Privacy Legislation Enacted in 2003
Unless otherwise noted, all laws go into effect January 1, 2004
Data Collection/Use Limits
SB 1 (Speier) - Financial Information Privacy: This bill, which is substantially similar to last year's SB 773, enacts the California Financial Information Privacy Act. It prohibits financial institutions from sharing or selling personally identifiable nonpublic information without obtaining a consumer's consent, as provided. It provides for a plain-language notice of the privacy rights it confers. The bill requires that (1) a consumer must "opt in" before a financial institution may share personal information with an unaffiliated third party, (2) consumers be given an opportunity to "opt out" of sharing with a financial institution's financial marketing partners (JMAs), and (3) consumers be given the opportunity to "opt out" of sharing with a financial institution's affiliates, with some exceptions. When an affiliate is wholly owned, in the same line of business, subject to the same functional regulator and operates under the same brand name, an institution may share its customers' personal information with the affiliate without providing an opt-out right. It takes effect July 1, 2004.
SB 25 (Bowen) - This bill extends the ban on the public posting or display of Social Security numbers to local and state government agencies, with delayed effective dates for U.C., the C.S.U. system, the community college districts, the Student Aid Commission and the Franchise Tax Board. It requires, effective July 1, 2004, users of credit reports to take reasonable steps to verify identity on reports with fraud alerts, including calling any specified phone number before granting credit. It also extends the deadline for banks to cease printing SSNs on account documents mailed to consumers to July 1, 2004.
AB 213 (Leslie) - "Black boxes" in automobiles: This bill requires manufacturers that install "event data recorders" in vehicles to disclose that fact in the owner's manual. It also limits the retrieval and use of data from such a device to the vehicle owner or others permitted by the owner, in response to a court order, for the purpose of improving vehicle safety, or for servicing or repairing the vehicle. Data retrieved for improving vehicle safety may not be released for any other purpose and must not reveal the owner's identity if shared with other vehicle safety organizations. Subscription services that install such devices must disclose the device's function in the subscription service agreement. Effective for vehicles manufactured after 7/1/04.
SB 660 (Speier) - This bill establishes a procedure to keep Social Security numbers confidential in court filings for legal separation, dissolution or nullification of marriage. It creates a separate one-page form containing the parties' SSNs to be placed in the confidential portion of the court file. This bill requires the form to contain a notice informing parties of their right to redact SSNs from documents and materials filed with the court.
AB 715 (Chan) - This bill adds many types of "marketing" to the list of prohibited uses and disclosures of individually identifiable medical information by health care providers and health plans. It would exclude communications for which the communicator does not receive remuneration from a third party, communications to plan enrollees to inform them of their benefits and plan procedures, unremunerated treatment-related communications, and remunerated "disease management" communications for life-threatening or seriously debilitating conditions with an opportunity for the patient to opt out.
AB 763 (Liu) - Social Security numbers: This bill prohibits a Social Security number that is otherwise permitted to be mailed from being printed, in whole or in part, on a postcard or other mailer or visible on the envelope or without the envelope having been opened.
AB 1105 (Jackson) - Identity theft statute of limitations: This bill gives victims, law enforcement, and prosecutors a reasonable opportunity to discover and investigate the crime of identity theft by specifying that the statute of limitations for the crime (and publicly filing a false or forged document) commences when the crime was discovered, instead of when it was committed.
AB 1294 (Wiggins) - Debt collection and identity theft: This bill is intended to help identity theft victims deal with debt collectors who are trying to collect debts incurred by the thief. It requires a debt collector to stop collection when an alleged debtor furnishes a police report of identity theft and other information on his status as an identity theft victim. If a collector ultimately determines that the information fails to establish that the consumer is not responsible for the debt, the collector has to notify the consumer of that determination and its basis before proceeding with collection. The bill also helps identity theft victims clear up their records by requiring debt collectors who cease collection activities to notify the creditors and consumer credit reporting agencies to which the collector previously provided adverse information.
AB 1610 (Pavley) - Consumer credit reporting: This bill addresses what law enforcement and consumer advocates consider a major factor in the increase in identity theft: the sloppy practices of credit issuers. It requires a credit issuer using a consumer credit report, who discovers that key identifying information (first and last name, address, SSN) on an application for credit does not match the information in the credit report, to take reasonable steps to stop and verify the accuracy of the information on the application.
AB 1772 (Committee on Banking & Finance) - Identity theft: access to fraudulent account information: This bill gives victims of "business identity theft" an important right of consumer victims. Business identity theft occurs when an unauthorized person uses a business's identifying information to get credit or make purchases in the business's name. The bill adds mail receiving or forwarding services and office or desk space rental services to the types of accounts on which an identity theft victim may get information.
