ARTICLE
21 December 2004

New California Law Requires Disclosure From Businesses That Share Personal Information for Direct Marketing Purposes

Pillsbury Winthrop Shaw Pittman

Has your company shared customers’ personal information with affiliates or third parties during 2004? Did your affiliate or the third party use the information for direct marketing? This law, which takes effect on January 1, 2005, may apply to you.

California continues to spearhead protection of consumers’ personal information with SB 27, the "Disclosure of Customer’s Personal Information" (Civil Code section 1798.83), which takes effect January 1, 2005 (the "Act"). The Act requires disclosure by any "business" that has, in the prior calendar year, "disclosed" "personal information" to "third parties" and knows or reasonably should know that the third party used the information for its "direct marketing purposes." The "disclosure" is to be made upon "customer request" and must include the names and addresses of third parties with whom the business shared the personal information. Penalties for violation include injunction and civil penalties of $500 per violation ($3,000 per violation if willful) plus attorneys’ fees and costs.

What "business" is covered?

The Act is broad and reaches any entity which has done business with a California resident. A "business" is a sole proprietorship, partnership, corporation, association, or other group, however organized, whether or not organized to operate at a profit, including financial institutions wherever organized or the parent or subsidiary of a financial institution.[1] Businesses with fewer than 20 full-time or part-time employees are excluded.[2] The Act does not apply to financial institutions which are subject to the California Financial Information Privacy Act (SB 1)[3] if they are in compliance with that statute.

What constitutes "disclosing" personal information for "direct marketing purposes"?

"Direct marketing purposes" means the use of personal information to solicit or induce a purchase, rental, lease, or exchange of products, goods, property, or services directly to an individual by means of the mail, telephone or e-mail for their personal, family, or household purposes. The sale, rental, exchange, or lease of personal information for consideration to businesses is a "direct marketing purpose" for the seller/lessor of the information.[4]

Certain information sharing is excluded from the Act’s coverage, including: (1) disclosures to third parties pursuant to contracts or arrangements for (a) processing, storing, managing or organizing personal information if the third party does not use the information for direct marketing purposes and does not further share the information; (b) marketing to the business’ customers where the third party marketer is not permitted to use the information for its own marketing purposes; (c) maintaining or servicing accounts; (d) public record information related to real property; or (e) joint marketing with a third party under specified agreement terms; or (2) use by certain tax exempt organizations to solicit charitable or political contributions. Other exceptions are set forth in the Act at section 1798.83(d).

"Sharing" of information may occur where you don’t expect it. If you are a manufacturer and include warranty or product registration cards with your product, those cards usually solicit personal information and are returned by the customer to the company or a processor under contract with the company. If your agreement with the processor allows it to use the information for marketing, the Act will require you to make the required disclosures.

What is "personal information"?

"Personal information" means information that, when it was disclosed, identified, described or was able to be associated with an individual, including:[5]

  • Name, address
  • Kind of service provided
  • Age or date of birth
  • Kind of product purchased, leased or rented
  • Education
  • Payment history
  • Occupation
  • Creditworthiness, assets, income or liabilities
  • Political party affiliation
  • Real property purchased, leased or rented
  • Telephone number
  • Race and religion
  • Number of children
  • Height and weight
  • Children’s names, gender, age, e-mail or other addresses
  • Bank or investment account, debit or credit card balance
  • Medical condition, drugs, therapies, or medical products or equipment used
  • Social security number, bank account number, credit card number or debit card number
  • E-mail address
 

A customer can request disclosure once a year.

A "customer" who has an "established business relationship"[6] with the business can request disclosure once a year. "Customer" means a California resident who provides personal information to a business in connection with an established business relationship that is primarily personal, family or household in nature.[7] "Established business relationship" means one formed by a voluntary, two-way communication, with or without an exchange of consideration, which is ongoing and not expressly terminated or with regard to a product or service purchased within the prior 18 months.

A customer must be able to request the disclosure by mail or e-mail or, if the business chooses, by toll-free telephone or fax. The business must make customers aware of the available method to request the disclosure.[8]

Disclosure includes at least the name and address of the recipient by type of information shared.

The business must give any requesting customer a written list of (1) all categories/types of personal information the business shared with third parties over the prior calendar year, (2) the names and addresses of the third party recipients with whom each category of information was shared, and (3) the types of products or services each third party markets (if known) if such products or services are not reasonably clear from the third party’s name (collectively, the "Disclosure Information").

A business can prepare a standard form response which sets forth the required Disclosure Information, rather than providing information specific to a particular customer.

Responses to requests for disclosure are due in 30 days.

The business must provide the Disclosure Information in writing or by e-mail in response to a customer request received at the designated address or contact number within 30 days; responses to requests received at any other address or number must be within a reasonable period not to exceed 150 days from receipt. A business need not respond to a customer request more than once during a calendar year.

Does a business have to disclose sharing with affiliated third parties?

If the business discloses information to an affiliated third party which shares the same brand name (and who uses the information for its direct marketing purposes), then it must include in its written disclosure the overall number of affiliated companies that share the same brand name, but the name and addresses of those affiliates do not need to be disclosed by category of information shared. If the information shared with the affiliated third party sharing the same brand name is "sensitive" or includes "sensitive" information[9] along with other information, then the name and address of the affiliate must be disclosed by category of information.

