BILL NUMBER: SB 25 CHAPTERED
BILL TEXT
CHAPTER 907
FILED WITH SECRETARY OF STATE OCTOBER 12, 2003
APPROVED BY GOVERNOR OCTOBER 12, 2003
PASSED THE SENATE SEPTEMBER 12, 2003
PASSED THE ASSEMBLY SEPTEMBER 11, 2003
AMENDED IN ASSEMBLY SEPTEMBER 10, 2003
AMENDED IN ASSEMBLY SEPTEMBER 8, 2003
AMENDED IN ASSEMBLY SEPTEMBER 3, 2003
AMENDED IN SENATE JUNE 2, 2003
AMENDED IN SENATE MARCH 6, 2003
INTRODUCED BY Senator Bowen
(Coauthors: Senators Aanestad, Alpert, Chesboro, Soto, and
Torlakson)
(Coauthors: Assembly Members Bogh, Correa, Hancock, Koretz,
Leslie, Montanez, Pavley, and Vargas)
DECEMBER 2, 2002
An act to amend Sections 1785.11.1, 1785.11.6, 1786.60, and
1798.85 of the Civil Code, relating to personal information.
LEGISLATIVE COUNSEL'S DIGEST
SB 25, Bowen. Personal information: security.
(1) Existing law authorizes a consumer to place a security alert
in his or her credit report, as specified, and sets forth the duties
of a consumer credit reporting agency with regard to a security
alert. Existing law requires a consumer credit reporting agency to
provide specified disclosures of a consumer's rights in connection
with consumer credit reporting.
This bill would, operative July 1, 2004, further provide that any
person who uses a consumer credit report in connection with the
approval of credit, as specified, may not lend money, extend credit,
or complete the purchase, lease, or rental of goods or
non-credit-related services without taking reasonable steps to verify
the consumer's identity, in order to ensure that the application for
an extension of credit or for the purchase, lease, or rental of
goods or non-credit-related services is not the result of identity
theft.
The bill would also specify that if a consumer has placed a
statement with the security alert in his or her file requesting that
identity be verified by calling a specified telephone number, any
person who receives that statement with the security alert in a
consumer's file must take reasonable steps to verify his or her
identity by contacting the consumer using the specified telephone
number prior to lending money, extending credit, or completing the
purchase, lease, or rental of goods or non-credit-related services,
with certain exceptions.
The bill would also revise the disclosures that a consumer credit
reporting agency is required to give a consumer.
(2) Existing law exempts specified demand deposit account
information services companies from the requirement for placing a
security alert or security freeze in a credit report.
This bill would revise that provision to apply to deposit account
information services companies, and would make conforming changes.
(3) Existing law authorizes a financial institution to print the
social security number of an individual or account documents, as
specified, but only prior to July 1, 2003.
This bill would extend that deadline until July 1, 2004.
(4) Existing law prohibits a person or entity, but not a state or
local agency, from publicly posting or displaying an individual's
social security number or doing certain other acts that might
compromise the security of an individual's social security number on
or after July 1, 2002, except as specified.
This bill would extend these requirements to state and local
agencies, subject to specified exceptions. This bill would also
provide that a person or entity may not encode or embed a social
security number in or on a card or document, including using a bar
code, chip, magnetic strip, or other technology, in place of removing
the social security number.
(5) This bill would incorporate further changes to Sections
1785.11.1 and 1798.85 of the Civil Code proposed by SB 602 and AB
763, respectively, contingent upon their prior enactment.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Section 1785.11.1 of the Civil Code is amended to read:
1785.11.1. (a) A consumer may elect to place a security alert in
his or her credit report by making a request in writing or by
telephone to a consumer credit reporting agency. "Security alert"
means a notice placed in a consumer's credit report, at the request
of the consumer, that notifies a recipient of the credit report that
the consumer's identity may have been used without the consumer's
consent to fraudulently obtain goods or services in the consumer's
name.
(b) A consumer credit reporting agency shall notify each person
requesting consumer credit information with respect to a consumer of
the existence of a security alert in the credit report of that
consumer, regardless of whether a full credit report, credit score,
or summary report is requested.
(c) Each consumer credit reporting agency shall maintain a
toll-free telephone number to accept security alert requests from
consumers 24 hours a day, seven days a week.
