Lauren Thomas (1,3), Chris Hoofnagle, JD (2), Ashkan Soltani, MIMS (2)


Upload: malory

Post on 11-Feb-2016


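[Figure: pie chart, "Company Responses N=112". Legend: Sharing, Opt Out, No Response, No Sharing. Slice values as extracted: 5%, 6%, 50%, 30%, 8%.]

[Figure: pie chart, "Policies at Companies that Responded N=56". Legend: Sharing, Opt Out, Other, No Sharing. Slice values as extracted: 11%, 13%, 16%, 61%.]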

Lauren Thomas (1,3), Chris Hoofnagle, JD (2), Ashkan Soltani, MIMS (2)

(1) Louisiana State University; (2) University of California, Berkeley; (3) SUPERB-TRUST REU

Exploring Privacy Through California’s “Shine the Light” Law

INTRODUCTION

Do your favorite stores sell your personal information to other businesses?

Californians now have the right to ask companies to disclose how they sell personal information to third parties, or require those companies to stop selling the information. In this study, we employed SB 27, California’s “Shine the Light” law, to test whether companies are sharing information with third parties, and how they complied with the law.

It has been shown that 43% of consumers do not trust companies not to share their personal information [3]. A study in 2004 by the Ponemon Institute explored SB 27 and 32 companies and found that a majority of the businesses limited their third-party information sharing [9]. There was also a similar study at the University of California, Berkeley in 2007 [10]. At that time, most of the companies did not share personal information. This current study will explore how companies respond to SB 27 and assist companies in developing more effective responses to privacy inquiries.

METHODS

Compiled list of 112 companies

Searched companies’ privacy policy

Assigned categories to each company

• Bricks and mortar
• New Economy
• Hybrid

Recorded how contact information was collected

• Privacy policy page
• “Your California Privacy Rights”
• General Customer Service Page
• Web page regarding legal information
• Emailing customer service

Request letters were mailed June 18, 2009

[Figure: bar chart, "How Company Contact Information Was Obtained". Categories: "Your California Privacy Rights" page, Privacy Policy Page, Web Page for Legal Matters, General Customer Service Page, Other. Axis: Number of Companies, 0 to 80.]

[Figure: flowchart. Nodes: Found “Your California Privacy Rights” Link; NO “Your California Privacy Rights” Link; Opt-Out Option; NO Opt-Out Option; Company removed from study.]

RESULTS

PetSmart provided an optimal response—the letter clearly states the company’s policy.

Other companies provided less optimal responses. For instance, Victoria’s Secret allows customers to opt out of information sharing. But to effectuate this privacy-enhancing choice, one needs to give the company all of their addresses.

CONCLUSION

This study shows how companies respond to California’s SB 27 “Shine the Light” law. Four years after the law was implemented, we see that most companies (among those that responded to the request) do not share consumers’ personal information with third parties for their direct marketing purposes. It is unlikely that the sharing practices of companies such as Walt Disney, which shares personal information with 29 other companies, are consonant with consumers’ expectations. These results will inform consumers and policymakers about how companies comply with statutory privacy laws.

ACKNOWLEDGEMENTS

I would like to thank SUPERB-TRUST for giving me this wonderful opportunity. I would also like to thank Shannon Canty, Quentin Mayo, Chris Hoofnagle, and Ashkan Soltani for assisting me with this project.

DISCUSSION

Of the 112 companies we queried, 56 never replied to the request, 34 stated that they do not share information with third parties, 7 offered methods for consumers to opt out, and 6 disclosed information sharing. 30 companies replied within 14 days, which is consistent with the 30 days the law gives for responses to the request. 50% of the companies did not respond. Most companies that responded complied with SB 27.

Companies that provide opt-out rights place consumers in a difficult situation—in order to protect their privacy, they have to provide personal information beyond their name. For instance, Victoria's Secret requested "all of the addresses that you have provided to Victoria's Secret." Other companies, such as PetSmart, simply replied by informing us of no information sharing.

From this study, we saw a slight change in the percentage of companies that disclosed information sharing and a larger percentage of companies that never responded to the request than in previous studies. There were fewer companies that gave an opt-out option and stated that there was no information sharing. The ‘other’ category had a minimal change from the study conducted in 2007 [10].

REFERENCES

[3] "Dear Marketer, Please Take Me Off Your Lists, Thank You." Opt-Out | Get Off the Lists! 4 Sept. 2001. Center for Democracy and Technology. 20 July 2009 <http://opt-out.cdt.org/>.

[4] "The TRUSTe Advocate." Online Trust, Online Safety & Privacy Services from TRUSTe. 13 July 2009 <http://www.truste.org/about/newsletters/novdec2004.html>.

[9] "EPIC SB 27 Shine the Light Law." Electronic Privacy Information Center. 25 Jan. 2005. 20 July 2009 <http://epic.org/privacy/profiling/sb27.html>.

[10] Hoofnagle, Chris Jay and King, Jennifer. “Consumer Information Sharing: Where the Sun Still Don’t Shine.” 17 December 2007. 18 June 2009. <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1137990>.

Only 6 companies chose to disclose their information sharing practices. Here, Walt Disney explains that they share customer data with 29 companies.