Still in the Dark
California Consumers' Search for Answers About How Companies Share Their Personal Information

Executive Summary

Consumers often have little knowledge of, or control over, how companies with which they do business share their personal information with other businesses. To protect consumers’ privacy, California enacted the cutting-edge “Shine the Light” law in 2003, giving consumers new ways to learn how personal information is shared among businesses, and to opt out of such sharing.

In 2006, CALPIRG Education Fund asked members of CALPIRG to take part in a survey to determine how businesses respond to questions about the sharing of personal information of the kind covered by the “Shine the Light” law. Fifty-two individuals each contacted one company with which they do business and asked for information on how their personal information has been shared with other companies. Under the law, companies that engage in data sharing, and receive such a request, must either disclose the names of companies with which they have shared a consumer’s information or provide the consumer with a cost-free opportunity to opt out of future sharing.

The results of the survey show that, while some California businesses respond quickly and courteously to “Shine the Light” law information requests, many consumers were frustrated in their efforts to find out whether and how their personal information is shared with other businesses. Only about one-third (33 percent) of survey participants reported receiving a response consistent with the terms of the “Shine the Light” law.

More than one-third of consumers reported receiving no response at all to their request for information.

• Of the 52 participants in the survey, 31 (60 percent) received some type of response from the company within 30 days, 20 (38 percent) received no response at all, and one (2 percent) received a response after 30 days.

• Consumers who contacted companies by e-mail were far more likely to receive a response (87 percent response within 30 days), than consumers who contacted companies by regular mail 40 percent response within 30 days).

Of the 31 consumers who received some response from a company, 17 reported receiving a response consistent with the “Shine the Light” law.

• Ten consumers were informed that the company does not share their personal information with others, while six others received a cost-free opportunity to opt out of further information sharing. One consumer received a response on how their information was shared for non-marketing purposes.

• On the other hand, six consumers were instructed that they needed to take additional steps (for example, visit a Web site or call a toll-free number) to receive the information they were seeking, while three others were told they would receive a response later, but did not report ever receiving a response.

Many consumers reported that they were not satisfied with the companies’ response to their requests or faced hurdles in receiving an appropriate response.

• More than one-half of survey participants reported that they were not satisfied by the companies’ response to their request for information.

• While the majority of participants spent less than 15 minutes submitting and following up on their requests for information, five consumers (10 percent) reported spending more than a half-hour and two consumers reported spending more than two hours of their time communicating with the companies.

• Several participants reported having to make multiple attempts to receive an appropriate response to their request. As one consumer put it, “I was disappointed for the run-around … I will continue with this process, but it is frustrating and discouraging to do so.”

The survey demonstrates that, while the Shine the Light law enabled some consumers to find information and take action to preserve their privacy, the law is difficult to use, businesses’ response to the law is inconsistent, and steps should be taken to improve the law.

• Companies that do business with California consumers should be required to respond to privacy requests, regardless of whether they share information with third parties.

• Companies should be required to both disclose the personal information shared, and the third parties with which it is shared, and provide consumers with an opportunity to opt out of future sharing.

• Companies should be required to disclose their information sharing practices on their Web sites.

• Companies should be required to place a box on their Web sites’ privacy pages allowing consumers to opt out of information sharing.