Throughout 2025, we saw a noticeable uptick in requests from California residents invoking their rights under the state’s “Shine the Light” law, Cal. Civ. Code § 1798.83. These requests come from “customers” who claim to have an “established business relationship” with a company and who seek information about whether that company shares personal information for “direct marketing purposes.” While these letters rarely threaten litigation outright, they signal growing customer awareness of privacy rights. Companies doing business in California should be aware of their obligations under the law and have a plan for responding to such requests. As enforcement trends continue to evolve in California and beyond, we invite you to stay informed by subscribing to the WilmerHale Privacy and Cybersecurity Law Blog.
Requirements of the Law
The Shine the Light law applies to for-profit businesses that have at least 20 employees and collect personal information from California residents and share that information with third parties for direct marketing purposes. Cal. Civ. Code § 1798.83(c)(1); Cal. Civ. Code § 1798.83(a)(1). Financial institutions subject to the California Financial Information Privacy Act are exempt. Cal. Civ. Code § 1798.83(h).
Covered businesses must respond within 30 days to Shine the Light requests from customers with whom they have an “established business relationship,” providing certain information about their data sharing practices. Cal. Civ. Code § 1798.83(b)(1)(C). The required disclosures include (1) the categories of personal information the company shared in the previous year and (2) the name and address of any third party that received information for “direct marketing purposes.” Cal. Civ. Code § 1798.83(a).
“Direct marketing purposes” include the use of personal information to solicit or induce a purchase, rental, lease or exchange of goods or services by means of mail, telephone or email for personal, family or household purposes. Cal. Civ. Code § 1798.83(e)(2). If the third party’s business is unclear, the company must explain the types of products or services marketed. Cal. Civ. Code § 1798.83(a)(2).
The statute also requires covered businesses to take certain steps to facilitate customers’ submission of requests. Businesses must provide a clear way for customers to submit Shine the Light requests, such as by mail, email or a toll-free number. Cal. Civ. Code § 1798.83(b)(1). In addition, companies must inform customers of their rights and explain how to make a request under the law. Cal. Civ. Code § 1798.83(b)(1)(B). This information typically appears in a website’s privacy policy.
Any injured customer can bring a private action under the Shine the Light law. Cal. Civ. Code § 1798.84(b). A business’s failure to respond accurately and on time can result in penalties of up to $500 per violation and $3,000 for willful noncompliance, plus attorneys’ fees. Cal. Civ. Code § 1798.84(c); Cal. Civ. Code § 1798.84(g).
In the remainder of this post, we provide an overview of some issues that courts have considered when addressing Shine the Light lawsuits and that may be relevant to companies facing Shine the Light requests.
A Customer Must Have at Least Attempted to Make a Request Before Suing
A Shine the Light plaintiff generally must have either made or attempted to make a request under the statute, or face dismissal of their claims. In Boorstein v. Men’s Journal LLC, 2012 WL 2152815 (C.D. Cal. 2012), for example, the district court dismissed a Shine the Light claim because the plaintiff neither requested disclosures nor claimed that they would have done so if proper contact details were available. Id. at 3. Without those allegations, the court reasoned, the plaintiff had failed to allege a cognizable injury. Id. at 4. Similarly, in Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456 (2013), the California Court of Appeal concluded that to plead injury under the Shine the Light law, the plaintiff must have made or at least attempted a disclosure request. Id. at 464. The court emphasized that injury requires resulting harm, not just a procedural defect in the business’s response.
An “Established Business Relationship” Requires More Than Signing Up for Emails
As noted, the Shine the Light law applies only when a customer has an “established business relationship” with a business. Cal. Civ. Code § 1798.83(e)(5) defines this relationship as a voluntary, two-way communication between a business and a customer, with or without payment, for the purpose of obtaining a product or service. A “customer” is a California resident who provides personal information to a business during the creation or throughout the duration of that relationship. Cal. Civ. Code § 1798.83(e)(1).
That requires more than simply signing up for emails from a defendant. In Gamez v. VF Corp., 2018 WL 6333560 (C.D. Cal. 2018), the plaintiff alleged that they became a customer by providing their name and email address to the defendant. The plaintiff argued that this disclosure created an ongoing relationship because the company sent marketing emails. Id. at 3. The court disagreed. It held that the allegation of sharing contact information did not establish the context or purpose of the interaction. Id. The plaintiff failed to allege facts showing voluntary, two-way communication for the purpose of obtaining a product or service. Id. Without those details, the Shine the Light claim could not survive.
Plaintiffs Must Show Actual, Not Just Potential, Sharing
To plead a viable Shine the Light claim, a plaintiff typically must allege that a business actually—not just potentially—shared their personal information with third parties for direct marketing purposes. It is not enough to allege that a business’s privacy policy permits such sharing. For example, in Gamez v. VF Corp., 2018 WL 6333560 (C.D. Cal. 2018), the plaintiff cited a privacy policy stating that data “may” be shared. The district court dismissed the Shine the Light claim, concluding that conditional language in a privacy policy does not show that any information was actually shared for direct marketing purposes. Likewise, in Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456 (2013), the court held that the Shine the Light law does not impose liability for hypothetical sharing or for failing to post contact details in a privacy policy; it applies only when a business actually shares a customer’s personal information.