===Requirements===
The law applies to all businesses, for-profit or non-profit, that conduct business with any resident of California and have "shared customer personal information with other companies for their direct marketing use within the immediately preceding calendar year,"<ref name=epic></ref> with the exception of businesses with fewer than 20 employees and federal financial institutions.<ref name=epic></ref> The law defines "customer" as "an individual who is a resident of California who provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family, or household purposes."<ref name=cacode></ref>
Under the "Shine the Light" law, California defines 27 categories as "personal information" when disclosed to third parties.<ref name=cacode></ref>
The law requires that a business establish a designated contact point (an email address, a mailing address, or a phone or fax number) to which customers may direct Information-Sharing Disclosure requests. In addition, a business must do one of the following:
# Provide the contact points to all employees who may have contact with consumers, so that if a consumer asks about privacy practices, the employee can provide the contact information;
# Add a link on its home page titled "Your Privacy Rights" or "Your California Privacy Rights", or include one of those phrases in the same style as the heading "Privacy Policy" on a business's privacy policy page (linked from the business's home page). That section or separate "Your Privacy Rights" page must describe a customer's rights as outlined by the law and provide information to the consumer regarding the designated contact point;
# Clearly post or make available the contact information everywhere a customer interacts with the business's employees in California.
The law contains a few exceptions for information-sharing among different companies of the same brand.
Businesses must provide the consumer with a complete list of all personal information disclosed to third parties, and the nature of that information, within 30 days of the request (150 days if the request goes to an address or contact point other than the designated contact point). If a business fails to comply but is able to provide sufficient reason for a non-negligent failure to comply, the law provides a grace period of 90 days. However, if a business fails to meet a consumer's request according to the law, the consumer is entitled to recover civil damages of up to $3,000 plus attorney's fees.
Online privacy policies often include language targeted specifically at California residents. <br />
Add to the home page of its Web site, a link either to a page
titled "Your Privacy Rights" or to add the words "Your Privacy
Rights," to the home page's link to the business' privacy policy. If
the business elects to add the words "Your Privacy Rights" to the
link to the business' privacy policy, the words "Your Privacy Rights"
shall be in the same style and size of the link to the business'
privacy policy. If the business does not display a link to its
privacy policy on the home page of its Web site, or does not have a
privacy policy, the words "Your Privacy Rights" shall be written in
larger type than the surrounding text, or in contrasting type, font,
or color to the surrounding text of the same size, or set off from
the surrounding text of the same size by symbols or other marks that
call attention to the language. The first page of the link shall
describe a customer's rights pursuant to this section and shall
provide the designated mailing address, e-mail address, as required,
or toll-free telephone number or facsimile number, as appropriate.
If the business elects to add the words "Your California Privacy
Rights" to the home page's link to the business's privacy policy in a
manner that complies with this subdivision, and the first page of
the link describes a customer's rights pursuant to this section, and
provides the designated mailing address, electronic mailing address,
as required, or toll-free telephone or facsimile number, as
appropriate, the business need not respond to requests that are not
received at one of the designated addresses or numbers.
(C) Make the designated addresses or numbers, or means to obtain
the designated addresses or numbers, readily available upon request
of a customer at every place of business in California where the
business or its agents regularly have contact with customers.
===Criticism===