Let the Sunshine In: Failure to Post Contact Information on Website Does Not Violate California’s Shine the Light Law

On December 19, 2013, the California Court of Appeal joined several federal courts in holding that a plaintiff lacked standing to sue under California’s Shine the Light law, Civil Code sections 1798.83 and 1798.84 (the “STL”), when he failed to allege that he made, or attempted to make, a disclosure request under the law.  Importantly, the Court explicitly held that a company’s failure to post its contact information in its privacy policy, by itself, does not constitute a violation of STL.  Also, notably for our fellow privacy law nerds out there, the court held that, in this case, an informational injury is not a cognizable injury under the STL. Plaintiff, like the plaintiffs in similar purported class actions filed throughout the country in late 2011 and early 2012, alleged that the defendant willfully violated the STL by “failing to provide a link on its home page ... titled ‘Your Privacy Rights’; [¶] failing to provide a link on its home page to a separate web page titled ‘Your Privacy Rights’; [¶] failing to provide—on the ‘first page’ of the link from its home page—a description of its ‘customer[s’] rights’ under the Act, including the right to request information about its information sharing practices or the right to opt out of information sharing altogether; and [¶] failing to provide—on the ‘first page’ of the link from its home page—the designated mailing address, email address, telephone number, or facsimile number for customer requests.” He alleged that, as a result, he was “deprived of information that he was statutorily entitled to under the Act, … deprived of a meaningful opportunity to exercise his statutorily-guaranteed right to inquire about and receive a detailed response explaining [the defendant’s] information sharing practices [,] … deprived of a meaningful opportunity to exercise his statutorily-guaranteed right to make informed decisions about his privacy and personal information[,] and … deprived of a meaningful opportunity to exercise his statutorily-guaranteed right to monitor and control the disclosure and use of his personal information.”

On demurrer, the defendant argued, among other things, that “to have standing under the STL (and, derivatively, under the U[nfair] C[ompetition] L[aw]), a customer must either have made, or attempted to make, a disclosure request under section 1798.83, subdivision (a).”  The trial court agreed, and the Court of Appeal affirmed.

To have standing under the STL, a plaintiff must be a “customer” who has been “injured by a violation of this title.” Failure to post contact information on a website – the Court of Appeal held – does not constitute such a violation.  “A failure to post information on a website . . . is a continuing event that cannot readily be quantified, and section 1798.84 does not provide a method for calculating a civil penalty for such a continuing event. Thus, we conclude that a continuing violation of this kind, without more, is not an actionable ‘violation of this title.’”

Organizations should not, however, jump to the conclusion that they no longer need to post anything to their website about STL.  In footnote 4, the Court noted that it “assume[d] that a plaintiff alleging that he or she wished to make a disclosure request but could not do so because the defendant did not make contact information available would also state a claim under the STL.”  This reemphasizes that, if an organization does not add to the home page of its web site a link either to a page titled “Your Privacy Rights” or add the words “Your Privacy Rights” to the home page’s link to the business’s privacy policy and describe on the first page of the link a customer’s rights pursuant to the STL along with the designated contact information,  it must do one of the following:  (1) notify managers who supervise employees who regularly interact with customers of the designated addresses and phone numbers and instruct those employees that customers who inquire shall be informed of the addresses or phone numbers; or (2) make the designated addresses or phone numbers readily available upon request of a customer at every place of business in California where the business or its agents regularly have contact with customers.

Looking to the legislative history, the Court noted that its reading of the STL is supported by the “safe harbor” provision in section 1798.84(d).  That subsection provides a “complete defense” for a business that cures its failure to provide the information, its provision of inaccurate information, or an untimely response to an STL request within 90 days:

Were the failure to disclose contact information also an actionable violation under the statute, it is hard to understand why the subsequent provision of “all the information, or accurate information, to all customers who were provided incomplete or inaccurate information” would be a complete defense—or, indeed, in the absence of a section 1798.83, subdivision (a) request for information, how a company would know to whom to provide this information. ¶Further, to construe "a violation" to include anything other than a company’s failure to provide a timely, complete, and accurate response to disclosure requests would eviscerate the safe harbor intended by section 1798.84, subdivision (d) and invite the very "liability trap" the Legislature sought to avoid. If we interpret the statute as plaintiff suggests, customers could bring suit whether or not they ever tried to contact a business about its privacy policy. Indeed, if the law is interpreted as plaintiff suggests, a customer who made a request for information and received a timely, complete, and accurate response could still sue for a STL violation by challenging the manner in which the company disclosed its contact information on its website.

The Court noted that its rejection of standing in this case is consistent with the recent rulings of federal courts in virtually identical class actions brought under the STL:  Boorstein v. Men’s Journal, 2012 WL 2152815 (C.D. Cal. 2012); Miller v. Hearst, 2012 WL 3205241 (C.D. Cal. 2012); King v. Conde Nast, 2012 WL 3186578 (C.D. Cal. 2012); and Murray v. Time Inc., 2012 WL 3634387 (N.D. Cal. 2012).

For those of us who live and breathe privacy law, the Court’s decision is also highly interesting because it rejected plaintiff’s argument that he suffered a cognizable injury in the form of an “informational injury” because he did not receive information to which he was statutorily entitled.  The Court noted that the plaintiff had “not cited any California cases recognizing ‘informational injury,’” and stated that it was “not aware of any such cases.” The Court did not suggest that there are no circumstances where informational injuries may be cognizable, instead focusing its decision on the STL – “a defendant’s failure to post information on its website in the manner the statute requires, without more, does not give rise to a cause of action.”

Bottom line - the developing STL case law is sending a clear message that a mere failure to post contact information on a website is not enough to violate the STL.  That being said - organizations need to continue to make sure that they have made their STL contact information available in one of the three ways allowed by the STL, and, if they receive an STL request, they must respond to it in the manner and in the timeframe required by the law.

Happy New Year to all!