Companies that disclose consumers’ personal information to third parties for use in direct marketing should prepare for the new obligations imposed by California’s direct marketing disclosure statute, which takes effect January 1, 2005.1 This statute requires a covered company to provide individual California customers, upon request, with certain information about such disclosures. It also requires companies to notify these customers of their ability to request this information, and to provide a means of submitting requests. Consistent with other broad-reaching California privacy legislation, this statute is not limited to companies located in California, but purports to cover any company that has established a business relationship with California residents. Companies that disclose or have disclosed customers’ personal information to third-party direct marketers during 2004 should evaluate their obligations under this statute, and will need to act quickly to develop the necessary notification and request-processing procedures by January 1st.

Key Facts You Should Know About California Civil Code Section 1798.83

1. When a Company Becomes Subject to Civil Code Section 1798.83

A company may be subject to California Civil Code Section 1798.83 if it has disclosed one of various categories of "personal information" to "third parties" during the prior calendar year, and if it knows or reasonably should know that these third parties used the personal information for their own direct marketing purposes.2 For purposes of this statute, "personal information" is any information that identifies, describes or can be associated with an individual, and includes categories ranging from name, address, or e-mail address to products purchased, medicines used, and payment history.3

Any recipient of the personal information that is a separate legal entity from the disclosing company is considered a "third party" under this statute.4 Thus, the statute purports to cover disclosures to affiliates if they are separate legal entities. Where affiliates share the same brand name, however, the requirements of the statute are somewhat reduced. Additionally, the statute excludes specific types of business-related disclosures to third parties, such as disclosures to vendors used for data administration, marketing, and customer service, as long as those third parties do not disclose or use the information for their own direct marketing purposes.

2. Which Customers are Entitled to Request Information Under the Statute

The statute requires a company to respond to requests by a "customer," defined as a resident of California who provides personal information to the company pursuant to an established business relationship for personal, family or household purposes.5 While the statute only applies to requests for information by California residents, it is not by its terms limited to business relationships that occur only or entirely in California. Thus, it would apply to any mail order, internet or telephonic business relationship with a California resident, and potentially to business relationships that take place entirely outside of California. A company is required to respond to a customer’s request for information under this statute only one time per calendar year.

3. What Type of Disclosure Document Must Be Prepared

If a company is subject to this statute, it must be prepared to provide two types of information upon request: (a) a list of the categories of "personal information" disclosed to third parties for the third parties’ direct marketing purposes during the prior calendar year,6 and (b) the names and addresses of those third parties. If the nature of a third party’s business cannot be determined from its name, the company also should provide examples of the third party’s products or services.

Significantly, the statute does not require companies to provide an individualized response identifying the types of personal information disclosed regarding the particular customer making the request. Instead, companies can provide standardized information covering all disclosures of customers’ personal information during the prior year.7

The response to the customer request for information on third party disclosure must be provided within 30 days if the request is sent to the designated address or numbers, or within a maximum of 150 days if the request is made in some other fashion.

4. What Steps Must Be Taken to Notify California Customers of Their Ability to Request This Disclosure

Any company covered by this statute must designate a mailing or email address or provide a toll-free telephone or facsimile number for customers to use in submitting requests for information under this statute. In addition, the company must implement at least one of the three notification options provided under the statute.8 The first option involves notifying the supervisors of employees who have regular customer contact about the designated address or toll-free number, and instructing them that this information should be provided in response to customer inquiries about the company’s privacy practices. The second option involves modifying the company’s online privacy policy to describe the customer’s rights under this statute and provide the designated address or toll-free number. The third approach involves making the designated address or toll-free number available upon request at every place of business in California where the company regularly has contact with customers.

The statute encourages companies to choose the option of providing this information in their online privacy policies, by allowing companies that follow this approach to disregard requests that are not submitted to the company’s designated address or toll-free number.9 Otherwise, a company must respond to a request that is received at a different address or number, although the normal thirty-day period for the response may be extended up to a maximum of 150 days in those circumstances.

Practical Advice to Prepare for California Civil Code Section 1798.83

  • Obtain legal advice regarding your company’s obligations under this statute.
  • Begin developing procedures to comply with Civil Code Section 1798.83 without delay, as the law goes into effect on January 1, 2005.
  • Designate an address or toll-free number for California customers to use in requesting information under this statute.
  • Prepare a disclosure sheet containing the information required by the statute, covering calendar year 2004.
  • Select at least one of the three options for notifying California customers of their ability to request information under this statute. We generally recommend covering this statute in the online privacy policy, as this would allow the company to respond to only those requests that are received at the designated address or toll-free number.
  • Create procedures for receiving, processing, and responding to requests for information within the 30 day period.

Concluding Thoughts on California Civil Code Section 1798.83

While California’s direct marketing disclosure statute does not regulate or restrict the disclosure of personal information, it imposes significant new obligations on companies that do share personal information with affiliates or other third parties. Accordingly, all companies covered by the statute should take steps to review and to ensure compliance with Civil Code Section 1798.83 before it becomes effective on January 1, 2005.

Footnotes

1: Morrison & Foerster alerted its clients about this new statute, then known as Senate Bill 27, in its January 23, 2004 article, "New California Privacy Laws Taking Effect in the New Year."

2: The term "direct marketing purposes" is defined as the use of personal information to directly solicit or induce individuals to purchase, rent, sell, or exchange products, property, or services for their personal, family, or household purposes. Cal. Civ. Code §1798.83(e)(2). Selling, renting, exchanging, or leasing personal information to businesses in exchange for consideration is considered a "direct marketing purpose." Id.

3: Cal. Civ. Code §1798.83(e)(7).

4: The term "third party" refers to one or more of the following: (1) a business that is a separate legal entity from the business that has an established business relationship with a customer, (2) a business authorized to access for its own direct marketing purposes a database shared among businesses, or (3) a business not affiliated by a common ownership or common corporate control.

5: Cal. Civ. Code §1798.83(e)(1).

6: The following categories of "personal information" would need to be identified: name and address; electronic mail address; age or date of birth; names of children; electronic mail or other addresses of children; number of children; age or gender of children; height; weight; race; religion; occupation; telephone number; education; political party affiliation; medical condition; drugs, therapies, or medical products or equipment used; the type of product the customer purchased, leased, or rented; real property purchased, leased, or rented; the type of service provided; Social Security number; bank account number; credit card number; debit card number; bank or investment account, debit card, or credit card balance; payment history; and information pertaining to the customer’s creditworthiness, assets, income, or liabilities. Cal. Civ. Code §§1798.83(a), 1798.83(e)(6)(A).

7: Cal. Civ. Code §1798.83(b)(2)("A business that is required to comply with this section is not obligated to provide information associated with specific individuals and may provide the information requested by this section in standardized form.")

8: See Cal. Civ. Code §1798.83(b)(1).

9: Cal. Civ. Code §1798.83(b)(1)(B).

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved