BILL ANALYSIS
SB 550
Page 1
Date of Hearing: July 5, 2005
ASSEMBLY COMMITTEE ON JUDICIARY
Dave Jones, Chair
SB 550 (Speier) - As Amended: June 28, 2005
SENATE VOTE : 23-10
SUBJECT : PERSONAL INFORMATION: DATA BROKERS
KEY ISSUES :
1)SHOULD INDIVIDUAL CONSUMERS HAVE A RIGHT TO ACCESS THEIR
PERSONAL INFORMATION THAT BUSINESSES COMPILE AND SELL WITHOUT
THEIR KNOWLEDGE, AND SEEK TO CORRECT ERRORS IN THAT
INFORMATION?
2)SHOULD CONSUMERS BE ABLE TO BRING A PRIVATE RIGHT OF ACTION TO
ENFORCE THE PROVISIONS OF THE ACT, AND EXISTING LAWS REQUIRING
BUSINESSES OWNING OR LICENSING PERSONAL INFORMATION TO
MAINTAIN ADEQUATE SECURITY BREACHES AND NOTIFY INDIVIDUALS
WHEN THEIR PERSONAL INFORMATION IS BREACHED?
SYNOPSIS
This bill provides individuals with access to, and an
opportunity to correct, their files compiled by data brokers.
The bill is modeled after the federal Fair Credit Reporting Act
(FCRA) and includes many consumer protections provided by the
FCRA. The bill requires data brokers to have a dependable
authentication process to ensure that only permitted parties
access the data files, and provides consumers with a private
right of action for violations of the security provisions.
Opponents of the bill argue that it unintentionally covers too
many entities, the conditions are too onerous, and that the bill
will make data broker information less reliable and more
expensive. Supporters of the bill state that SB 550 is
necessary to give consumers more control over their personal
information that is compiled and sold. They state that the
information collected by data brokers is used for employment,
law enforcement and various other purposes. Therefore,
inaccurate information can have very detrimental effects.
SUMMARY : Permits individuals to access and correct their files
compiled by data brokers, and requires data brokers to take
steps to protect their information from unauthorized access.
Specifically, this bill :
1)Requires a data broker (i.e. a nongovernmental entity that
regularly engages in compiling or maintaining consumer data
files for the purpose of providing consumer data files to
nonaffiliated third parties for money) to provide, upon
request, all data files maintained or compiled by the broker
about the individual, and the specific sources of the consumer
data files about the individual. Requires the data broker to
provide one free report annually.
2)Requires data brokers to verify proper identification as a
condition of disclosing personally identifiable information.
3)Requires a data broker to allow an individual the right to
request and receive prompt correction of errors in his or her
data fields - including a requirement that the data broker
must reinvestigate disputed items, correct inaccurate
information, and permit the individual to file a statement of
the dispute. Clarifies that a data broker does not have an
obligation to correct disputed information if it accurately
reflects information contained in a public record or the
source fails to confirm the accuracy of the information.
4)Requires a data broker to clearly and conspicuously notify
consumers via its website (through certain specified means)
and through its customer service telephone number that a
person has a right to access personally identifiable
information and receive the prompt correction of errors; the
website must contain additional notice such as whether
specific data (e.g. four or more digits of the social security
number) may be communicated to a third party.
5)Requires a data broker to have a secure and dependable
authentication process for each third party that the data
broker permits to access the consumer data files.
6)Provides that any individual injured by a violation of the Act
and other existing security provisions may institute a civil
action to recover civil damages not to exceed $3,000 and to
enjoin the data broker.
EXISTING LAW :
1)Provides in the California Constitution that, among other
rights, all people have an inalienable right to pursue and
obtain privacy. (California Constitution, Article I, Section
1.)
