyond email to affect all marketing channels.
Which organizations are affected?
Any company with more than 20 employees that has an “established business relationship” with a California resident and has disclosed that resident’s personal information to a third party within the preceding calendar year.
Which organizations are not affected?
With certain restrictions: nonprofit organizations, political fundraising groups, financial institutions, businesses providing public real estate records, credit reporting agencies, and any business that allows its customers to prevent their personal information from being shared (see the next section).
What's the simplest and easiest way to comply?
Fortunately, a provision added to the law by former California Governor Gray Davis provides marketers with a shortcut to “Shine the Light” compliance—one that doesn’t involve building expensive new databases or business processes. In a nutshell, the provision says that you’re in compliance with “Shine the Light” as long as you give your customers the ability to prevent their personal information from being shared with third parties. If you allow customers to exclude themselves, their requests for disclosure can simply be answered with a stock response on how to go about removing their names from future third party marketing exchanges.
To take this path to compliance, you should share only the data of those customers who give their explicit consent for you to do so—commonly known as an “opt-in” approach. The law says that an opt-out approach is acceptable too—that is, removing only those customers who make a specific request to be excluded from having their data shared—but with this growing trend toward permission-based marketing, it’s best to go with an opt-in solution.
Note, whichever approach you take, it seems that you’re still obligated to notify your Californian customers as to how they can prevent their information from being shared in the future.
What are my other options for compliance?
If you really don’t want to give your customers the choice to prevent their personal information from being shared, then you need to be equipped to provide detailed marketing data within 30 days to any Californian who requests it.
By the way, keep in mind that California is just one state. If other states pass similar legislation, the administrative costs associated with providing detailed, on-demand marketing reports to consumers will escalate significantly over the next several years.
Still, if you choose this approach to compliance, here are the major things you’ll have to do:
- Designate a mailing address, electronic mail address, or a toll-free telephone or facsimile number to which customers may make disclosure requests.
- Respond to disclosure requests within 30 days, providing the names and addresses of any third parties with which the customer’s data was shared over the past 12 months—including all categories of personal information that were shared.
- Add an area to your company’s web site entitled “Your Privacy Rights” and provide details on how to go about making a disclosure request.
- Make the designated contact information available to customers in any place of business in California where contact is regularly made with customers.
One Final Way to Comply with "Shine the Light"
Of course, the easiest approach of all to complying with “Shine the Light” is to refrain from sharing customer data with third parties altogether. Such a policy not only serves to distinguish you as an ethical marketer, it helps you navigate the growing minefield of legislation against unsolicited materials.
Keep in mind, however, that if your business has shared customer data with a third party over the past 12 months, you’re still obligated to comply with the new law.
More Information
The full text of the law (Civil Code Number 1798) can be found here.
Information on “Shine the Light” from the Privacy Rights Clearinghouse can be read here.
More information on email marketing best practices can be requested here: Email Marketing Best Practices
Contact us at editor@lyris.com to share your ideas. We may include them in the next issue of Making Mail Work!
Shannon Coulter is a Marketing Manager at Lyris Technologies.