SB 544 (Chesbro) - This bill addresses the risk of identity theft created when veterans file their discharge papers (DD214s), which contain their SSN, with their county recorders. It requires county recorders to provide any military veteran who does so with a written form indicating that the document becomes public when it is recorded. The veteran would have to sign the form in acknowledgement.
SB 602 (Figueroa) - The Identity Theft Prevention and Assistance Act would help consumers prevent identity theft from occurring, assist victims, and strengthen law enforcement's investigative tools. It caps the fees for freezing credit files for non-ID theft victims at $10 for a freeze or general thaw and $12 for a thaw for a specific creditor. This will reduce the cost of placing freezes from the current $102 to $30. It prohibits bars, car dealers and others from collecting information by swiping driver's licenses for any purpose other than verifying age or authenticity of the license, check verification or when legally required. It requires a business that gets a request for a change of address on an account and then within a specified time period a request for a new credit card or service to notify the consumer at the former address of record. (Exception if the request is made with valid ID or by phone with a password.) It requires credit reporting agencies to notify consumers when fraud alerts expire and to pay a penalty of up to $2,500 for reckless, willful or intentional failure to place a fraud alert. It establishes an expedited court process to compel credit issuers to provide documents on fraudulent accounts to identity theft victims, with damages of $100 per day for non-compliance. It clarifies in Penal Code section 530.6 that law enforcement in the victim's jurisdiction may investigate the case or may refer it to another jurisdiction where the stolen personal information was used.
SB 684 (Alpert) - Identity theft victim access to fraudulent accounts: This bill closes a loophole in one of California's important recent identity theft laws. Existing law gives identity theft victims, and their law enforcement designees, the right to obtain information related to fraudulent accounts that were opened or applied for in their names by identity thieves. This bill clarifies that victims are also entitled to telephone and electronic records, as well as to paper records, on fraudulent accounts. It also gives victims a right to documents on their own accounts when the accounts were used fraudulently.
SB 752 (Alpert) - Criminal identity theft: This bill helps victims clear their records when an identity thief, using the victim's name, is arrested. It establishes a procedure for an identity theft victim to contest a charge by submitting a thumbprint for comparison with the thumbprint of the thief taken at the time of arrest. Upon comparison of the thumbprints by the prosecuting attorney and a conclusion of non-match, the court may issue a finding of factual innocence and notify the DMV. The DMV will reverse the driver's license revocation or suspension. If there is no thumbprint of the arrestee, the court may refer the case to the arresting agency for further investigation. If insufficient evidence or no response is provided within 45 days, the court issues a finding of factual innocence. (The court has discretion not to do so if in the interest of justice.)
SB 27 (Figueroa) - Information sharing disclosure: This bill gives consumers rights over their personal information in the hands of non-financial businesses. It lets consumers learn what's happening with their personal information and encourages non-financial businesses to let their customers opt out of sharing that information with third parties. In response to a customer request, businesses must provide either: 1) a list of the categories of personal information disclosed to third parties and the names and addresses of those third parties, OR 2) a privacy statement giving the customer a cost-free opportunity to opt out of information sharing. Consumer requests may be made in writing or by e-mail (or by phone or fax, if the business so chooses). A business may provide contact instructions for requesting information by notifying employees with customer contact, responding to customer request, in its GLB notice, or on its web site. Information must be provided within 30 days of a request received by the designated means, or 150 days if received otherwise. The requesting customer must have an established business relationship. A business only has to respond once a year. Exemptions: Same brand name affiliates (the only required disclosure is the total number of affiliates shared with and certain categories of information), financial institutions in compliance with SB 1, businesses with fewer than 20 employees, charities, political organizations, administrative/transactional sharing, JMAs (per SB 1), credit reporting agencies. Penalties: up to $500 per unintentional violation and up to $3,000 for willful, intentional or reckless violation. It allows a 90-day "right to cure." This law takes effect January 1, 2005.
SB 186 (Murray) - Spam: This bill prohibits the sending of "spam" to or from a California e-mail address. It prohibits sending or advertising in unsolicited commercial e-mail (UCE) to or from a California address. It prohibits the collection of e-mail addresses or registering for multiple e-mail accounts for the purpose of initiating or advertising in UCE to or from a California address. It prohibits the use of automated "harvesting" of e-mail addresses for UCE. It prohibits sending commercial e-mail advertisements with false or misleading information. UCE is defined as commercial e-mail sent to a recipient who has not provided direct consent to receive it from the advertiser and who has no existing business relationship with the advertiser. UCE sent to existing business relationships must contain an opt-out provision via a valid unsubscribe e-mail address or toll-free number. Penalties: The recipient, e-mail service provider, or Attorney General may sue for actual damages, liquidated damages of $1,000 per e-mail up to $1,000,000 per incident, plus attorney fees and costs. The court may reduce liquidated damages to $100/$100,000 if accidental and the sender/advertiser has demonstrated due care and documented practices and procedures to prevent.