BILL NUMBER: SB 1730 CHAPTERED
BILL TEXT
CHAPTER 786
FILED WITH SECRETARY OF STATE SEPTEMBER 22, 2002
APPROVED BY GOVERNOR SEPTEMBER 21, 2002
PASSED THE SENATE AUGUST 30, 2002
PASSED THE ASSEMBLY AUGUST 28, 2002
AMENDED IN ASSEMBLY AUGUST 27, 2002
AMENDED IN ASSEMBLY JUNE 25, 2002
AMENDED IN ASSEMBLY JUNE 13, 2002
AMENDED IN ASSEMBLY JUNE 12, 2002
AMENDED IN SENATE APRIL 18, 2002
AMENDED IN SENATE APRIL 1, 2002
INTRODUCED BY Senator Bowen
(Coauthor: Assembly Member Alquist)
FEBRUARY 21, 2002
An act to amend Sections 1785.11.2, 1785.11.6, and 1798.85 of the
Civil Code, relating to personal information.
LEGISLATIVE COUNSEL'S DIGEST
SB 1730, Bowen. Personal information.
(1) Existing law authorizes a consumer to place a security alert
in his or her credit report by making a request in writing or by
telephone to a consumer credit reporting agency, as specified.
Existing law requires consumer credit reporting agencies to take
specified actions in response to a request by a consumer to place a
security freeze, as defined, on his or her credit report. Existing
law makes various entities exempt from that requirement.
This bill would additionally exempt from those requirements the
use of a consumer credit report by any person or entity administering
a credit file monitoring subscription service to which the consumer
has subscribed or by any person or entity for the purpose of
providing a consumer with a copy of his or her credit report upon the
consumer's request. The bill would also exempt a fraud prevention
services company from the requirement to place a security alert or a
security freeze in a credit report, as specified.
(2) Existing law prohibits a person or entity, except as
specified, from publicly posting or displaying an individual's social
security number, printing that social security number on a card
required for the individual to access products or services or on
materials mailed to the individual, or otherwise requiring an
individual to transmit or use that social security number. These
provisions become operative in the case of a health care service
plan, a provider of health care, and other, specified health care
related entities as the requirements pertain to individual
policyholders, employer groups, and enrollees of state medical
insurance programs on various dates, as specified.
This bill would revise those provisions to additionally provide
that they shall become operative in the case of the provision by any
person or entity of administrative or other services relative to
health care or insurance products or services on various dates, as
specified.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 1785.11.2 of the Civil Code is amended to read:
1785.11.2. (a) A consumer may elect to place a security freeze on
his or her credit report by making a request in writing by certified
mail to a consumer credit reporting agency. "Security freeze" means
a notice placed in a consumer's credit report, at the request of the
consumer and subject to certain exceptions, that prohibits the
consumer credit reporting agency from releasing the consumer's credit
report or any information from it without the express authorization
of the consumer. If a security freeze is in place, information from
a consumer's credit report may not be released to a third party
without prior express authorization from the consumer. This
subdivision does not prevent a consumer credit reporting agency from
advising a third party that a security freeze is in effect with
respect to the consumer's credit report.
(b) A consumer credit reporting agency shall place a security
freeze on a consumer's credit report no later than five business days
after receiving a written request from the consumer.
(c) The consumer credit reporting agency shall send a written
confirmation of the security freeze to the consumer within 10
business days and shall provide the consumer with a unique personal
identification number or password to be used by the consumer when
providing authorization for the release of his or her credit for a
specific party or period of time.
(d) If the consumer wishes to allow his or her credit report to be
accessed for a specific party or period of time while a freeze is in
place, he or she shall contact the consumer credit reporting agency,
request that the freeze be temporarily lifted, and provide the
following:
(1) Proper identification, as defined in subdivision (c) of
Section 1785.15.
(2) The unique personal identification number or password provided
by the credit reporting agency pursuant to subdivision (c).
(3) The proper information regarding the third party who is to
receive the credit report or the time period for which the report
shall be available to users of the credit report.
(e) A consumer credit reporting agency that receives a request
from a consumer to temporarily lift a freeze on a credit report
pursuant to subdivision (d), shall comply with the request no later
than three business days after receiving the request.
(f) A consumer credit reporting agency may develop procedures
involving the use of telephone, fax, the Internet, or other
electronic media to receive and process a request from a consumer to
temporarily lift a freeze on a credit report pursuant to subdivision
(d) in an expedited manner.
(g) A consumer credit reporting agency shall remove or temporarily
lift a freeze placed on a consumer's credit report only in the
following cases:
(1) Upon consumer request, pursuant to subdivision (d) or (j).
