Shine the Light Privacy Law Compliance: Guide to Stop Lawsuits for Legal, Privacy, and Marketing Teams

California has a well-earned reputation for leading the United States on consumer privacy. Most privacy professionals are thoroughly versed in the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA). Fewer maintain the same depth of familiarity with the statute that preceded both: California Civil Code Section 1798.83, known as the Shine the Light law.

That gap in attention is increasingly difficult to justify. Shine the Light litigation has accelerated in recent years, plaintiff-side firms have become adept at identifying non-compliant disclosure mechanisms, and the statute’s requirements sit squarely at the intersection of three organisational functions — legal, privacy, and marketing — that do not always communicate effectively with one another. Organisations that treat Shine the Light as a historical footnote to the CCPA do so at their own litigation risk.

This article provides a complete account of what the Shine the Light law requires, how courts have interpreted and enforced it, where litigation exposure currently concentrates, and what legal, privacy, and marketing teams must do to achieve and maintain genuine compliance.

What Is the Shine the Light Law?

California Civil Code Section 1798.83 was enacted in 2003 and took effect on 1 January 2005 — more than a decade before the CCPA. Its animating concern was specific: the practice of businesses sharing California consumers’ personal information with third parties for those third parties’ direct marketing purposes, without consumers having any visibility into or control over that sharing.

The law’s name reflects its operative mechanism. It does not prohibit the sharing of personal data for direct marketing purposes. Instead, it requires transparency — it shines a light on data sharing practices that would otherwise be invisible to consumers — and gives consumers the right to act on what they learn.

Who Must Comply

The Shine the Light law applies to businesses that:

  • Have an established business relationship with a California resident; and
  • Have, within the preceding calendar year, disclosed personal information about that consumer to third parties for those third parties’ direct marketing purposes.

The statute does not impose a revenue threshold or employee count minimum. Unlike the CCPA, which applies only to businesses meeting specific size and data processing thresholds, Shine the Light’s scope is determined solely by the nature of the business relationship and the data sharing conduct. Any business with California customers that shares personal data for third-party direct marketing is potentially subject to its requirements.

What Counts as Personal Information Under Shine the Light

The categories of personal information covered by Shine the Light are broader than many compliance teams appreciate. The statute defines covered information to include: name, address, email address, age or date of birth, names or usernames, telephone number, social security number, physical description, account number, medical information, health insurance information, education level, profession, employment history, financial information, credit scores, marital status, and any other information that is collected from the customer in connection with a product or service transaction.

Critically, “personal information” under Shine the Light is not limited to sensitive categories. It encompasses the kind of routine customer profile data — name, email, purchase history context — that marketing platforms exchange as a matter of course.

What “Direct Marketing Purposes” Means

The statute’s application turns significantly on whether data is shared for “direct marketing purposes.” California courts and the California Attorney General have interpreted this phrase to cover the use of personal information to solicit purchases of goods or services directly to consumers. This encompasses traditional mailing list sharing, co-registration data arrangements, and the provision of customer data to advertising partners who use it to target consumers with commercial messages.

Whether programmatic advertising data flows, pixel-based audience sharing, and data clean room arrangements constitute sharing “for direct marketing purposes” within the statute’s meaning has been a live question in litigation. The direction of judicial interpretation has generally been toward inclusion rather than exclusion where the ultimate purpose of the data transfer is consumer-targeted commercial solicitation.

What the Law Actually Requires

Shine the Light creates two distinct compliance pathways, and the choice between them is the first decision a covered business must make.

Option One: Honour Individual Consumer Requests

Under the first pathway, a business must designate a mechanism through which California customers can submit requests to learn:

  • The categories of personal information the business shared with third parties for direct marketing purposes during the preceding calendar year; and
  • The names and addresses of all third parties that received personal information, along with the categories of information shared with each.

A business that receives a valid Shine the Light request must respond within thirty days. The response must specifically identify the categories of information disclosed and the identity of each recipient. A vague or generic response does not satisfy the statute.

The business must also designate a contact point for these requests — a mailing address, email address, or toll-free telephone number — and must make that contact point reasonably accessible to consumers. Burying a Shine the Light contact mechanism in a privacy policy in a way that makes it practically inaccessible does not constitute adequate disclosure.

Option Two: Adopt a Broader Opt-Out and Disclosure Policy

Under the second pathway, a business may satisfy Shine the Light by adopting and disclosing a policy that gives all California customers the right to opt out of the sharing of their personal information with third parties for direct marketing purposes, provided that the business:

  • Clearly discloses the opt-out right in its privacy policy or in a separate notice to California customers;
  • Provides a cost-free mechanism for exercising the opt-out; and
  • Either honours opt-out requests or, if the customer opts out, refrains from sharing that customer’s personal information for direct marketing purposes.

This pathway is operationally more demanding in one respect — it requires the business to actually honour opt-out requests on a going-forward basis — but it may be preferable for businesses that want a single consistent policy across their customer base rather than a reactive request-and-respond mechanism.