(d) The toll-free telephone number shall be included in any
written disclosure by a consumer credit reporting agency to any
consumer pursuant to Section 1785.15 and shall be printed in a clear
and conspicuous manner.
(e) A consumer credit reporting agency shall place a security
alert on a consumer's credit report no later than five business days
after receiving a request from the consumer.
(f) The security alert shall remain in place for at least 90 days,
and a consumer shall have the right to request a renewal of the
security alert.
(g) Any person who uses a consumer credit report in connection
with the approval of credit based on an application for an extension
of credit, or with the purchase, lease, or rental of goods or
non-credit-related services and who receives notification of a
security alert pursuant to subdivision (a) may not lend money, extend
credit, or complete the purchase, lease, or rental of goods or
non-credit-related services without taking reasonable steps to verify
the consumer's identity, in order to ensure that the application for
an extension of credit or for the purchase, lease, or rental of
goods or non-credit-related services is not the result of identity
theft. If the consumer has placed a statement with the security
alert in his or her file requesting that identity be verified by
calling a specified telephone number, any person who receives that
statement with the security alert in a consumer's file pursuant to
subdivision (a) shall take reasonable steps to verify the identity of
the consumer by contacting the consumer using the specified
telephone number prior to lending money, extending credit, or
completing the purchase, lease, or rental of goods or
non-credit-related services. If a person uses a consumer credit
report to facilitate the extension of credit or for another
permissible purpose on behalf of a subsidiary, affiliate, agent,
assignee, or prospective assignee, that person may verify a consumer'
s identity under this section in lieu of the subsidiary, affiliate,
agent, assignee, or prospective assignee.
(h) For purposes of this section, "extension of credit" does not
include an increase in the dollar limit of an existing open-end
credit plan, as defined in Regulation Z issued by the Board of
Governors of the Federal Reserve System (12 C.F.R. 226.2), or any
change to, or review of, an existing credit account.
(i) If reasonable steps are taken to verify the identity of the
consumer pursuant to subdivision (b) of Section 1785.20.3, those
steps constitute compliance with the requirements of this section,
except that if a consumer has placed a statement including a
telephone number with the security alert in his or her file, his or
her identity shall be verified by contacting the consumer using that
telephone number as specified pursuant to subdivision (g).
SEC. 1.5. Section 1785.11.1 of the Civil Code is amended to read:
1785.11.1. (a) A consumer may elect to place a security alert in
his or her credit report by making a request in writing or by
telephone to a consumer credit reporting agency. "Security alert"
means a notice placed in a consumer's credit report, at the request
of the consumer, that notifies a recipient of the credit report that
the consumer's identity may have been used without the consumer's
consent to fraudulently obtain goods or services in the consumer's
name.
(b) A consumer credit reporting agency shall notify each person
requesting consumer credit information with respect to a consumer of
the existence of a security alert in the credit report of that
consumer, regardless of whether a full credit report, credit score,
or summary report is requested.
(c) Each consumer credit reporting agency shall maintain a
toll-free telephone number to accept security alert requests from
consumers 24 hours a day, seven days a week.
(d) The toll-free telephone number shall be included in any
written disclosure by a consumer credit reporting agency to any
consumer pursuant to Section 1785.15 and shall be printed in a clear
and conspicuous manner.
(e) A consumer credit reporting agency shall place a security
alert on a consumer's credit report no later than five business days
after receiving a request from the consumer.
(f) The security alert shall remain in place for at least 90 days,
and a consumer shall have the right to request a renewal of the
security alert.
(g) Any person who uses a consumer credit report in connection
with the approval of credit based on an application for an extension
of credit, or with the purchase, lease, or rental of goods or
non-credit-related services and who receives notification of a
security alert pursuant to subdivision (a) may not lend money, extend
credit, or complete the purchase, lease, or rental of goods or
non-credit-related services without taking reasonable steps to verify
the consumer's identity, in order to ensure that the application for
an extension of credit or for the purchase, lease, or rental of
goods or non-credit-related services is not the result of identity
theft. If the consumer has placed a statement with the security
alert in his or her file requesting that identity be verified by
calling a specified telephone number, any person who receives that
statement with the security alert in a consumer's file pursuant to
subdivision (a) shall take reasonable steps to verify the identity of
the consumer by contacting the consumer using the specified
telephone number prior to lending money, extending credit, or
completing the purchase, lease, or rental of goods or
non-credit-related services. If a person uses a consumer credit
report to facilitate the extension of credit or for another
permissible purpose on behalf of a subsidiary, affiliate, agent,
assignee, or prospective assignee, that person may verify a consumer'
s identity under this section in lieu of the subsidiary, affiliate,
agent, assignee, or prospective assignee.
