Overlooked and Enforceable: The Return of California “Shine the Light” Claims

Many businesses assume their California privacy exposure is addressed through compliance with the California Consumer Privacy Act (CCPA). That assumption can create blind spots.

We are seeing an increase in inquiries and pre-litigation letters invoking California’s “Shine the Light” law, Cal. Civ. Code § 1798.83, including letters sent to our own clients. While these requests may look routine, mishandling them can create statutory exposure and unnecessary litigation risk.

What Shine the Light Requires

Shine the Light focuses on a specific issue: whether a business shares a customer’s personal information with unaffiliated third parties so those third parties can market their own products or services directly to the customer. The statute only creates an obligation when both of the following occur:

• The business shared personal information for third-party direct marketing; and

• A customer submitted a request.

If triggered, the business may have to provide the names and addresses of the third parties that received the information and the categories of information disclosed. Courts have confirmed that both elements must exist before any obligation arises, and the statute provides a 30-day period to respond.

When You Don’t Have to Respond (Opt-In/Opt-Out)

The statute does not apply if the business provides customers with a meaningful opportunity to opt in to or opt out of third-party marketing disclosures. Many companies rely on CCPA-style opt-out mechanisms, but that alignment should be analyzed rather than assumed. CCPA compliance does not automatically satisfy Shine the Light; it is a separate law with its own requirements.

Why Businesses Are Getting These Letters

Recent demand letters suggest the statute is being used as a pre-litigation tool. A company that fails to recognize a Shine the Light request or respond within the statutory window may face avoidable claims.

These inquiries should be directed to legal counsel to determine whether the statute applies, whether an exemption is available, and whether a response is required.

Steps Companies Should Take Now

Businesses should assess whether they provide personal information to unaffiliated third parties for the third parties’ own marketing campaigns, including marketing by mail, email, or telephone. If so, they should confirm they maintain a compliant opt-in or opt-out mechanism and a clear process for handling requests.

Shine the Light is narrower than the CCPA, but it remains enforceable and increasingly invoked. Because it is often overlooked, it can create exposure even for companies that believe they are already fully compliant with California privacy law.