The Privacy Policy Disclosure Requirement

Regardless of which compliance pathway a business selects, the Shine the Light law requires the business to disclose its chosen compliance mechanism in its privacy policy. That disclosure must describe the pathway the business has adopted and provide the contact information or opt-out mechanism that consumers need to exercise their rights.

Privacy policies that acknowledge CCPA rights in detail while omitting any reference to Shine the Light compliance mechanisms are, by definition, deficient under the statute — and that deficiency is precisely the kind of gap that plaintiff-side litigation firms are trained to identify.

The Litigation Landscape: How Shine the Light Cases Are Filed and Won

Shine the Light litigation has a distinct character compared to CCPA enforcement actions. Understanding that character is essential for in-house counsel assessing their organisation’s exposure.

The Private Right of Action

Unlike many US privacy statutes that rely solely on regulatory enforcement, Shine the Light provides a private right of action. California consumers may sue directly for violations of the statute. Statutory damages under Section 1798.84 range from $100 to $500 per violation, with an enhanced ceiling of $500 to $3,000 per violation where the court finds that the violation was wilful, intentional, or reckless.

In isolation, these per-violation figures appear modest. In the context of a class action involving millions of California customers and systematic non-compliance across a multi-year period, they are not modest at all. The arithmetic of Shine the Light class litigation has driven several significant settlements, and the plaintiff-side bar has become increasingly sophisticated in structuring claims to maximise the statutory damages calculation.

What Plaintiffs Typically Allege

Shine the Light class actions tend to cluster around a limited set of recurring deficiencies:

No Shine the Light disclosure in the privacy policy. The most common basis for a Shine the Light claim is the simplest: the defendant’s privacy policy makes no reference to the statute, provides no contact mechanism for Shine the Light requests, and discloses no opt-out right for direct marketing data sharing. This deficiency is straightforward to allege, straightforward to document, and does not require the plaintiff to prove that any specific data sharing occurred — only that the required disclosure mechanism is absent.

Inadequate or inaccessible disclosure. A business may include a Shine the Light reference in its privacy policy but structure it in a way that renders it practically inaccessible — through obscure placement, inadequate description of the contact mechanism, or language that fails to clearly communicate the consumer’s rights. Courts have found that technical compliance that defeats the statute’s transparency purpose does not satisfy the law.

Failure to respond adequately to requests. Where a consumer submits a valid Shine the Light request and the business either fails to respond within thirty days, responds with a generic non-answer, or declines to identify the specific third-party recipients and data categories, the failure to respond constitutes a separate violation basis.

Mismatch between policy and practice. Businesses that disclose an opt-out right under the second pathway but continue to share opted-out consumers’ data with third-party marketing partners face claims that go beyond mere disclosure deficiency — they involve affirmative misrepresentation and operational non-compliance simultaneously.

Notable Litigation Patterns and Settlements

Shine the Light litigation has targeted a wide range of industries, with particular concentration in sectors that historically relied heavily on customer list sharing and co-registration marketing arrangements: retail, financial services, subscription media, insurance, and e-commerce.

Several structural patterns recur across filed cases and settlements:

Plaintiff-side firms frequently file Shine the Light claims alongside CCPA claims, creating multi-statute privacy class actions that compound settlement pressure. The combination is strategically effective because CCPA claims may require proof of a data breach or other qualifying event, while Shine the Light claims require only proof of a disclosure deficiency — meaning that even where CCPA claims are vulnerable to early dismissal, Shine the Light claims may survive.

Defendants that attempt to moot Shine the Light claims by updating their privacy policies after the lawsuit is filed face the argument that the update does not extinguish liability for the period of non-compliance that preceded it. Past violations are not remedied by prospective policy changes.

Courts have been receptive to class certification in Shine the Light cases where the alleged deficiency is systemic — a missing or inadequate privacy policy disclosure that affected all California consumers equally — rather than requiring individualised proof of harm. This makes the statute particularly well-suited to class treatment.

Settlement values in Shine the Light cases have ranged from six figures for smaller defendants to multi-million dollar resolutions for large consumer-facing businesses with substantial California customer bases. The reputational dimension of a Shine the Light class action — which involves public disclosure of a business’s data sharing practices as part of the litigation record — provides additional settlement incentive independent of the monetary exposure.

The Relationship Between Shine the Light and the CCPA/CPRA

One of the most persistent sources of compliance confusion is the assumption that CCPA compliance subsumes Shine the Light compliance. It does not, and the distinction matters operationally.

The CCPA and CPRA create a right to opt out of the “sale” or “sharing” of personal information, which encompasses many of the same data flows that Shine the Light addresses. However, the two statutes operate differently in several important respects:

Scope of covered businesses differs. The CCPA applies to businesses meeting specific revenue, data volume, or data selling thresholds. Shine the Light applies to any business with a California customer relationship that shares personal information for direct marketing — no threshold required.