(2) If the consumer's credit report was frozen due to a material
misrepresentation of fact by the consumer. If a consumer credit
reporting agency intends to remove a freeze upon a consumer's credit
report pursuant to this paragraph, the consumer credit reporting
agency shall notify the consumer in writing prior to removing the
freeze on the consumer's credit report.
(h) If a third party requests access to a consumer credit report
on which a security freeze is in effect, and this request is in
connection with an application for credit or any other use, and the
consumer does not allow his or her credit report to be accessed for
that specific party or period of time, the third party may treat the
application as incomplete.
(i) If a consumer requests a security freeze, the consumer credit
reporting agency shall disclose the process of placing and
temporarily lifting a freeze, and the process for allowing access to
information from the consumer's credit report for a specific party or
period of time while the freeze is in place.
(j) A security freeze shall remain in place until the consumer
requests that the security freeze be removed. A consumer credit
reporting agency shall remove a security freeze within three business
days of receiving a request for removal from the consumer, who
provides both of the following:
(1) Proper identification, as defined in subdivision (c) of
Section 1785.15.
(2) The unique personal identification number or password provided
by the credit reporting agency pursuant to subdivision (c).
(k) A consumer credit reporting agency shall require proper
identification, as defined in subdivision (c) of Section 1785.15, of
the person making a request to place or remove a security freeze.
(l) The provisions of this section do not apply to the use of a
consumer credit report by any of the following:
(1) A person or entity, or a subsidiary, affiliate, or agent of
that person or entity, or an assignee of a financial obligation owing
by the consumer to that person or entity, or a prospective assignee
of a financial obligation owing by the consumer to that person or
entity in conjunction with the proposed purchase of the financial
obligation, with which the consumer has or had prior to assignment an
account or contract, including a demand deposit account, or to whom
the consumer issued a negotiable instrument, for the purposes of
reviewing the account or collecting the financial obligation owing
for the account, contract, or negotiable instrument. For purposes of
this paragraph, "reviewing the account" includes activities related
to account maintenance, monitoring, credit line increases, and
account upgrades and enhancements.
(2) A subsidiary, affiliate, agent, assignee, or prospective
assignee of a person to whom access has been granted under
subdivision (d) of Section 1785.11.2 for purposes of facilitating the
extension of credit or other permissible use.
(3) Any state or local agency, law enforcement agency, trial
court, or private collection agency acting pursuant to a court order,
warrant, or subpoena.
(4) A child support agency acting pursuant to Chapter 2 of
Division 17 of the Family Code or Title IV-D of the Social Security
Act (42 U.S.C. et seq.).
(5) The State Department of Health Services or its agents or
assigns acting to investigate Medi-Cal fraud.
(6) The Franchise Tax Board or its agents or assigns acting to
investigate or collect delinquent taxes or unpaid court orders or to
fulfill any of its other statutory responsibilities.
(7) The use of credit information for the purposes of prescreening
as provided for by the federal Fair Credit Reporting Act.
(8) Any person or entity administering a credit file monitoring
subscription service to which the consumer has subscribed.
(9) Any person or entity for the purpose of providing a consumer
with a copy of his or her credit report upon the consumer's request.
(m) This act does not prevent a consumer credit reporting agency
from charging a reasonable fee to a consumer who elects to freeze,
remove the freeze, or temporarily lift the freeze regarding access to
a consumer credit report, except that a consumer credit reporting
agency may not charge a fee to a victim of identity theft who has
submitted a valid police report or valid Department of Motor Vehicles
investigative report that alleges a violation of Section 530.5 of
the Penal Code.
SEC. 2. Section 1785.11.6 of the Civil Code is amended to read:
1785.11.6. The following entities are not required to place in a
credit report either a security alert, pursuant to Section 1785.11.1,
or a security freeze, pursuant to Section 1785.11.2:
(a) A check services or fraud prevention services company, which
issues reports on incidents of fraud or authorizations for the
purpose of approving or processing negotiable instruments, electronic
funds transfers, or similar methods of payments.
(b) A demand deposit account information service company, which
issues reports regarding account closures due to fraud, substantial
overdrafts, ATM abuse, or similar negative information regarding a
consumer, to inquiring banks or other financial institutions for use
only in reviewing a consumer request for a demand deposit account at
the inquiring bank or financial institution.
SEC. 3. Section 1798.85 of the Civil Code is amended to read:
1798.85. (a) A person or entity, not including a state or local
agency, may not do any of the following:
(1) Publicly post or publicly display in any manner an individual'
s social security number. "Publicly post" or "publicly display"
means to intentionally communicate or otherwise make available to the
general public.
(2) Print an individual's social security number on any card
required for the individual to access products or services provided
by the person or entity.
(3) Require an individual to transmit his or her social security
number over the Internet, unless the connection is secure or the
social security number is encrypted.
