Skip to content

How to Stay Out of the Limelight of California’s “Shine the Light” Law

Data_Spreadsheet

California’s "Shine the Light” law (Section 1798.83 of the California Civil Code), enacted on January 1, 2005, regulates how businesses share customers’ personal information with third-parties for direct marketing purposes.

Why should you care about this more than a decade old state-specific provision?

  • It can apply to businesses located outside of California;
  • Non-compliance could result in civil action or large statutory penalties ($500 or $3,000 per violation); and
  • While the law has existed for over 15 years, its relevance remains intact following the passage of recent changes to California’s Consumer Privacy Act (CCPA), which took effect on January 1, 2020. More about the CCPA here.

Below we’ve highlighted some of the requirements of the Shine the Light Law, so you can quickly determine if it’s germane to your practice or your clients.

1. What businesses must comply with the law?

Any business:

  • with 20 or more employees (including both full-time and part-time);
  • that has an ongoing relationship with a California resident primarily for personal, family or household purposes (“customer”); and
  • (a) disclosed identifying information about a customer (name, contact information, physical characteristics, education, etc.) within the past year to third parties and (b) knows or reasonably should know that such party used the personal information for its direct marketing purposes.

2. How does the law define “third party”?


Any business:

  • that’s a separate legal entity from the business that has a relationship with the customer, even if such third party is an affiliate;
  • has access to a database shared amongst businesses under which it is authorized to use for direct marketing purposes, unless such database is considered exempt from being considered a disclosure for direct marketing purposes under the statute; or
  • isn’t affiliated by common ownership or common corporate control with the business required to comply under the law. 

3. How does the law define “direct marketing purposes”?

Under the Shine the Light Law, direct marketing purposes means “the use of personal information to solicit or induce a purchase, rental, lease, or exchange of products, goods, property, or services directly to individuals by means of the mail, telephone, or electronic mail for their personal, family, or household purposes.”

The definition doesn’t include the use of personal information:

  • by bona fide tax exempt charitable or religious organizations to solicit charitable contributions;
  • by religious organizations to solicit charitable contributions;
  • by a third party when the third party receives personal information solely as a consequence of having obtained for consideration permanent ownership of accounts that might contain personal information; or
  • by a third party when the third party receives personal information solely as a consequence of a single transaction where, as a result of the transaction, personal information has to be disclosed in order to effectuate the transaction.”

4. What is required of covered businesses under the law?

Businesses subject to the Shine the Light Law must:

  • obtain opt-in consent from a customer to disclose his or her personal information to third parties for direct marketing purposes;
  • permit customers to opt out of such disclosures; or
  • provide customers the following information within 30 days of a request (limited to one request per year):

Additionally, a business subject to this statute must give a mailing or email address where customers can make such a request.

Notably, the law applies to both information collected online and information collected in-person. However, the foregoing information can be presented to a consumer in a standardized format since the law does not require information to be specific to the individual customer.

Plaintiffs allege in suits against Gilead that TDF drugs have low bioavailability, meaning they are not absorbed easily by the body, which necessitates a higher dosage in order to provide the advertised antiviral effect. It is further argued that even before Gilead began to market and sell its first TDF drug, Viread, in 2001, it was aware that TDF posed a safety risk to patients. Pre-clinical data for TDF revealed that it could cause significant bone and kidney damage.

It is alleged that by the time Stribild was introduced, and despite ten years of cumulative evidence showing that TDF could cause harm to patients’ bones and kidneys, Gilead downplayed the HIV medication’s side effects and merely suggested that prescribing doctors monitor bone mineral density in patients with a history of pathologic fracture or those who were at risk for osteopenia.

A safer alternative to TDF is tenofovir alafenamide (“TAF”), which Gilead has had in development since 2001. TAF is absorbed into the cells that the HIV virus targets, much more effectively than TDF and can therefore be administered at one-tenth the dosage required by TDF medications. At the significantly reduced dose, TAF has been shown to achieve the same, and in some instances higher, concentrations of the active ingredient tenofovir in targeted cells. For example, plaintiffs allege a 25mg dose of TAF achieves the same therapeutic effect as a 300 mg dose of TDF.

According to a press release from the AIDS Healthcare Foundation (“AHF”), Gilead “deliberately and maliciously suppressed from the market its alternate and newer formulation of the drug, TAF, in order to extend the patent life and sale of its existing medications that included TDF.” In keeping with claims of Gilead’s intention to withhold TAF from the American market until it had exhausted proceeds from TDF medications, the suit points out that Gilead did not receive FDA approval for TAF drugs until 2015 with the introduction of Genovya, just three years before the 2018 expiration of the TDF patent. Genovya was followed by Odefsey and Descovy in 2016.

Plaintiffs also argue that Gilead could have unilaterally strengthened the FDA warnings carried by its TDF drugs after initial FDA approval. Increasing evidence that patients with and without preexisting risk factors were experiencing adverse effects with a frequency and severity greater than reported in Gilead’s initial clinical trials, and expanding evidence that all patients were at risk for TDF induced kidney toxicity, should have prompted the company to update its warnings. However, the plaintiffs claim Gilead repeatedly chose financial gains over the health and safety of its patients.

Procedural Status:

Suits against Gilead concerning TDF drugs are currently in the early stages of litigation with the most recent suit against the pharmaceutical giant filed on March 17, 2020, in the Northern District of California. In that suit, which names 149 individual plaintiffs, it is alleged that Gilead intentionally withheld a safer alternative design of its TDF drugs known to be toxic to patients’ kidneys and bones, while failing to adequately warn about the risks, solely in favor of company profits.

The case is: Aaron Calkins et al. v. Gilead Sciences Inc., case number 3:20-cv-01884, in the U.S. District Court for the Northern District of California.