Doing Business in California? What To Know About CIPA and Shine the Light Claims

In recent months, companies operating in California have reported an increase in demand letters requesting damages for alleged violations under new and existing privacy laws. Under current data privacy legislation, companies can expect these claims to continue.

Plaintiffs’ attorneys have relied on two statutes as a basis for their demands, the California Invasion of Privacy Act (“CIPA”) and California Civil Code § 1798.83 (“Shine the Light”).

What is CIPA?

Originally enacted in 1967 to “protect the right of privacy” of California residents, CIPA bans
wiretapping, eavesdropping, or recording private communications. In recent years, plaintiffs’
attorneys have compared real-time consumer-tracking software embedded in companies’ websites to
the type of behavior CIPA prohibits.

In addition to imposing criminal penalties and fines of up to $10,000, the statute allows private
individuals whose personal data has been intercepted by businesses to sue for $5,000 per
violation.

Who does CIPA apply to?

CIPA may apply to:

  • Companies with consumer-facing websites or applications used by a California resident
  • Both companies that use these technologies in their consumer-facing website or
    application and third-party developers

What technologies may leave my company exposed under CIPA?

Potential CIPA liability may apply to a range of real-time consumer tracking technologies that
are a standard part of website or application design, which may include:

  • Website analytics
  • Software developer kits
  • Third-party tracking pixels and software
  • Fingerprinting software
  • Application programming interfaces
  • Conversation intelligence software-as-a-service (SaaS)
  • Cookies and identity profiles

*Notably, CIPA is sensitive to the processes used to collect customers’ information. Likewise,
Shine the Light may not apply to businesses that share information with third parties only for
administrative or customer service purposes. To assess liability under these statutes,
businesses may want to coordinate with third parties to ensure awareness of their own business
practices and awareness of, and compliance with, CIPA.

What is Shine the Light?

Originally enacted in 2003, the Shine the Light law was aimed at increasing customer
awareness of how their personal information may be shared with third parties for direct
marketing purposes. CIPA requires businesses to disclose their information-sharing practices
upon request or allow customers to consent to information sharing.

Failure to comply may result in a civil penalty of $500 per violation, and $3,000 if the violation is
willful, intentional, or reckless.

Who does Shine the Light apply to?

The Shine the Light law may apply to:
1. For-profit companies with 20 or more full or part-time employees,
2. that collect personal information from California residents, and
3. that have shared customer information with third parties for direct marketing purposes
4. within the immediately preceding calendar year.

Direct marketing may include spamming, telemarketing, or mail.

Personal information may include name, address, e-mail address, telephone numbers, date of
birth, medical or financial information, information about children, race, religion, occupation and
education, and information about the transaction.

Best Practices

While these statutes impose distinct obligations, compliance may be addressed through
general practices that reflect their obligations to limit the collection and sharing of personal
information. To work toward compliance, a company may consider:

  • Reviewing your company’s privacy policy to ensure that it accurately informs consumers
    in California of their privacy rights.
  • Clearly communicating your company’s privacy policy to consumers.
  • Ensuring that the consumer consents to the collection and sharing of personal
    information.

For CIPA:

Regarding liability under CIPA, businesses may want to consider:

  • Reviewing your website or application design for features that collect personal
    information of users.
  • Coordinating with third-party providers to ensure their awareness of, and compliance with,
    CIPA risks and requirements.
  • If utilizing real-time tracking technologies, securing a consumer’s affirmative consent to
    data tracking.

For Shine the Light:

There are a couple of avenues that may limit risk under the Shine the Light Law:

  • Ensure that website or application design, physical store, or employees clearly disclose
    consumer data privacy rights.
  • Ensure that website or application design allows consumers to actively and easily consent to personal information sharing.

OR

  • Maintain awareness of sales of customers’ personal information within the preceding
    year.
  • Establish a designated address (email, mail, or toll-free number) that customers may use
    to contact a business and request information about how their personal information is
    used.
  • Be prepared to disclose, within 30 days, the types of information shared and the names
    and contact points for third parties that received or purchased the information within
    the preceding year.

What’s Next?

In the coming years, we may see legislation that responds to the challenges CIPA claims pose
to regular business operations in the digital age.

SB 690 proposes an exception to CIPA liability for companies that use personal data for
commercial purposes. However, this critical amendment is currently stalled.

What we know now:

  • It will not be reconsidered until the 2026 legislative session, currently set to run from
    January 5-August 31, 2026.
  • Legislative history indicates that any exception would only apply to future cases, not
    currently pending claims or claims filed before the amendment is finalized.
  • Unanimous approval in the state senate may reflect policymakers’ concern with applying
    CIPA to commercial data collecting practices.

Ultimately, the amendment’s status is uncertain, but there is reason for companies to be optimistic about an eventual tapering down of CIPA claims. Despite this, businesses should remain cognizant of other regulations aimed specifically at digital data collection.

Credit: Madeline Yuki Gaudlitz