Updated March 2026 Cal. Civ. Code § 1798.83

California "Shine the Light" Requests

Free tools to triage, classify, and respond to § 1798.83 "consumer records" demands. Built for SaaS companies and in-house counsel.

4 response templates · 7-question interactive analyzer · 13-point checklist · 3 risk tiers mapped
Section 01

Request Analyzer

Answer 7 questions to classify the incoming request and get a recommended response path.

Question 1 of 7: Is the requester a California resident?
  Options: Yes / No / Unknown
Question 2 of 7: What is the requester's relationship to your company?
  Options: Paying customer (personal use) / Paying customer (business use) / Trial or free user / Research participant / Unknown (not found in systems)
Question 3 of 7: Is the relationship primarily for personal, family, or household purposes?
  Options: Yes / No / Unclear
Question 4 of 7: Does your company have 20 or more employees (full-time + part-time)?
  Options: Yes (20 or more) / No (fewer than 20) / Not sure
Question 5 of 7: Was the request sent to your designated privacy contact (the published § 1798.83 address)?
  Options: Yes / No / Not sure
Question 6 of 7: In the preceding calendar year, did your company share any customer personal information with a third party for that third party's own direct marketing?
  Options: Yes / No / Not sure
Question 7 of 7: Does the request explicitly cite § 1798.83 or "Shine the Light"?
  Options: Yes (cites § 1798.83 / Shine the Light) / No / It cites CCPA/CPRA instead / Both

    Section 02

    The Law Explained

    Eight key provisions of Cal. Civ. Code § 1798.83 every SaaS company should understand.

    A. What § 1798.83 Actually Requires

    California Civil Code § 1798.83 is a disclosure statute about list-sharing for direct marketing. It asks one question: did you share a California customer's personal information with third parties for those third parties' own direct marketing purposes during the immediately preceding calendar year?

    If yes, you must report the categories of personal information disclosed and the names/addresses of the third parties. If no, you say so and you are done.

    What It IS

    • A standardized disclosure about list-sharing
    • Categories of PI + third-party names only
    • Prior calendar year lookback
    • One request per customer per year

    What It Is NOT

    • "Send me my file" (not a records-access right)
    • A CPRA/CCPA request (different statute)
    • A demand for SSNs or card numbers
    • A deletion or correction request

    B. Who Can Make a Valid Request

    Requirement                       | Details
    California resident               | The requester must be a California resident.
    "Customer"                        | Relationship must be primarily for personal, family, or household purposes. Most B2B/professional relationships fall outside this definition.
    Established business relationship | Ongoing relationship, or within 18 months of a purchase/transaction if not ongoing.
    One per year                      | A business is not obligated to respond more than once per customer per calendar year.

    Key takeaway: Many form demand letters from plaintiffs' firms skip the threshold analysis entirely. The first thing to check is whether the requester actually qualifies as a statutory "customer."

    C. What Must Be Disclosed

    If you did disclose PI to third parties for their direct marketing, the statute requires:

    1. Categories of personal information disclosed (e.g., name/address, email, telephone, age/DOB, etc.)
    2. Names and addresses of the third parties that received it, plus examples of products/services marketed if not clear from the third party's name.
    Standardized format allowed: The statute expressly permits standardized-format responses and does not require businesses to provide information associated with specific individuals. You do not need to produce an individualized "consumer file."

    D. The 20-Employee Exemption

    Businesses that employ fewer than 20 persons on a full-time or part-time basis are exempt from § 1798.83. This is an absolute exemption — the statute simply does not apply.

    If your company is under 20 employees, you can respond with a single-sentence acknowledgment citing the exemption.

    E. "Direct Marketing Purposes" Defined

    "Direct marketing purposes" means the use of personal information to solicit or induce a purchase, rental, lease, or exchange of products, goods, property, or services directly to individuals by means of mail, telephone, or email for personal, family, or household purposes.

    The definition also includes selling, renting, or exchanging personal information for consideration to other businesses.

    Exclusions: Charitable solicitations, political fundraising/communications, certain single-transaction disclosures, and account transfers are carved out.

    F. Service Provider Carve-Outs

    Disclosures to third parties for processing, storage, or management on the business's behalf are not deemed disclosures for the third party's direct marketing purposes — provided the third party does not use or further disclose the personal information for its own direct marketing.

    Why this matters for SaaS: Your payment processor (Stripe), support platform (Zendesk), email service provider (SendGrid), and analytics tools (Google Analytics) are typically service providers with restricted-use terms. These are not § 1798.83 disclosures.

    G. Alternative Compliance Option

    Instead of producing the category/third-party list, a business may comply by adopting and disclosing a privacy policy that either:

    1. Does not disclose customer PI for third-party direct marketing unless the customer affirmatively opts in, or
    2. Does not disclose if the customer has exercised an opt-out right.

    If using this approach, the business must notify the customer of their right to prevent disclosure and provide a cost-free mechanism to exercise it.

    H. § 1798.83 vs. CPRA/CCPA Comparison

    Feature             | § 1798.83 (Shine the Light)                   | CPRA / CCPA
    Scope               | 3rd-party direct marketing disclosures only   | Broad PI rights (access, delete, correct, opt-out)
    Customer definition | Personal/family/household relationship        | "Consumer" = any CA resident
    Output              | Categories + third-party names (standardized) | Specific pieces of PI, categories, sources, purposes
    Lookback            | Preceding calendar year                       | 12 months before request
    Frequency           | 1 per customer per calendar year              | 2 per consumer per 12 months
    Employee threshold  | 20+ employees                                 | Revenue / data volume thresholds
    Response time       | 30 days (designated) / 150 days (other)       | 45 days (extendable to 90)

    Section 03

    Response Templates

    Select a scenario to generate a ready-to-customize response letter.

    Most Common

    No Qualifying Disclosures

    You did not share customer PI with third parties for their direct marketing. This is the clean, standard response for most SaaS companies.

    Threshold Defense

    Not a Statutory Customer

    The requester's relationship is business/professional, not personal/household, or they are not found in your systems.

    Exemption

    Small Business (<20 Employees)

    Your company employs fewer than 20 full-time and part-time persons combined and is exempt from § 1798.83.

    Rare

    Qualifying Disclosures Exist

    You did disclose customer PI to third parties for their direct marketing. Full statutory disclosure required.
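The analyzer's seven questions can be scripted as a triage function that returns one of the four templates above together with the 30-day or 150-day deadline the FAQ describes. This is an added example, not the page's own analyzer code; the answer tokens, the field names, and the ordering of checks (absolute exemption first, then the customer threshold, then the sharing question) are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Answers:
    """Answers to the seven analyzer questions as short tokens (constructed encoding)."""
    ca_resident: str           # Q1: yes | no | unknown
    relationship: str          # Q2: personal | business | trial | research | unknown
    household_purpose: str     # Q3: yes | no | unclear
    twenty_plus_staff: str     # Q4: yes | no | unsure
    designated_address: str    # Q5: yes | no | unsure
    shared_for_marketing: str  # Q6: yes | no | unsure
    citation: str              # Q7: shine | no | ccpa | both

@dataclass
class Assessment:
    template: Optional[str]    # one of the page's four templates, or None if undetermined
    deadline_days: int
    notes: list = field(default_factory=list)

def triage(a: Answers) -> Assessment:
    """Map the seven answers to a response template and a response deadline."""
    # 30 days if sent to the published § 1798.83 contact, otherwise up to 150 days.
    out = Assessment(None, 30 if a.designated_address == "yes" else 150)
    if a.citation in ("ccpa", "both"):
        out.notes.append("CPRA/CCPA cited: handle that portion on its own 45-day track.")
    # Assumed ordering: the absolute < 20 employee exemption is checked first.
    if a.twenty_plus_staff == "no":
        out.template = "Small Business (<20 Employees)"
        return out
    if a.twenty_plus_staff == "unsure":
        out.notes.append("Document headcount before relying on the < 20 exemption.")
    # Threshold: a California resident in a personal/family/household relationship.
    if a.ca_resident == "no" or a.household_purpose == "no" or a.relationship in ("business", "unknown"):
        out.template = "Not a Statutory Customer"
        return out
    if a.ca_resident == "unknown" or a.household_purpose == "unclear":
        out.notes.append("Residency or purpose unclear: verify before sending.")
    # Substantive question: prior-year sharing for third parties' own direct marketing.
    if a.shared_for_marketing == "yes":
        out.template = "Qualifying Disclosures Exist"
    elif a.shared_for_marketing == "no":
        out.template = "No Qualifying Disclosures"
    else:
        out.notes.append("Finish the vendor/DPA audit (checklist item 06) before choosing a template.")
    return out
```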

    Section 04

    SaaS Risk Map

    Common data flows and whether they create § 1798.83 exposure.

    Payment Processors

    Stripe, Square, Braintree with restricted-use terms. Processing payments on your behalf is not direct marketing.

    Customer Support Platforms

    Zendesk, Intercom, Freshdesk as service providers handling tickets on your behalf.

    Cloud Infrastructure

    AWS, GCP, Azure for hosting and storage. No customer PI used for vendor's own marketing.

    Analytics Tools

    Google Analytics collecting device/usage data. Not disclosing PI for vendor's own direct marketing.

    Email Service Providers

    SendGrid, SES, Postmark sending transactional/marketing emails on your behalf with restricted-use terms.

    CRM with Co-Marketing

    HubSpot, Salesforce with co-marketing features enabled. Review if partner can market to your contacts.

    Integration Partners

    Bidirectional data sharing where the partner accesses your customer data. Check DPA restrictions.

    Referral/Affiliate Programs

    Sharing customer contact info with affiliates. Does the affiliate market to your customers using that data?

    Survey Tools

    Survey platforms that may use respondent data for their own purposes. Check terms carefully.

    Customer List Sales/Rentals

    Selling or renting your customer list to other businesses is the classic § 1798.83 trigger.

    Co-Marketing Arrangements

    Partner markets directly to your customers using data you shared. This is direct marketing disclosure.

    Lead-Sharing Without Restrictions

    Sharing leads with a partner who uses them for their own solicitations without restricted-use agreement.

    Data Broker Relationships

    Providing customer data to data brokers or aggregators who resell or use it for marketing.

    Section 05

    Compliance Checklist

    13 items to audit your § 1798.83 readiness. Progress is saved locally.

    Check items below to track your § 1798.83 compliance posture.

    01 Published "Your California Privacy Rights" link on website home page
    02 Designated email or mailing address for § 1798.83 requests
    03 Privacy policy includes § 1798.83 disclosure language
    04 Internal routing process for incoming privacy requests
    05 Staff training on classifying § 1798.83 vs. CPRA requests
    06 Vendor audit: reviewed DPAs/service provider terms for marketing-use restrictions
    07 No customer PI shared with third parties for their direct marketing (or documented opt-in/opt-out mechanism)
    08 Response templates prepared and reviewed by counsel
    09 30-day response calendar/tickler system in place
    10 Employee headcount documented (for < 20 exemption if applicable)
    11 Authorization/identity verification process for requests received via attorney
    12 Records retention policy for § 1798.83 responses (maintain for 3+ years)
    13 Annual review of data-sharing practices against statutory categories

    Section 06

    Frequently Asked Questions

    What is a "Shine the Light" request under California law?

    Cal. Civ. Code § 1798.83 requires businesses to disclose, upon request, whether they shared a California customer's personal information with third parties for the third parties' direct marketing purposes during the preceding calendar year. If they did, they must identify the categories of information shared and the third parties that received it.

    Does § 1798.83 apply to B2B SaaS companies?

    It depends on whether your users are "customers" with a relationship "primarily for personal, family, or household purposes." Most B2B SaaS relationships are business/professional and fall outside the statute's customer definition. However, if you have consumer-facing users or freemium individual accounts, those may qualify.

    What counts as "direct marketing purposes"?

    Using personal information to solicit or induce purchases of products/services directly to individuals via mail, telephone, or email for personal/family/household purposes. It also includes selling, renting, or exchanging personal information for consideration.

    Do I have to provide a copy of the requester's records?

    No. § 1798.83 requires a standardized disclosure of categories of PI disclosed and names/addresses of third parties. It expressly allows standardized format and does not require businesses to provide information associated with specific individuals.

    What is the deadline to respond?

    30 days if the request is received at your designated privacy contact address. Up to 150 days if received elsewhere. The statute does not require a response to requests sent to non-designated addresses if you have properly published your designated contact.

    Can I ignore requests sent to the wrong email address?

    If you properly designated and published a specific address for § 1798.83 requests (via a "Your California Privacy Rights" home page link), you may have no obligation to respond to requests sent elsewhere. However, responding is generally lower risk than ignoring.

    What if I use vendors like Stripe, HubSpot, Google Analytics, or a support desk?

    Disclosures to service providers for processing, storage, or management on your behalf are generally not deemed disclosures for the third party's direct marketing purposes, provided the vendor does not use or further disclose the data for its own marketing. Review your DPAs/vendor terms.

    What categories of information are covered?

    The statute lists extensive categories including: name/address, email, age/DOB, telephone, education, employment, SSN, bank/credit card numbers, and more. However, the question is only whether you disclosed these categories to third parties for their direct marketing — not whether you collect them.

    How is this different from CCPA/CPRA requests?

    § 1798.83 is narrower: it only asks about third-party direct marketing disclosures. CPRA/CCPA provides broader rights including access to specific pieces of PI, deletion, correction, and opt-out of sale/sharing. Different thresholds, definitions, and timelines apply.

    What is the "alternative compliance" option?

    If your privacy policy adopts and discloses a policy of (a) not disclosing customer PI for third-party direct marketing unless the customer opts in, or (b) not disclosing if the customer opts out, you can comply by notifying the customer of their right to prevent disclosure and providing a cost-free mechanism to exercise it.

    Need help responding to a § 1798.83 request?

    Get a 30-minute consultation with a California-licensed attorney. We'll classify your request, pick the right template, and finalize a response you can send immediately.

    Schedule Consultation
    Consultations start at $135 for 30 minutes