(h) For purposes of this section, "extension of credit" does not
include an increase in the dollar limit of an existing open-end
credit plan, as defined in Regulation Z issued by the Board of
Governors of the Federal Reserve System (12 C.F.R. 226.2), or any
change to, or review of, an existing credit account.
(i) If reasonable steps are taken to verify the identity of the
consumer pursuant to subdivision (b) of Section 1785.20.3, those
steps constitute compliance with the requirements of this section,
except that if a consumer has placed a statement including a
telephone number with the security alert in his or her file, his or
her identity shall be verified by contacting the consumer using that
telephone number as specified pursuant to subdivision (g).
(j) A consumer credit reporting agency shall notify each consumer
who has requested that a security alert be placed on his or her
consumer credit report of the expiration date of the alert.
(k) Notwithstanding Section 1785.19, any consumer credit reporting
agency that recklessly, willfully, or intentionally fails to place a
security alert pursuant to this section shall be liable for a
penalty in an amount of up to two thousand five hundred dollars
($2,500) and reasonable attorneys' fees.
SEC. 2. Section 1785.11.6 of the Civil Code is amended to read:
1785.11.6. The following entities are not required to place in a
credit report either a security alert, pursuant to Section 1785.11.1,
or a security freeze, pursuant to Section 1785.11.2:
(a) A check services or fraud prevention services company, which
issues reports on incidents of fraud or authorizations for the
purpose of approving or processing negotiable instruments, electronic
funds transfers, or similar methods of payments.
(b) A deposit account information service company, which issues
reports regarding account closures due to fraud, substantial
overdrafts, ATM abuse, or similar negative information regarding a
consumer, to inquiring banks or other financial institutions for use
only in reviewing a consumer request for a deposit account at the
inquiring bank or financial institution.
SEC. 3. Section 1785.15 of the Civil Code is amended to read:
1785.15. (a) A consumer credit reporting agency shall supply
files and information required under Section 1785.10 during normal
business hours and on reasonable notice. In addition to the
disclosure provided by this chapter and any disclosures received by
the consumer, the consumer has the right to request and receive all
of the following:
(1) Either a decoded written version of the file or a written copy
of the file, including all information in the file at the time of
the request, with an explanation of any code used.
(2) A credit score for the consumer, the key factors, and the
related information, as defined in and required by Section 1785.15.1.
(3) A record of all inquiries, by recipient, which result in the
provision of information concerning the consumer in connection with a
credit transaction that is not initiated by the consumer and which
were received by the consumer credit reporting agency in the 12-month
period immediately preceding the request for disclosure under this
section.
(4) The recipients, including end users specified in Section
1785.22, of any consumer credit report on the consumer which the
consumer credit reporting agency has furnished:
(A) For employment purposes within the two-year period preceding
the request.
(B) For any other purpose within the 12-month period preceding the
request.
Identification for purposes of this paragraph shall include the
name of the recipient or, if applicable, the fictitious business name
under which the recipient does business disclosed in full. If
requested by the consumer, the identification shall also include the
address of the recipient.
(b) Files maintained on a consumer shall be disclosed promptly as
follows:
(1) In person, at the location where the consumer credit reporting
agency maintains the trained personnel required by subdivision (d),
if he or she appears in person and furnishes proper identification.
(2) By mail, if the consumer makes a written request with proper
identification for a copy of the file or a decoded written version of
that file to be sent to the consumer at a specified address. A
disclosure pursuant to this paragraph shall be deposited in the
United States mail, postage prepaid, within five business days after
the consumer's written request for the disclosure is received by the
consumer credit reporting agency. Consumer credit reporting agencies
complying with requests for mailings under this section shall not be
liable for disclosures to third parties caused by mishandling of
mail after the mailings leave the consumer credit reporting agencies.
(3) A summary of all information contained in files on a consumer
and required to be provided by Section 1785.10 shall be provided by
telephone, if the consumer has made a written request, with proper
identification for telephone disclosure.
(4) Information in a consumer's file required to be provided in
writing under this section may also be disclosed in another form if
authorized by the consumer and if available from the consumer credit
reporting agency. For this purpose a consumer may request disclosure
in person pursuant to Section 1785.10, by telephone upon disclosure
of proper identification by the consumer, by electronic means if
available from the consumer credit reporting agency, or by any other
reasonable means that is available from the consumer credit reporting
agency.
(c) "Proper identification," as used in subdivision (b) means that
information generally deemed sufficient to identify a person. Only
if the consumer is unable to reasonably identify himself or herself
with the information described above, may a consumer credit reporting
agency require additional information concerning the consumer's
employment and personal or family history in order to verify his or
her identity.
(d) The consumer credit reporting agency shall provide trained
personnel to explain to the consumer any information furnished him or
her pursuant to Section 1785.10.
(e) The consumer shall be permitted to be accompanied by one other
person of his or her choosing, who shall furnish reasonable
identification. A consumer credit reporting agency may require the
consumer to furnish a written statement granting permission to the
consumer credit reporting agency to discuss the consumer's file in
that person's presence.
(f) Any written disclosure by a consumer credit reporting agency
to any consumer pursuant to this section shall include a written
summary of all rights the consumer has under this title and in the
case of a consumer credit reporting agency which compiles and
maintains consumer credit reports on a nationwide basis, a toll-free
telephone number which the consumer can use to communicate with the
consumer credit reporting agency. The written summary of rights
required under this subdivision is sufficient if in substantially the
following form:
"You have a right to obtain a copy of your credit file from a
consumer credit reporting agency. You may be charged a reasonable
fee not exceeding eight dollars ($8). There is no fee, however, if
you have been turned down for credit, employment, insurance, or a
rental dwelling because of information in your credit report within
the preceding 60 days. The consumer credit reporting agency must
provide someone to help you interpret the information in your credit
file.
You have a right to dispute inaccurate information by contacting
the consumer credit reporting agency directly. However, neither you
nor any credit repair company or credit service organization has the
right to have accurate, current, and verifiable information removed
from your credit report. Under the Federal Fair Credit Reporting
Act, the consumer credit reporting agency must remove accurate,
negative information from your report only if it is over seven years
old. Bankruptcy information can be reported for 10 years.
If you have notified a consumer credit reporting agency in writing
that you dispute the accuracy of information in your file, the
consumer credit reporting agency must then, within 30 business days,
reinvestigate and modify or remove inaccurate information. The
consumer credit reporting agency may not charge a fee for this
service. Any pertinent information and copies of all documents you
have concerning an error should be given to the consumer credit
reporting agency.
If reinvestigation does not resolve the dispute to your
satisfaction, you may send a brief statement to the consumer credit
reporting agency to keep in your file, explaining why you think the
record is inaccurate. The consumer credit reporting agency must
include your statement about disputed information in a report it
issues about you.
You have a right to receive a record of all inquiries relating to
a credit transaction initiated in 12 months preceding your request.
This record shall include the recipients of any consumer credit
report.
You may request in writing that the information contained in your
file not be provided to a third party for marketing purposes.
You have a right to place a "security alert" in your credit
report, which will warn anyone who receives information in your
credit report that your identity may have been used without your
consent. Recipients of your credit report are required to take
reasonable steps, including contacting you at the telephone number
you may provide with your security alert, to verify your identity
prior to lending money, extending credit, or completing the purchase,
lease, or rental of goods or services. The security alert may
prevent credit, loans, and services from being approved in your name
without your consent. However, you should be aware that taking
advantage of this right may delay or interfere with the timely
approval of any subsequent request or application you make regarding
a new loan, credit, mortgage, insurance, rental housing, employment,
investment, license, cellular phone, utilities, digital signature,
Internet credit card transaction, or other services, including an
extension of credit at point of sale. If you place a security alert
on your credit report, you have a right to obtain a free copy of your
credit report at the time the 90-day security alert period expires.
