• California List Information Disclosure Law Goes Into Effect
  • December 17, 2004
  • Law Firm: Reed Smith LLP - Pittsburgh Office
  • A California law affecting businesses that share information about customers who reside in that state goes into effect January 1. The law, signed by Gov. Gray Davis more than a year ago, applies to most businesses that sell or trade customer data, but it has some important caveats.

    The information-sharing disclosure law, SB 27, requires businesses to respond to customer requests concerning the personal information they share with other businesses. Businesses must disclose the types of personal information they share with third parties, and provide contact and descriptive information about the companies with which they share customer information.

    The law generally applies to businesses that disclosed personal information of customers to third parties in 2004, and knew or should have known that the third parties would use the personal information for direct marketing purposes. The definition of "personal information" covers customer names, postal and email addresses, race, religion, height, number of children, occupation, credit card and bank account numbers, payment history, and certain medical information.

    However, SB 27 also offers businesses an alternative to its onerous disclosure requirements. Businesses are exempted from the disclosure requirements if they inform customers of their right to prevent disclosure of their data, and offer a cost-free means to opt out of having such information shared with third parties.

    Also exempted from the law are financial institutions, which are regulated under their own statutory schemes; businesses with fewer than 20 employees; and certain nonprofit, political and religious organizations soliciting funds.

    Despite its exemptions, the law does have teeth. Like many of California's consumer laws, SB 27 contains a private right of action, which allows consumers to collect damages for injuries caused by violations of the law, as well as awards of attorneys' fees and costs, and civil penalties for intentional and unintentional violations.

    The Direct Marketing Organization reports that approximately 95 percent of its members already are in compliance with the new law because they offer customers alternatives to opt out of marketing lists. The opt-out option was added after lobbying by the marketing industry.

    While the opt-out provision may mean the law will have minimal impact on the direct marketing industry, the new law does serve to align mail-order marketing standards with those that currently apply to online commerce, according to privacy experts.

    Why This Matters: The law underscores the stated goal of California lawmakers and regulators to take a leadership role in crafting privacy standards. Because California is the most populous state in the nation and comprises the world's fifth-largest economy, businesses must do more than meet minimum federal privacy standards -- most also must comply with California's directives. Many may remember California's infamous Section 17200 provisions that allowed private citizens to sue as if they were the California Attorney General. Section 17200's statutory scheme spawned countless class actions throughout the state. That law, however, was substantially limited in the last election and is not expected to be the pariah is had been for so many years. One wonders, however, if SB 27's private standing provisions will become the next wave ridden by class action lawyers, now that 17200 has been taken away from them.