(4) Require an individual to use his or her social security number
to access an Internet Web site, unless a password or unique personal
identification number or other authentication device is also
required to access the Internet Web site.
(5) Print an individual's social security number on any materials
that are mailed to the individual, unless state or federal law
requires the social security number to be on the document to be
mailed. Notwithstanding this paragraph, social security numbers may
be included in applications and forms sent by mail, including
documents sent as part of an application or enrollment process, or to
establish, amend or terminate an account, contract or policy, or to
confirm the accuracy of the social security number.
(b) Except as provided in subdivision (c), subdivision (a) applies
only to the use of social security numbers on or after July 1, 2002.
(c) Except as provided in subdivision (f), a person or entity, not
including a state or local agency, that has used, prior to July 1,
2002, an individual's social security number in a manner inconsistent
with subdivision (a), may continue using that individual's social
security number in that manner on or after July 1, 2002, if all of
the following conditions are met:
(1) The use of the social security number is continuous. If the
use is stopped for any reason, subdivision (a) shall apply.
(2) The individual is provided an annual disclosure, commencing in
the year 2002, that informs the individual that he or she has the
right to stop the use of his or her social security number in a
manner prohibited by subdivision (a).
(3) A written request by an individual to stop the use of his or
her social security number in a manner prohibited by subdivision (a)
shall be implemented within 30 days of the receipt of the request.
There shall be no fee or charge for implementing the request.
(4) A person or entity, not including a state or local agency,
shall not deny services to an individual because the individual makes
a written request pursuant to this subdivision.
(d) This section does not prevent the collection, use, or release
of a social security number as required by state or federal law or
the use of a social security number for internal verification or
administrative purposes.
(e) This section does not apply to documents that are recorded or
required to be open to the public pursuant to Chapter 3.5 (commencing
with Section 6250), Chapter 14 (commencing with Section 7150) or
Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1
of, or Chapter 9 (commencing with Section 54950) of Part 1 of
Division 2 of Title 5 of, the Government Code. This section does not
apply to records that are required by statute, case law, or
California Rule of Court, to be made available to the public by
entities provided for in Article VI of the California Constitution.
(f) (1) In the case of a health care service plan, a provider of
health care, an insurer or a pharmacy benefits manager, a contractor
as defined in Section 56.05, or the provision by any person or entity
of administrative or other services relative to health care or
insurance products or services, including third-party administration
or administrative services only, this section shall become operative
in the following manner:
(A) On or before January 1, 2003, the entities listed in paragraph
(1) of subdivision (f) shall comply with paragraphs (1), (3), (4),
and (5) of subdivision (a) as these requirements pertain to
individual policyholders or individual contract holders.
(B) On or before January 1, 2004, the entities listed in paragraph
(1) of subdivision (f) shall comply with paragraphs (1) to (5),
inclusive, of subdivision (a) as these requirements pertain to new
individual policyholders or new individual contractholders and new
groups, including new groups administered or issued on or after
January 1, 2004.
(C) On or before July 1, 2004, the entities listed in paragraph
(1) of subdivision (f) shall comply with paragraphs (1) to (5),
inclusive, of subdivision (a) for all individual policyholders and
individual contractholders, for all groups, and for all enrollees of
the Healthy Families and Medi-Cal programs, except that for
individual policyholders, individual contractholders and groups in
existence prior to January 1, 2004, the entities listed in paragraph
(1) of subdivision (f) shall comply upon the renewal date of the
policy, contract, or group on or after July 1, 2004, but no later
than July 1, 2005.
(2) A health care service plan, a provider of health care, an
insurer or a pharmacy benefits manager, a contractor, or another
person or entity as described in paragraph (1) of subdivision (f)
shall make reasonable efforts to cooperate, through systems testing
and other means, to ensure that the requirements of this article are
implemented on or before the dates specified in this section.
(3) Notwithstanding paragraph (2), the Director of the Department
of Managed Health Care, pursuant to the authority granted under
Section 1346 of the Health and Safety Code, or the Insurance
Commissioner, pursuant to the authority granted under Section 12921
of the Insurance Code, and upon a determination of good cause, may
grant extensions not to exceed six months for compliance by health
care service plans and insurers with the requirements of this section
when requested by the health care service plan or insurer. Any
extension granted shall apply to the health care service plan or
insurer's affected providers, pharmacy benefits manager, and
contractors.
(g) If a federal law takes effect requiring the United States
Department of Health and Human Services to establish a national
unique patient health identifier program, a provider of health care,
a health care service plan, a licensed health care professional, or a
contractor, as those terms are defined in Section 56.05, that
complies with the federal law shall be deemed in compliance with this
section.