If the business discloses information to an affiliated third party which does not share the same brand name, it must make the same type of disclosure as for an unaffiliated third party.

Who are considered "third parties"?

"Third parties" is defined to mean (1) a business that is a separate legal entity from the disclosing business, (2) a business that has access to a database shared among businesses, if it is authorized to use the database for direct marketing purposes (unless exempt), or (3) a business not affiliated by a common ownership or common corporate control.[10]

Is there a way to avoid having to make the disclosure?

A business may avoid making these disclosures under two circumstances. If it does not disclose personal information to third parties, it does not need to make the disclosure.

Alternatively, if a business provides its customers a cost-free choice in its privacy policy to either opt-in or opt-out of its information-sharing activities, then the business may, in lieu of providing the Disclosure Information on request of a customer, provide the customer with information on how to opt-in or opt-out of sharing and a cost-free means to exercise that right. To avail itself of this alternative, the business must maintain and disclose its policy.

Violations and available remedies

Consumers injured by violations can bring a civil action for damages. Injunctive relief is also available. A consumer can recover a civil penalty of up to $500 per violation; if the violation is willful, intentional or reckless, a consumer can recover a penalty of up to $3,000 per violation. Unless a violation was willful, intentional or reckless, a business can assert as a complete defense that it provided the information alleged to have been untimely, incomplete, or inaccurate to consumers within 90 days after it knows of its failure to correctly provide the information. Recovery of reasonable attorneys’ fees and costs also is available.

Steps to take before January 1, 2005

First, determine what customer personal information has been shared in the past calendar year, or would likely be shared in the future, with any third parties, including affiliates. If no information has been shared, no disclosure is required, although you may want to use the opportunity to communicate with your customer the fact that you do not share information. If the business decides to avoid sharing customer personal information with third parties who will use it for direct marketing purposes and, thereby, avoid the Act’s coverage, the business should ensure that all contracts with such parties prohibit use of customer personal information for direct marketing.

Second, determine the method for complying with the disclosure obligation. If a business has shared personal information and does not meet an exception, it can comply with the Act in either of two ways: Either provide customers with the Disclosure Information in a standard format, or alternatively, provide an opt-in or opt-out choice.

Third, establish or verify the procedure if you elect to comply through an opt-in/opt-out choice. If an opt-in/opt-out option will always be offered, the business should develop cost-free opt-in/opt-out procedures before January 1, 2005, prepare a standardized notification/response (to send to requesting customers) which explains the customer’s ability to exercise such choice without charge, review and revise its privacy policy to reflect the opt-in/opt-out procedures, and establish a database of such opt-ins/opt-outs. In either case, the business will have to respond to a customer’s request – either with the disclosure or the opt-in/opt-out procedure.

Fourth, if complying by providing Disclosure Information, a business should implement the following compliance procedures by January 1, 2005:

  • Designate addresses or contact numbers (e.g., a mailing or e-mail address, toll-free telephone or fax number) at which it will receive customer requests for Disclosure Information.
  • Set up a process to make customers aware of how to request Disclosure Information and establish systems to respond quickly (within 30 days) to customer requests for Disclosure Information.
  • Develop a standardized response form to provide the Disclosure Information for the prior calendar year.
  • Review company privacy policies to ensure that they disclose relevant information and allow the business flexibility for any desired information sharing and/or marketing.
  • Review provisions in third-party contracts to make them consistent with the business’ practices (including the ability for the business to make the disclosures required by the Act) and to appropriately limit a third party’s use of customer personal information.
  • Establish a method of keeping track of the categories of personal information shared and the third parties with whom personal information is shared (e.g., build a database for sharing taking place in 2005 in order to capture such data for disclosure in 2006).

Footnotes

1. Cal. Civ. Code § 1798.80(a).

2. Cal. Civ. Code § 1798.83(c)(1).

3. Cal. Fin. Code § 4050 et seq.

4. Cal. Civ. Code § 1798.83(e)(2).

5. Cal. Civ. Code § 1798.83(e)(7).

6. Cal. Civ. Code § 1798.83(e)(5).

7. Cal. Civ. Code § 1798.83(e)(1).

8. A business can do this by: (1) notifying all agents and managers of the designated addresses and numbers for customers to use in making a request for information; (2) adding to its website home page a link (which is subject to style and size specifications) to "Your Privacy Rights" which links either to a page explaining the customer’s rights under the Act or to the privacy policy, which shall also explain the customer’s rights under the Act and provide the contact information; or (3) making the addresses and contact numbers available at every place of business in California where the business has regular contact with customers.

9. The following categories of personal information are considered "sensitive" for such purposes: telephone number; race and religion; number of children; height and weight; children’s names, gender, age, e-mail or other addresses; bank or investment account, debit or credit card balance; medical condition, drugs, therapies, or medical products or equipment used; and social security number, bank account number, credit card number or debit card number.

10. Cal. Civ. Code § 1798.83(e)(8).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