The disclosure mechanism requirements differ. CCPA’s “Do Not Sell or Share My Personal Information” link and opt-out mechanism do not automatically satisfy Shine the Light’s requirement to designate a contact point for Shine the Light requests or to adopt and disclose a compliant opt-out policy under the statute’s own framework. A business with a fully CCPA-compliant privacy infrastructure may still be non-compliant under Shine the Light if its privacy policy does not separately address the statute.

Damages mechanisms differ. The CCPA’s private right of action is limited to data breach scenarios. Shine the Light’s private right of action is available for any violation of the statute’s disclosure and response requirements, without any breach requirement.

The practical consequence is that Shine the Light compliance must be assessed and maintained as a distinct obligation, even for organisations that have invested heavily in CCPA compliance infrastructure.

Shine the Light Compliance Requirements for Legal, Privacy, and Marketing Teams

Genuine Shine the Light privacy law compliance is not achieved through a single policy update. It requires sustained coordination across three organisational functions that historically operate with limited integration.

For In-House Legal and Privacy Teams

Conduct a Shine the Light-specific privacy policy audit. Review your current privacy policy against the statute’s disclosure requirements. Confirm that the policy: identifies your chosen compliance pathway (request-and-respond or opt-out policy); provides a clearly accessible contact mechanism or opt-out right; uses language sufficient to communicate the consumer’s rights under the statute; and addresses Shine the Light separately from CCPA disclosures rather than relying on CCPA language to cover Shine the Light obligations implicitly.

Map your direct marketing data sharing practices. Identify every third party to whom your organisation discloses California consumer personal information for direct marketing purposes. This mapping should cover contractual data sharing arrangements, co-marketing partnerships, affiliate data transfers, and any programmatic or platform-based data flows that result in third parties using your customer data for targeted commercial solicitation. The map must be accurate, current, and maintained as marketing relationships evolve.

Establish a Shine the Light request intake and response process. Designate a responsible team and a defined workflow for receiving, validating, and responding to Shine the Light requests within the statutory thirty-day window. Requests submitted in good faith — identifying the consumer and indicating the desire for Shine the Light information — must be treated as valid regardless of the channel through which they arrive. Document all requests and responses.

Assess litigation exposure for the prior calendar year. Given the statute’s focus on sharing that occurred “within the preceding calendar year,” organisations that have not previously maintained Shine the Light-compliant disclosure mechanisms should assess their exposure for the period of non-compliance and obtain legal advice on remediation strategy.

For Marketing and Ad-Tech Teams

Review all third-party data sharing arrangements against the Shine the Light definition. Marketing teams frequently enter data partnerships, co-registration arrangements, and platform data sharing agreements without legal review of whether the resulting data flows constitute sharing for “direct marketing purposes” under California law. Every arrangement in which customer personal information is provided to a third party that will use it to solicit purchases from California consumers should be reviewed against the statute’s requirements.

Audit your consent and opt-out infrastructure. Where your organisation has adopted the opt-out pathway under Shine the Light, confirm that the opt-out mechanism functions as disclosed, that opt-out signals are operationally honoured across all relevant data sharing systems, and that new marketing partnerships are assessed for Shine the Light compliance before launch rather than after.

Treat privacy policy updates as a marketing operations dependency. When new third-party data sharing arrangements are established or existing ones are modified, the legal and privacy teams must be informed so that Shine the Light disclosures can be updated accordingly. A privacy policy that accurately described data sharing practices twelve months ago but does not reflect current arrangements is a live compliance deficiency.

Document the purpose of every data transfer. The Shine the Light analysis turns on whether data is shared “for direct marketing purposes.” Where data transfers serve multiple purposes — risk analysis, fraud prevention, and marketing — documenting the purpose allocation at the point of transfer creates a record that can support a defence if the transfer is later challenged.

Shine the Light Privacy Lawsuits

The Shine the Light law is not an anachronism. It is an active, litigated statute with a private right of action, a growing plaintiff-side litigation industry, and compliance requirements that are distinct from — and not subsumed by — the CCPA and CPRA frameworks that have consumed most of the privacy profession’s attention in recent years.

For in-house counsel, the statute represents a litigation exposure that can be substantially mitigated through targeted compliance investment. For privacy professionals, it represents a discrete set of disclosure and process requirements that belong in every California privacy compliance programme. For marketing and ad-tech teams, it represents a legal constraint on data sharing practices that must be factored into the architecture of every third-party marketing relationship.

Shine the Light privacy law compliance is neither technically complex nor operationally prohibitive. What it requires is deliberate attention — a specific audit, a specific policy disclosure, a specific request intake process, and a genuine mapping of direct marketing data flows. Organisations that provide that attention will find the statute straightforward to satisfy. Those that continue to treat it as a secondary concern behind the CCPA will find that plaintiff-side counsel are more than willing to bring it to their attention in court.
