BILL ANALYSIS �
SENATE JUDICIARY COMMITTEE
Senator Joseph L. Dunn, Chair
2005-2006 Regular Session
SB 550 S
Senator Speier B
As Amended May 2, 2005
Hearing Date: May 3, 2005 5
Civil Code 5
SK/ADM:cjt 0
SUBJECT
Personal Information: Data Brokers
DESCRIPTION
This bill would declare the intent of the Legislature to
enact legislation allowing consumers access to their
personal information held by data brokers and the ability
to request corrections in that information from the source
of the error.
BACKGROUND
SB 550 was heard on April 26, 2005 by this Committee and
rescheduled for hearing today in an effort to address
overbreadth concerns regarding the scope of the bill. The
bill has been amended since its last hearing date to delete
all substantive provisions of the bill. Instead, the bill
contains language expressing the intent of the Legislature
to enact legislation addressing the issue of personal
information held by data brokers, as noted above.
Representatives of groups opposing the prior version of the
measure have been notified that the bill has been gutted
and amended to insert the above intent language, and none
have raised objections to moving the bill in intent form as
a vehicle for further discussions.
This bill stems from recent security breaches at data
broker companies such as ChoicePoint and Seisint, a
subsidiary of LexisNexis. In the ChoicePoint incident,
identity thieves posed as legitimate debt collection and
(more)
�
SB 550 (Speier)
Page 2
insurance business customers in order to obtain access to
the company's databases. Press reports indicated that the
thieves stole personal information (including names,
addresses, social security numbers and financial
information) about 145,000 U.S. customers, including 65,000
from California. Newspaper accounts have also reported
that files of data brokers are often riddled with errors.
As a result, on March 30, 2005, the author's Committee on
Banking, Finance and Insurance held an informational
hearing entitled "After the Breach: How secure and accurate
is consumer information held by ChoicePoint and other data
aggregators?" Newspaper articles reported that
ChoicePoint's vice president for data acquisition indicated
at the hearing that the company would support legislation
that permitted consumers to see, and correct if necessary,
records that the company kept on them. ("State Lawmakers
Grill ChoicePoint Over Privacy Concerns, Potential for ID
Theft," Los Angeles Times, March 31, 2005.)
These security breaches have heightened awareness of this
burgeoning industry and the massive amounts of information
compiled about Americans and contained in the companies'
databases. According to the background paper prepared by
the Committee on Banking, Finance and Insurance for its
informational hearing, ChoicePoint has "expanded its
database of consumer information so that today it has over
50,000 government and corporate clients and stock worth
$4.1 billion. Various news reports state that ChoicePoint
has compiled approximately 19 billion public records in its
database and has records on virtually all US residents."
CHANGES TO EXISTING LAW
Existing law , the California Constitution, provides that,
among other rights, all people have an inalienable right to
pursue and obtain privacy. (California Constitution,
Article I, Section 1.)
Existing federal law , the Fair Credit Reporting Act (FCRA)
(15 U.S.C. 1681 et seq.), as amended by the Fair and
Accurate Credit Transactions Act of 2003 (FACT Act) (Public
Law 108-159), provides consumers, upon their request, with
one free credit report from each consumer reporting agency
in every 12-month period. Consumers are entitled to all
information in the consumer's file at the time of the
�
SB 550 (Speier)
Page 3
request, except as specified, and the companies are
responsible for correcting inaccuracies. The FCRA covers
credit bureaus and other issuers of consumer reports such
as tenant screening services and employment screening
services. Use of consumer credit reports is limited under
FCRA to "permissible purposes" which include employment,
credit, insurance, rental housing, child support
enforcement and collection purposes.
Existing law requires that a business must either: 1)
disclose to customers, upon request, what categories of
personal information the business shares with third parties
for marketing purposes, or 2) provide customers with the
ability to opt-out of having their information shared for
marketing purposes. (Civil Code Section 1798.83.)
This bill would express the intent of the Legislature to
enact legislation allowing consumers access to their
personal information held by data brokers and the ability
to request corrections in that information from the source
of the error.
COMMENT
1.Intent bill being moved as a vehicle to enable continued
discussions, with commitment to return any final product
to this Committee
As heard by the Committee last week, SB 550 would have
given consumers the right to see their personally
identifiable information held by a data broker and to
make any corrections in that information. The bill would
have also required data brokers, both quarterly and upon
request, to notify a consumer of the names and address of
all recipients of a report about the consumer and to
furnish a copy of any reported data, as specified.
Much concern was raised regarding the overbreadth of the
bill's application, particularly with respect to its
proposed definitions of "data broker," "report" and
"personally identifiable information." Opponents also
contended that the notice, furnishing a copy, and
correction provisions in the bill were unworkable.
At the suggestion of the Committee Chair, the bill has been
�
SB 550 (Speier)
Page 4
amended to delete all of its substantive provisions and
instead insert legislative intent language as described
above. This bill process will allow for continued
discussions and, hopefully, enable the author to more
precisely define the bill's key definitional terms and
refine its scope. At the committee's request, the three
known largest data brokers in the industry (ChoicePoint,
LexisNexis, and Acxiom) have been asked to furnish a
description of their business models in order to provide
members with a better understanding of what they do and
don't do (e.g., generally speaking, what kind of reports
and information are furnished to what type of
consumer/receiver). The three companies were also
invited to explain, if applicable, why some of their
business activities should not be considered as "data
brokering," so that potential overbreadth can be avoided.
Committee staff believes that the requested information
would help facilitate future discussions.
2.Stated need for reform
The author states:
Consumers in California place a premium on the
security and privacy of their personal information,
and overwhelmingly they expect to have control over
access to their information by individuals and
businesses. . . . Over the past several years, an
industry specializing in the collection, manipulation,
and sale of consumers' personal information has
developed such that some leaders of the industry
maintain billions of records on virtually every
citizen in the nation. Paradoxically, this "data
broker" industry has remained in virtual obscurity, so
that most consumers are unaware of its existence.
The information collected and sold by data brokers may
be used by any number of individuals or entities for
use in employment screening, private investigations,
collections, law enforcement, etc. without the
consumer knowing about the data transaction.
Moreover, when the consumer does discover that his or
her information is held by a data broker, he or she
may not have the ability to review all of the
information or to correct errors. Strong anecdotal
�
SB 550 (Speier)
Page 5
reports and surveys suggest that many consumer records
owned by data brokers contain inaccurate information.
Supporters Privacy Rights Clearinghouse and World Privacy
Forum argue that the bill is needed to give consumers
more control over their personal information that is
collected, compiled and sold by commercial data brokers.
Support: Consumer Federation of California; Privacy Rights
Clearinghouse; World Privacy Forum
Opposition: None known (to May 2 version)
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation: AB 1950 (Wiggins), Chapter 877, Statutes
of 2004, required businesses to maintain
reasonable security procedures
SB 27 (Figueroa), Chapter 505, Statutes of 2003, related to
disclosure by businesses of categories of
personal information, as described above
SB 1386 (Peace), Chapter 915, Statutes of 2002, added
existing law's requirements regarding notice
of security breach
SB 168 (Bowen), Chapter 720, Statutes of 2001 added
protections allowing consumers to place a
security freeze on their credit reports
**************