"Shine the Light" Response Letters

Cal. Civ. Code § 1798.83 — Third-Party Direct Marketing Disclosure Requests

What Is a § 1798.83 "Shine the Light" Request?
Core concept: Cal. Civ. Code § 1798.83 is a disclosure statute about list-sharing for direct marketing. It asks one question: did your business share a California customer's personal information with third parties for the third parties' own direct marketing purposes during the immediately preceding calendar year?

If you receive a letter titled "Request for Consumer Records Under Cal. Civ. Code § 1798.83," the sender (often through a plaintiffs' firm) is asking you to disclose:

  • Categories of personal information you disclosed to third parties for their direct marketing
  • Names and addresses of those third parties

That's it. It is not a request for the individual's records, account data, SSN, payment credentials, or a CCPA-style access request.

What § 1798.83 IS

  • Standardized disclosure about list-sharing
  • Categories of PI + third-party names
  • Prior calendar year lookback
  • One request per customer per year
  • Standardized format allowed

What § 1798.83 Is NOT

  • "Send me my file" records-access right
  • A CPRA/CCPA request (different statute)
  • A demand for SSNs or card numbers
  • A deletion, correction, or opt-out request
  • Individualized file production
§ 1798.83 vs. CPRA/CCPA — Quick Comparison
| Feature | § 1798.83 (Shine the Light) | CPRA / CCPA |
|---|---|---|
| Scope | 3rd-party direct marketing disclosures only | Broad PI rights (access, delete, correct, opt-out) |
| Customer definition | Personal/family/household relationship | "Consumer" = any CA resident |
| Output | Categories + third-party names (standardized) | Specific pieces of PI, categories, sources, purposes |
| Lookback | Preceding calendar year | 12 months before request |
| Frequency | 1 per customer per calendar year | 2 per consumer per 12 months |
| Employee threshold | 20+ employees | Revenue / data volume thresholds |
| Response time | 30 days (designated) / 150 days (other) | 45 days (extendable to 90) |

Pattern alert: Many incoming "consumer records" letters from plaintiffs' firms are styled aggressively and list items like SSNs, bank account numbers, and credit card numbers. This is largely a pressure tactic. § 1798.83 does not require you to produce those items — it asks only about categories disclosed to third parties for their direct marketing.
Threshold Requirements (All Must Be Met)

Before drafting a response, check whether § 1798.83 even applies. The statute has several threshold gates that, if unmet, defeat the request entirely.

| # | Requirement | Details |
|---|---|---|
| 1 | California resident | The requester must be a California resident. |
| 2 | "Customer" | Relationship must be primarily for personal, family, or household purposes. B2B / professional relationships fall outside this definition. |
| 3 | Established business relationship | Ongoing relationship, or within 18 months of a purchase/transaction. If the requester never completed a transaction, no established relationship may exist. |
| 4 | 20+ employees | Businesses with fewer than 20 full-time + part-time employees are exempt. This is an absolute exemption under § 1798.83(c)(1). |
| 5 | Third-party disclosure for direct marketing | The business must have actually disclosed PI to third parties when it knew or reasonably should have known they would use it for their own direct marketing. |

Common Threshold Defenses
Defense 1: Not a "customer"
If the requester's relationship is business/professional (not personal/household), § 1798.83 does not apply. Most B2B SaaS users fall here. Research participants whose data was provided by a client are also typically not "customers" of the platform.
Defense 2: Small business exemption
Fewer than 20 employees (full-time and part-time combined) is a complete statutory exemption. The response can be a single sentence citing § 1798.83(c)(1).
Defense 3: No established business relationship
If the requester never completed a transaction or their last interaction was more than 18 months ago, the threshold is not met.
Defense 4: Request sent to wrong address
If you properly designated and published a specific address (via "Your California Privacy Rights" link on your home page), you may have no obligation to respond to requests sent elsewhere. Responding is still often the lower-risk approach.
Timing Rules
| Scenario | Deadline |
|---|---|
| Request received at your designated address/email | 30 days from receipt |
| Request received at a non-designated address | Reasonable period, up to 150 days |
| CPRA/CCPA request (for comparison) | 45 days (extendable to 90) |

Designated address requirement: Covered businesses must designate a mailing address or email for § 1798.83 requests and make it available via a "Your Privacy Rights" link on the home page. This both creates the intake channel and limits your obligation for misdirected requests.
Response Templates

Select the template that matches your situation. Replace bracketed placeholders with your details.

Template A: No Qualifying Disclosures (Most Common)
Use this when your business did not share customer PI with third parties for their direct marketing during the preceding calendar year. This is the standard clean response for most SaaS companies.