A security alert may be requested by calling the following toll-free
telephone number: (Insert applicable toll-free telephone number).
You have a right to place a "security freeze" on your credit
report, which will prohibit a consumer credit reporting agency from
releasing any information in your credit report without your express
authorization. A security freeze must be requested in writing by
certified mail. The security freeze is designed to prevent credit,
loans, and services from being approved in your name without your
consent. However, you should be aware that using a security freeze
to take control over who gets access to the personal and financial
information in your credit report may delay, interfere with, or
prohibit the timely approval of any subsequent request or application
you make regarding a new loan, credit, mortgage, insurance,
government services or payments, rental housing, employment,
investment, license, cellular phone, utilities, digital signature,
Internet credit card transaction, or other services, including an
extension of credit at point of sale. When you place a security
freeze on your credit report, you will be provided a personal
identification number or password to use if you choose to remove the
freeze on your credit report or authorize the release of your credit
report for a specific party or period of time after the freeze is in
place. To provide that authorization you must contact the consumer
credit reporting agency and provide all of the following:
(1) The personal identification number or password.
(2) Proper identification to verify your identity.
(3) The proper information regarding the third party who is to
receive the credit report or the period of time for which the report
shall be available.
A consumer credit reporting agency must authorize the release of
your credit report no later than three business days after receiving
the above information.
A security freeze does not apply to a person or entity, or its
affiliates, or collection agencies acting on behalf of the person or
entity, with which you have an existing account, that requests
information in your credit report for the purposes of reviewing or
collecting the account. Reviewing the account includes activities
related to account maintenance, monitoring, credit line increases,
and account upgrades and enhancements.
You have a right to bring civil action against anyone, including a
consumer credit reporting agency, who improperly obtains access to a
file, knowingly or willfully misuses file data, or fails to correct
inaccurate file data.
If you are a victim of identity theft and provide to a consumer
credit reporting agency a copy of a valid police report or a valid
investigative report made by a Department of Motor Vehicles
investigator with peace officer status describing your circumstances,
the following shall apply:
(1) You have a right to have any information you list on the
report as allegedly fraudulent promptly blocked so that the
information cannot be reported. The information will be unblocked
only if (A) the information you provide is a material
misrepresentation of the facts, (B) you agree that the information is
blocked in error, or (C) you knowingly obtained possession of goods,
services, or moneys as result of the blocked transactions. If
blocked information is unblocked you will be promptly notified.
(2) Beginning July 1, 2003, you have a right to receive, free of
charge and upon request, one copy of your credit report each month
for up to 12 consecutive months."
SEC. 4. Section 1786.60 of the Civil Code is amended to read:
1786.60. Notwithstanding subdivision (a) of Section 1798.85,
prior to July 1, 2004, any financial institution may print the social
security number of an individual on any account statement or similar
document mailed to that individual, if the social security number is
provided in connection with a transaction governed by the rules of
the National Automated Clearing House Association, or a transaction
initiated by a federal governmental entity through an automated
clearing house network.
SEC. 5. Section 1798.85 of the Civil Code is amended to read:
1798.85. (a) Except as provided in subdivisions (b), (h), and
(i), a person or entity may not do any of the following:
(1) Publicly post or publicly display in any manner an individual'
s social security number. "Publicly post" or "publicly display"
means to intentionally communicate or otherwise make available to the
general public.
(2) Print an individual's social security number on any card
required for the individual to access products or services provided
by the person or entity.
(3) Require an individual to transmit his or her social security
number over the Internet, unless the connection is secure or the
social security number is encrypted.
(4) Require an individual to use his or her social security number
to access an Internet Web site, unless a password or unique personal
identification number or other authentication device is also
required to access the Internet Web site.
(5) Print an individual's social security number on any materials
that are mailed to the individual, unless state or federal law
requires the social security number to be on the document to be
mailed. Notwithstanding this paragraph, social security numbers may
be included in applications and forms sent by mail, including
documents sent as part of an application or enrollment process, or to
establish, amend or terminate an account, contract or policy, or to
confirm the accuracy of the social security number.
