User:Agreatnotion/sandbox: Difference between revisions

Line 43:
The bill was amended three times in the State Senate and five times in the State Assembly. It passed the Assembly on September 8, 2003 and the Senate on September 12, 2003. On September 24, 2003, [[Governor]] [[Gray Davis]] signed it into law. The bill became operative on January 1, 2005.
 
===Requirements===
The law applies to all for-profit businesses that conduct business with any resident of California and have "shared customer personal information with other companies for their direct marketing use within the immediately preceding calendar year,"<ref name=epic></ref> with the exception of businesses with fewer than 20 employees and federal financial institutions. Businesses that maintain a free and public privacy policy which allows users to opt in to or opt out of information sharing are also exempt. The law defines "customer" as "an individual who is a resident of California who provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family, or household purposes."<ref name=cacode></ref> A business does not need to be located in California; it simply needs to have a single customer who resides in the state.
 
===Personal Information===
Under the "Shine the Light" law, California defines 27 categories as "personal information" when disclosed to third parties.<ref name=cacode></ref>
 
Line 72:
|}
 
===Notification and Contact Points===
The law requires that a business establish a designated contact point—an email address, a mailing address, or a phone or fax number—to which Information-Sharing Disclosure requests may be directed. In addition, a business must do one of the following:
# Provide the contact points to all employees who may have contact with consumers, so that if a consumer asks about privacy practices, the employee can provide the contact information;
Line 78:
# Clearly post or make available the contact information everywhere a customer interacts with the business's employees in California.<ref name=cacode></ref>
 
===Disclosure and Violations===
Businesses that maintain a free and public privacy policy which allows users to opt in or opt out of information sharing are also exempt. Such businesses can respond to Information-Sharing Disclosure requests with the information on how to opt in or opt out.
Businesses must provide to the consumer a complete list of all personal information disclosed to third parties and the nature of that information within 30 days of the request (150 days if a request goes to another address or contact point that is not the designated contact point) but must only respond to requests from a customer once in a calendar year. The response must include the categories of information disclosed and the companies to which they were disclosed in the last calendar year.<ref name=prc>Privacy Rights Clearinghouse. "[http://www.privacyrights.org/ar/SB27Release.htm California's "Shine the Light" Law Goes into Effect Jan. 1, 2005]." Press Release. Posted December 29, 2004. Retrieved on 11-03-01.</ref> Businesses with privacy policies that allow users to opt in or opt out can respond to Information-Sharing Disclosure requests with the information on how to opt in or opt out.<ref name=prc></ref>
 
If a business receives notice that they have failed to comply by submitting incomplete information or not responding to the request at all, the law provides a grace period of 90 days for them to provide complete information as requested.<ref name=cacode></ref> However, if a business fails to meet a consumer's request according to the law, that customer is entitled to recover civil damages of up to $500. If a company willfully fails to comply, the damages increase to up to $3,000 plus attorney's fees.<ref name=prc></ref>
'''Violations'''
Businesses must provide to the consumer a complete list of all personal information disclosed to third parties and the nature of that information within 30 days of the request (150 days if a request goes to another address or contact point that is not the designated contact point). If a business fails to comply but is able to provide sufficient reason for non-negligent failure to comply, the law provides a grace period of 90 days. However, if a business fails to meet a consumer's request according to the law, the customer is entitled to recover civil damages of up to $3,000 plus attorney's fees.<ref name=cacode></ref>
 
===Criticism===