[Company] acknowledges receipt of your [letter/email] dated [DATE], submitted on behalf of [NAME], requesting information under California Civil Code section 1798.83.

Based on [Company]'s review of its practices for the immediately preceding calendar year, [Company] did not disclose customers' personal information to third parties for those third parties' direct marketing purposes. Accordingly, [Company] has no categories of personal information to report as having been disclosed for third parties' direct marketing purposes during that period, and no third parties to identify under section 1798.83 in response to this request.

For clarity, your letter lists items such as Social Security numbers, bank account numbers, and credit or debit card numbers. [Company] does not collect or maintain Social Security numbers or bank account numbers for customers in the ordinary course. To the extent [Company] facilitates payments through third-party payment processors, [Company] does not store full payment card numbers.

This response is provided for purposes of California Civil Code section 1798.83 only. Nothing in this letter constitutes an admission that [NAME] is a "customer" within the meaning of section 1798.83 or that section 1798.83 otherwise applies, and [Company] reserves all rights.

Sincerely,
[Name]
[Title]
[Company]

Template B: Requester Does Not Qualify as a Statutory Customer
Use this when the requester's relationship is business/professional, or when they are not found in your systems as a customer.

[Company] acknowledges receipt of your [letter/email] dated [DATE].

California Civil Code section 1798.83 applies to customers whose relationship with a business is primarily for personal, family, or household purposes. Based on [Company]'s records, [NAME]'s relationship with [Company] is [business/professional in nature / not reflected in our systems as a customer account].

Accordingly, [Company] does not believe section 1798.83 applies to this request as framed. [Company] reserves all rights and defenses.

Template C: Small Business Exemption (<20 Employees)
Use this if your company has fewer than 20 full-time and part-time employees combined. This is an absolute statutory exemption.

[Company] acknowledges receipt of your [letter/email] dated [DATE].

California Civil Code section 1798.83 applies to businesses that employ twenty (20) or more persons. [Company] currently employs fewer than twenty full-time and part-time persons combined. Accordingly, [Company] is not subject to the disclosure requirements of section 1798.83(a).

[Company] reserves all rights.

Template D: Qualifying Disclosures Exist (Rare)
Use this if your business did disclose customer PI to third parties for their direct marketing. You must provide the statutory categories and third-party identification.

[Company] acknowledges receipt of your [letter/email] dated [DATE], submitted on behalf of [NAME], requesting information under California Civil Code section 1798.83.

During the immediately preceding calendar year, [Company] disclosed the following categories of personal information to the following third parties for those third parties' direct marketing purposes:

Categories disclosed:
- [e.g., name and mailing address]
- [e.g., email address]
- [e.g., telephone number]

Third parties:
1. [Company Name], [Address] — [Products/Services Marketed]
2. [Company Name], [Address] — [Products/Services Marketed]

This disclosure is provided in standardized format pursuant to section 1798.83(e). [Company] reserves all rights.

SaaS Data Flow Risk Map

Common SaaS data flows and whether they create § 1798.83 exposure. The key question: is the recipient using the disclosed PI for its own direct marketing?

Service Provider Carve-Outs
Key rule: Disclosures to third parties for processing, storage, or management on the business's behalf are not deemed disclosures for the third party's direct marketing purposes — provided the third party does not use or further disclose the data for its own marketing. This carve-out covers most standard SaaS vendor relationships.
Usually Safe

  • Payment Processors: Stripe, Square, Braintree with restricted-use terms. Processing payments on your behalf is not direct marketing.
  • Customer Support Platforms: Zendesk, Intercom, Freshdesk as service providers handling tickets on your behalf.
  • Cloud Infrastructure: AWS, GCP, Azure for hosting and storage. No customer PI used for vendor's own marketing.
  • Analytics Tools: Google Analytics collecting device/usage data. Not PI disclosed for vendor's own direct marketing.
  • Email Service Providers: SendGrid, SES, Postmark sending emails on your behalf with restricted-use terms.

Needs Review

  • CRM with Co-Marketing: HubSpot, Salesforce with co-marketing features. Does the partner market to your contacts?
  • Integration Partners: Bidirectional data sharing. Check DPA restrictions on the partner's use.
  • Referral/Affiliate Programs: Sharing customer contact info with affiliates who may market to them.
  • Survey Tools: Survey platforms that may use respondent data for their own purposes.

Likely Exposure

  • Customer List Sales/Rentals: Selling or renting your customer list. Classic § 1798.83 trigger.
  • Co-Marketing Arrangements: Partner markets directly to your customers using data you shared.
  • Lead-Sharing Without Restrictions: Sharing leads with a partner who uses them for their own solicitations.
  • Data Broker Relationships: Providing customer data to data brokers or aggregators.

Compliance Checklist

13 items to audit your § 1798.83 readiness.

  • Published "Your California Privacy Rights" link on website home page
  • Designated email or mailing address for § 1798.83 requests
  • Privacy policy includes § 1798.83 disclosure language
  • Internal routing process for incoming privacy requests
  • Staff training on classifying § 1798.83 vs. CPRA requests
  • Vendor audit: reviewed DPAs for marketing-use restrictions
  • No customer PI shared for third-party direct marketing (or opt-in/opt-out mechanism documented)
  • Response templates prepared and reviewed by counsel
  • 30-day response calendar/tickler system in place
  • Employee headcount documented (for < 20 exemption)
  • Identity verification process for attorney-submitted requests
  • Records retention policy for responses (3+ years)
  • Annual review of data-sharing practices against statutory categories

Frequently Asked Questions
Cal. Civ. Code § 1798.83 requires businesses to disclose, upon request, whether they shared a California customer's personal information with third parties for the third parties' direct marketing purposes during the preceding calendar year. If they did, they must identify the categories of information shared and the third parties that received it.
It depends on whether your users are "customers" with a relationship "primarily for personal, family, or household purposes." Most B2B SaaS relationships are business/professional and fall outside the statute's customer definition. However, if you have consumer-facing users or freemium individual accounts, those may qualify.
Using personal information to solicit or induce purchases of products/services directly to individuals via mail, telephone, or email for personal/family/household purposes. It also includes selling, renting, or exchanging personal information for consideration.
No. § 1798.83 requires a standardized disclosure of categories of PI disclosed and names/addresses of third parties. It expressly allows standardized format and does not require businesses to provide information associated with specific individuals.
30 days if the request is received at your designated privacy contact address. Up to 150 days if received elsewhere. The statute does not require a response to requests sent to non-designated addresses if you have properly published your designated contact.
Disclosures to service providers for processing, storage, or management on your behalf are generally not deemed disclosures for the third party's direct marketing purposes, provided the vendor does not use or further disclose the data for its own marketing. Review your DPAs/vendor terms to confirm restricted use.
The statute lists extensive categories including: name/address, email, age/DOB, telephone, education, employment, SSN, bank/credit card numbers, and more. However, the question is only whether you disclosed these categories to third parties for their direct marketing — not whether you collect them.
§ 1798.83 is narrower: it only asks about third-party direct marketing disclosures. CPRA/CCPA provides broader rights including access to specific pieces of PI, deletion, correction, and opt-out of sale/sharing. Different thresholds, definitions, and timelines apply. Many demand letters blend both statutes.
If you properly designated and published a specific address for § 1798.83 requests (via a "Your California Privacy Rights" home page link), you may have no obligation to respond to requests sent elsewhere. However, responding is generally lower risk than ignoring, especially when the sender is a plaintiffs' firm.
If your privacy policy adopts and discloses a policy of (a) not disclosing customer PI for third-party direct marketing unless the customer opts in, or (b) not disclosing if the customer opts out, you can comply by notifying the customer of their right to prevent disclosure and providing a cost-free mechanism to exercise it.
Attorney-Assisted Response
Flat-fee service: We draft and finalize your § 1798.83 response for a flat $575 fee. This includes classifying the request, confirming threshold applicability, auditing your vendor stack, and delivering a final response letter ready to send. Schedule a consultation to get started.
What's Included
  • Request classification: Determine if the letter is actually § 1798.83, CPRA/CCPA, or a hybrid
  • Threshold analysis: Customer status, employee count, designated address, established business relationship
  • Vendor audit: Review your data-sharing practices and DPAs for direct marketing exposure
  • Final response letter: Ready to send on your letterhead, with reservation of rights and non-admissions
  • Privacy policy review: Confirm your "Your California Privacy Rights" section and designated contact are compliant
When to Hire an Attorney
  • The letter comes from a known privacy plaintiffs' firm (e.g., Swigart Law Group, Edelson PC)
  • You are unsure whether you had qualifying third-party marketing disclosures
  • The request is ambiguous (blends § 1798.83 and CPRA language)
  • You have co-marketing, affiliate, or lead-sharing arrangements that might trigger exposure
  • You want to assert threshold defenses (not a customer, <20 employees) without creating litigation risk
Schedule a Consultation

30-minute consultation with a California-licensed attorney. Classify your request, pick the right template, and finalize a response.

Consult — $135 for 30 min
Disclaimer: This page provides general legal information about Cal. Civ. Code § 1798.83 for educational purposes. It is not legal advice and does not create an attorney-client relationship.

Terms.Law — Sergei Tokmakov, Esq. • CA Bar #279869

© 2026 Terms.Law. All rights reserved.