BILL ANALYSIS

SENATE JUDICIARY COMMITTEE
Senator Joseph L. Dunn, Chair
2005-2006 Regular Session

SB 550
Senator Speier
As Amended May 2, 2005
Hearing Date: May 3, 2005
Civil Code
SK/ADM:cjt

SUBJECT

Personal Information: Data Brokers

DESCRIPTION

This bill would declare the intent of the Legislature to enact legislation allowing consumers access to their personal information held by data brokers and the ability to request corrections in that information from the source of the error.

BACKGROUND

SB 550 was heard on April 26, 2005 by this Committee and rescheduled for hearing today in an effort to address overbreadth concerns regarding the scope of the bill. The bill has been amended since its last hearing date to delete all substantive provisions of the bill. Instead, the bill contains language expressing the intent of the Legislature to enact legislation addressing the issue of personal information held by data brokers, as noted above. Representatives of groups opposing the prior version of the measure have been notified that the bill has been gutted and amended to insert the above intent language, and none have raised objections to moving the bill in intent form as a vehicle for further discussions.

This bill stems from recent security breaches at data broker companies such as ChoicePoint and Seisint, a subsidiary of LexisNexis. In the ChoicePoint incident, identity thieves posed as legitimate debt collection and insurance business customers in order to obtain access to the company's databases. Press reports indicated that the thieves stole personal information (including names, addresses, social security numbers and financial information) about 145,000 U.S. customers, including 65,000 from California. Newspaper accounts have also reported that files of data brokers are often riddled with errors.

As a result, on March 30, 2005, the author's Committee on Banking, Finance and Insurance held an informational hearing entitled "After the Breach: How secure and accurate is consumer information held by ChoicePoint and other data aggregators?" Newspaper articles reported that ChoicePoint's vice president for data acquisition indicated at the hearing that the company would support legislation that permitted consumers to see, and correct if necessary, records that the company kept on them. ("State Lawmakers Grill ChoicePoint Over Privacy Concerns, Potential for ID Theft," Los Angeles Times, March 31, 2005.)

These security breaches have heightened awareness of this burgeoning industry and the massive amounts of information compiled about Americans and contained in the companies' databases. According to the background paper prepared by the Committee on Banking, Finance and Insurance for its informational hearing, ChoicePoint has "expanded its database of consumer information so that today it has over 50,000 government and corporate clients and stock worth $4.1 billion. Various news reports state that ChoicePoint has compiled approximately 19 billion public records in its database and has records on virtually all US residents."

CHANGES TO EXISTING LAW

Existing law, the California Constitution, provides that, among other rights, all people have an inalienable right to pursue and obtain privacy. (California Constitution, Article I, Section 1.)

Existing federal law, the Fair Credit Reporting Act (FCRA) (15 U.S.C. 1681 et seq.), as amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) (Public Law 108-159), provides consumers, upon their request, with one free credit report from each consumer reporting agency in every 12-month period. Consumers are entitled to all information in the consumer's file at the time of the request, except as specified, and the companies are responsible for correcting inaccuracies.

The FCRA covers credit bureaus and other issuers of consumer reports such as tenant screening services and employment screening services. Use of consumer credit reports is limited under FCRA to "permissible purposes" which include employment, credit, insurance, rental housing, child support enforcement and collection purposes.

Existing law requires that a business must either: 1) disclose to customers, upon request, what categories of personal information the business shares with third parties for marketing purposes, or 2) provide customers with the ability to opt-out of having their information shared for marketing purposes. (Civil Code Section 1798.83.)

This bill would express the intent of the Legislature to enact legislation allowing consumers access to their personal information held by data brokers and the ability to request corrections in that information from the source of the error.

COMMENT

1. Intent bill being moved as a vehicle to enable continued discussions, with commitment to return any final product to this Committee

As heard by the Committee last week, SB 550 would have given consumers the right to see their personally identifiable information held by a data broker and to make any corrections in that information. The bill would have also required data brokers, both quarterly and upon request, to notify a consumer of the names and address of all recipients of a report about the consumer and to furnish a copy of any reported data, as specified.

Much concern was raised regarding the overbreadth of the bill's application, particularly with respect to its proposed definitions of "data broker," "report" and "personally identifiable information." Opponents also contended that the notice, furnishing a copy, and correction provisions in the bill were unworkable.

At the suggestion of the Committee Chair, the bill has been amended to delete all of its substantive provisions and instead insert legislative intent language as described above. This bill process will allow for continued discussions and, hopefully, enable the author to more precisely define the bill's key definitional terms and refine its scope.

At the committee's request, the three known largest data brokers in the industry (ChoicePoint, LexisNexis, and Acxiom) have been asked to furnish a description of their business models in order to provide members with a better understanding of what they do and don't do (e.g., generally speaking, what kind of reports and information are furnished to what type of consumer/receiver). The three companies were also invited to explain, if applicable, why some of their business activities should not be considered as "data brokering," so that potential overbreadth can be avoided. Committee staff believes that the requested information would help facilitate future discussions.

2. Stated need for reform

The author states:

Consumers in California place a premium on the security and privacy of their personal information, and overwhelmingly they expect to have control over access to their information by individuals and businesses. . . .

Over the past several years, an industry specializing in the collection, manipulation, and sale of consumers' personal information has developed such that some leaders of the industry maintain billions of records on virtually every citizen in the nation. Paradoxically, this "data broker" industry has remained in virtual obscurity, so that most consumers are unaware of its existence. The information collected and sold by data brokers may be used by any number of individuals or entities for use in employment screening, private investigations, collections, law enforcement, etc. without the consumer knowing about the data transaction.

Moreover, when the consumer does discover that his or her information is held by a data broker, he or she may not have the ability to review all of the information or to correct errors. Strong anecdotal reports and surveys suggest that many consumer records owned by data brokers contain inaccurate information.

Supporters Privacy Rights Clearinghouse and World Privacy Forum argue that the bill is needed to give consumers more control over their personal information that is collected, compiled and sold by commercial data brokers.

Support: Consumer Federation of California; Privacy Rights Clearinghouse; World Privacy Forum

Opposition: None known (to May 2 version)

HISTORY

Source: Author

Related Pending Legislation: None Known

Prior Legislation:

AB 1950 (Wiggins), Chapter 877, Statutes of 2004, required businesses to maintain reasonable security procedures

SB 27 (Figueroa), Chapter 505, Statutes of 2003, related to disclosure by businesses of categories of personal information, as described above

SB 1386 (Peace), Chapter 915, Statutes of 2002, added existing law's requirements regarding notice of security breach

SB 168 (Bowen), Chapter 720, Statutes of 2001 added protections allowing consumers to place a security freeze on their credit reports