(b) Except as provided in subdivision (e), a person or entity that
has used, prior to July 1, 2002, an individual's social security
number in a manner inconsistent with subdivision (a), may continue
using that individual's social security number in that manner on or
after July 1, 2002, and a state or local agency that has used, prior
to January 1, 2004, an individual's social security number in a
manner inconsistent with subdivision (a), may continue using that
individual's social security number in that manner on or after
January 1, 2004, if all of the following conditions are met:
(1) The use of the social security number is continuous. If the
use is stopped for any reason, subdivision (a) shall apply.
(2) The individual is provided an annual disclosure that informs
the individual that he or she has the right to stop the use of his or
her social security number in a manner prohibited by subdivision
(a).
(3) A written request by an individual to stop the use of his or
her social security number in a manner prohibited by subdivision (a)
is implemented within 30 days of the receipt of the request. There
may not be a fee or charge for implementing the request.
(4) The person or entity does not deny services to an individual
because the individual makes a written request pursuant to this
subdivision.
(c) This section does not prevent the collection, use, or release
of a social security number as required by state or federal law or
the use of a social security number for internal verification or
administrative purposes.
(d) This section does not apply to documents that are recorded or
required to be open to the public pursuant to Chapter 3.5 (commencing
with Section 6250), Chapter 14 (commencing with Section 7150) or
Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1
of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1
of Division 3 of Title 2 of, or Chapter 9 (commencing with Section
54950) of Part 1 of Division 2 of Title 5 of, the Government Code.
This section does not apply to records that are required by statute,
case law, or California Rule of Court, to be made available to the
public by entities provided for in Article VI of the California
Constitution.
(e) (1) In the case of a health care service plan, a provider of
health care, an insurer or a pharmacy benefits manager, a contractor
as defined in Section 56.05, or the provision by any person or entity
of administrative or other services relative to health care or
insurance products or services, including third-party administration
or administrative services only, this section shall become operative
in the following manner:
(A) On or before January 1, 2003, the entities listed in paragraph
(1) of subdivision (e) shall comply with paragraphs (1), (3), (4),
and (5) of subdivision (a) as these requirements pertain to
individual policyholders or individual contractholders.
(B) On or before January 1, 2004, the entities listed in paragraph
(1) of subdivision (e) shall comply with paragraphs (1) to (5),
inclusive, of subdivision (a) as these requirements pertain to new
individual policyholders or new individual contractholders and new
groups, including new groups administered or issued on or after
January 1, 2004.
(C) On or before July 1, 2004, the entities listed in paragraph
(1) of subdivision (e) shall comply with paragraphs (1) to (5),
inclusive, of subdivision (a) for all individual policyholders and
individual contractholders, for all groups, and for all enrollees of
the Healthy Families and Medi-Cal programs, except that for
individual policyholders, individual contractholders and groups in
existence prior to January
1, 2004, the entities listed in paragraph (1) of subdivision (e)
shall comply upon the renewal date of the policy, contract, or group
on or after July 1, 2004, but no later than July 1, 2005.
(2) A health care service plan, a provider of health care, an
insurer or a pharmacy benefits manager, a contractor, or another
person or entity as described in paragraph (1) of subdivision (e)
shall make reasonable efforts to cooperate, through systems testing
and other means, to ensure that the requirements of this article are
implemented on or before the dates specified in this section.
(3) Notwithstanding paragraph (2), the Director of the Department
of Managed Health Care, pursuant to the authority granted under
Section 1346 of the Health and Safety Code, or the Insurance
Commissioner, pursuant to the authority granted under Section 12921
of the Insurance Code, and upon a determination of good cause, may
grant extensions not to exceed six months for compliance by health
care service plans and insurers with the requirements of this section
when requested by the health care service plan or insurer. Any
extension granted shall apply to the health care service plan or
insurer's affected providers, pharmacy benefits manager, and
contractors.
(f) If a federal law takes effect requiring the United States
Department of Health and Human Services to establish a national
unique patient health identifier program, a provider of health care,
a health care service plan, a licensed health care professional, or a
contractor, as those terms are defined in Section 56.05, that
complies with the federal law shall be deemed in compliance with this
section.
(g) A person or entity may not encode or embed a social security
number in or on a card or document, including, but not limited to,
using a bar code, chip, magnetic strip, or other technology, in place
of removing the social security number, as required by this section.
