Consumer Privacy Policies

May 16, 2018


As was mentioned in my previous blog, consumer intelligence and big data are hot commodities. And while thieves are regularly breaching company walls to steal electronic information, businesses are also taking advantage of the lucrative opportunity of sharing and selling consumer data. And in an extremely competitive environment, it is understandable that a business would do so, particularly considering it is perfectly legal.

It was almost as if California foretold this reality: 2003 was a very good year for consumer data protection. That year, the “Shine-the-Light” law was enacted to require businesses to notify consumers how consumer information is shared with third party direct marketers.

More relevant today than in 2003, when it was passed, is the California Online Privacy Protection Act. This series of laws was directed at online retailers, who necessarily collect more information about consumers than do most brick-and-mortar businesses.

These consumer protection laws arose out of concern about how businesses were using consumer data unbeknownst to the consumer. In the 15 years that have elapsed since their inception, these laws have become commonplace, which, unfortunately, can lead to complacency. That is precisely why I am going to provide a refresher.


If a business has an existing business relationship with a consumer and in the previous year disclosed consumer information to a third party for marketing purposes, the business must disclose to the consumer, on request, the business to which the information was disclosed and the type of information that was disclosed. Disclosure is made by way of a sharing disclosure statement.

If a business's privacy policy gives the consumer the option to choose whether to permit disclosure to third party direct marketers, the business does not have to provide the information sharing disclosure statement. The business only needs to inform the requesting consumer of the right of consumers to prohibit disclosure.

Businesses must also designate contact points from which the consumer can request an information sharing disclosure statement. Contact information for contact points must be made available to consumers. If the business has an online presence, this is most easily accomplished by a privacy policy that includes information on requesting an information sharing disclosure statement from the contact point.

Any business with 20 or more employees that shares consumer information with third party marketers is advised to adhere to the requirements outlined in Shine-the-Light. A consumer who isn’t afforded the rights enumerated in Shine-the-Light may be entitled to attorneys’ fees as well as civil penalties up to $3,000.00.

California Online Privacy Protection Act

When a commercial website or online service collects personally identifiable information from consumers, it must conspicuously post its privacy policy online. The privacy policy must generally contain the following information:

  1. Categories of information collected

  2. Process the business has in place for consumers to view and change collected information

  3. How the privacy policy changes

  4. How the business responds to browser restrictions on the sharing of information about the consumer

  5. Whether other parties collect personally identifiable information

  6. Policy effective date

Unfortunately for consumers, the Act does not provide penalties for non-compliance. However, businesses are not off the hook for violations. The California Attorney General maintains a Privacy Enforcement & Protection Unit responsible for enforcing state and federal privacy laws. In one such action, the Privacy Enforcement & Protection Unit engaged mobile application developers that did not provide proper privacy notices. Under threat of fine, developers were given 30 days to remediate the deficiency. This doesn’t necessarily provide relief for the consumer, but it does help enforce compliance which in the end is the purpose of the Act.

While it is unlikely that a single violation will attract the interest of the attorney general, businesses should always consider the goodwill engendered with consumers by being open and compliant. Privacy will continue to be at the forefront of consumer concerns, and businesses that fail to recognize this will suffer. Don’t let your business’s reputation be that of one that fails to take consumer privacy seriously.