(h) This section shall become operative, with respect to the
University of California, in the following manner:
(1) On or before January 1, 2004, the University of California
shall comply with paragraphs (1), (2), and (3) of subdivision (a).
(2) On or before January 1, 2005, the University of California
shall comply with paragraphs (4) and (5) of subdivision (a).
(i) This section shall become operative with respect to the
Franchise Tax Board on January 1, 2007.
(j) This section shall become operative with respect to the
California community college districts on January 1, 2007.
(k) This section shall become operative with respect to the
California State University system on July 1, 2005.
(l) This section shall become operative, with respect to the
California Student Aid Commission and its auxiliary organization, in
the following manner:
(1) On or before January 1, 2004, the commission and its auxiliary
organization shall comply with paragraphs (1), (2), and (3) of
subdivision (a).
(2) On or before January 1, 2005, the commission and its auxiliary
organization shall comply with paragraphs (4) and (5) of subdivision
(a).
SEC. 5.5. Section 1798.85 of the Civil Code is amended to read:
1798.85. (a) Except as provided in subdivisions (b), (h), and
(i), a person or entity may not do any of the following:
(1) Publicly post or publicly display in any manner an individual'
s social security number. "Publicly post" or "publicly display"
means to intentionally communicate or otherwise make available to the
general public.
(2) Print an individual's social security number on any card
required for the individual to access products or services provided
by the person or entity.
(3) Require an individual to transmit his or her social security
number over the Internet, unless the connection is secure or the
social security number is encrypted.
(4) Require an individual to use his or her social security number
to access an Internet Web site, unless a password or unique personal
identification number or other authentication device is also
required to access the Internet Web site.
(5) Print an individual's social security number on any materials
that are mailed to the individual, unless state or federal law
requires the social security number to be on the document to be
mailed. Notwithstanding this paragraph, social security numbers may
be included in applications and forms sent by mail, including
documents sent as part of an application or enrollment process, or to
establish, amend or terminate an account, contract or policy, or to
confirm the accuracy of the social security number. A social
security number that is permitted to be mailed under this section may
not be printed, in whole or in part, on a postcard or other mailer
not requiring an envelope, or visible on the envelope or without the
envelope having been opened.
(b) Except as provided in subdivision (e), a person or entity
that has used, prior to July 1, 2002, an individual's social security
number in a manner inconsistent with subdivision (a), may continue
using that individual's social security number in that manner on or
after July 1, 2002, and a state or local agency that has used, prior
to January 1, 2004, an individual's social security number in a
manner inconsistent with subdivision (a), may continue using that
individual's social security number in that manner on or after
January 1, 2004, if all of the following conditions are met:
(1) The use of the social security number is continuous. If the
use is stopped for any reason, subdivision (a) shall apply.
(2) The individual is provided an annual disclosure, that informs
the individual that he or she has the right to stop the use of his or
her social security number in a manner prohibited by subdivision
(a).
(3) A written request by an individual to stop the use of his or
her social security number in a manner prohibited by subdivision (a)
is implemented within 30 days of the receipt of the request. There
may not be a fee or charge for implementing the request.
(4) The person or entity does not deny services to an individual
because the individual makes a written request pursuant to this
subdivision.
(c) This section does not prevent the collection, use, or release
of a social security number as required by state or federal law or
the use of a social security number for internal verification or
administrative purposes.
(d) This section does not apply to documents that are recorded or
required to be open to the public pursuant to Chapter 3.5 (commencing
with Section 6250), Chapter 14 (commencing with Section 7150) or
Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1
of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1
of Division 3 of Title 2 of, or Chapter 9 (commencing with Section
54950) of Part 1 of Division 2 of Title 5 of, the Government Code.
This section does not apply to records that are required by statute,
case law, or California Rule of Court, to be made available to the
public by entities provided for in Article VI of the California
Constitution.
(e) (1) In the case of a health care service plan, a provider of
health care, an insurer or a pharmacy benefits manager, a contractor
as defined in Section 56.05, or the provision by any person or entity
of administrative or other services relative to health care or
insurance products or services, including third-party administration
or administrative services only, this section shall become operative
in the following manner:
(A) On or before January 1, 2003, the entities listed in paragraph
(1) of subdivision (e) shall comply with paragraphs (1), (3), (4),
and (5) of subdivision (a) as these requirements pertain to
individual policyholders or individual contractholders.
(B) On or before January 1, 2004, the entities listed in paragraph
(1) of subdivision (e) shall comply with paragraphs (1) to (5),
inclusive, of subdivision (a) as these requirements pertain to new
individual policyholders or new individual contractholders and new
groups, including new groups administered or issued on or after
January 1, 2004.
(C) On or before July 1, 2004, the entities listed in paragraph
(1) of subdivision (e) shall comply with paragraphs (1) to (5),
inclusive, of subdivision (a) for all individual policyholders and
individual contractholders, for all groups, and for all enrollees of
the Healthy Families and Medi-Cal programs, except that for
individual policyholders, individual contractholders and groups in
existence prior to January 1, 2004, the entities listed in paragraph
(1) of subdivision (e) shall comply upon the renewal date of the
policy, contract, or group on or after July 1, 2004, but no later
than July 1, 2005.
(2) A health care service plan, a provider of health care, an
insurer or a pharmacy benefits manager, a contractor, or another
person or entity as described in paragraph (1) of subdivision (e)
shall make reasonable efforts to cooperate, through systems testing
and other means, to ensure that the requirements of this article are
implemented on or before the dates specified in this section.
(3) Notwithstanding paragraph (2), the Director of the Department
of Managed Health Care, pursuant to the authority granted under
Section 1346 of the Health and Safety Code, or the Insurance
Commissioner, pursuant to the authority granted under Section 12921
of the Insurance Code, and upon a determination of good cause, may
grant extensions not to exceed six months for compliance by health
care service plans and insurers with the requirements of this section
when requested by the health care service plan or insurer. Any
extension granted shall apply to the health care service plan or
insurer's affected providers, pharmacy benefits manager, and
contractors.
(f) If a federal law takes effect requiring the United States
Department of Health and Human Services to establish a national
unique patient health identifier program, a provider of health care,
a health care service plan, a licensed health care professional, or a
contractor, as those terms are defined in Section 56.05, that
complies with the federal law shall be deemed in compliance with this
section.
(g) A person or entity may not encode or embed a social security
number in or on a card or document, including, but not limited to,
using a bar code, chip, magnetic strip, or other technology, in place
of removing the social security number, as required by this section.
(h) This section shall become operative, with respect to the
University of California, in the following manner:
(1) On or before January 1, 2004, the University of California
shall comply with paragraphs (1), (2), and (3) of subdivision (a).
(2) On or before January 1, 2005, the University of California
shall comply with paragraphs (4) and (5) of subdivision (a).
(i) This section shall become operative with respect to the
Franchise Tax Board on January 1, 2007.
(j) This section shall become operative with respect to the
California community college districts on January 1, 2007.
(k) This section shall become operative with respect to the
California State University system on July 1, 2005.
(l) This section shall become operative, with respect to the
California Student Aid Commission and its auxiliary organization, in
the following manner:
(1) On or before January 1, 2004, the commission and its auxiliary
organization shall comply with paragraphs (1), (2), and (3) of
subdivision (a).
(2) On or before January 1, 2005, the commission and its auxiliary
organization shall comply with paragraphs (4) and (5) of subdivision
(a).
SEC. 6. Section 1.5 of this bill incorporates amendments to
Section 1785.11.1 of the Civil Code proposed by this bill and SB 602.
It shall only become operative if (1) both bills are enacted and
become effective on or before January 1, 2004, (2) each bill amends
Section 1785.11.1 of the Civil Code, and (3) this bill is enacted
after SB 602, in which case Section 1785.11.1 of the Civil Code, as
amended by SB 602, shall remain operative only until the operative
date of this bill, at which time Section 1.5 set forth in Section 8
shall become operative, and Section 1 of this bill shall not become
operative.
SEC. 7. Section 5.5 of this bill incorporates amendments to
Section 1798.85 of the Civil Code proposed by both this bill and AB
763. It shall only become operative if (1) both bills are enacted
and become effective on or before January 1, 2004, (2) each bill
amends Section 1798.85 of the Civil Code, and (3) this bill is
enacted after AB 763, in which case Section 5 of this bill shall not
become operative.
SEC. 8. Section 1 or 1.5 of this act shall become operative on
July 1, 2004.