2)Provides in the federal Fair Credit Reporting Act (FCRA) (15
U.S.C. 1681 et seq.), as amended by the Fair and Accurate
Credit Transactions Act of 2003 (FACT Act) (Public Law
108-159), consumers, upon their request, with one free credit
report from each consumer reporting agency in every 12-month
period. Consumers are entitled to all information in the
consumer's file at the time of the request, except as
specified, and the companies are responsible for correcting
inaccuracies. The FCRA covers credit bureaus and other
issuers of consumer reports such as tenant screening services
and employment screening services. Use of consumer credit
reports is limited under FCRA to "permissible purposes" which
include employment, credit, insurance, rental housing, child
support enforcement and collection purposes.
3)Requires a business that owns or licenses personal information
about a California resident to implement and maintain
reasonable security procedures and practices appropriate to
the nature of the information, to protect the information from
unauthorized access, destruction, use, modification or
disclosure. (Civil Code Section 1798.81.5.)
4)Requires that a business must either: 1) disclose to
customers, upon request, what categories of personal
information the business shares with third parties for
marketing purposes, or 2) provide customers with the ability
to opt-out of having their information shared for marketing
purposes. (Civil Code Section 1798.83.)
FISCAL EFFECT : As currently in print, this bill is keyed
nonfiscal.
COMMENTS : Recent database breaches have highlighted the amount
of information collected about individuals by data brokers, and
supporters argue that SB 550 is necessary to give consumers more
control over their personal information that is collected,
compiled, and sold by commercial data brokers. According to the
author:
SB 550 would extend consumer access requirements that
currently apply to consumer reporting agencies under the
federal Fair Credit Reporting Act.... Specifically, the
bill would give consumers the right to view all of the
information about them held by "data brokers," businesses
that collect information for the purpose of selling it to
third parties. The bill would also establish a process
analogous to the one established in the FCRA whereby a
consumer could dispute the accuracy of the information
collected and sold by data brokers.
The author explains why this bill is necessary:
California consumers have a basic right to know what
personal information about them is held by businesses. In
general, individuals are aware of the type of information
they provide to banks, for example, and other businesses
with which they have a customer relationship, but ... [t]he
more attenuated ... the customer-business relationship
becomes, the greater the need to provide consumers with
information about where their information is flowing and
how it is being used.
"Data brokers" are similar to credit reporting agencies and
distinguished from financial institutions and retailers
because they collect information on individuals without
those individuals' knowledge or consent. Because the
individual consumer is not involved in the data collection,
it is critical that he or she have the right to see the
data once it is collected for sale to third parties.
The bill targets several problems in the data broker world.
First, the bill requires data brokers to have a process of
client authentication to guard against identity thieves posing
as legitimate clients, as occurred in the ChoicePoint breach.
Second, the author indicates that employers, financial
institutions, law enforcement officials and others make
decisions about consumers based on files purchased from data
brokers, but consumers have no opportunity to know what
information is shared and to ensure that it is accurate.
Therefore, the bill allows consumers to receive one free report
of their data file each year, and requires data brokers to
establish a process by which a consumer can correct errors on
the report. Finally, existing law gives customers a private
right of action for breaches of security procedures related to
the collection of personal information. However, because an
individual consumer is generally not the customer of a data
broker, an individual consumer generally does not have a private
right of action to recover damages if injured by a violation of
these laws. This bill would provide a cause of action to an
individual who was injured by an unauthorized disclosure of
personal information by an entity's failure to maintain security
procedures.
ARGUMENTS IN SUPPORT : Supporters of the bill state that
consumers consistently report that they want to be in control of
who can obtain information about them and have voiced concern
that "the robust data profiles compiled about them are not held
securely." CALPIRG states:
When ChoicePoint revealed that certain Californians were at
risk because it sold their data to identity thieves, the
most shocking aspect of the revelation may have been that a
heretofore unknown company maintained and distributed
sensitive data on roughly 19 million Americans. It's not
just the fact that the ChoicePoint debacle put Americans at
risk of having their identities stolen; it's also the fact
that these brokers maintain and sell dossiers on Americans,
and we have no right to inspect them for accuracy or to see
who is purchasing our information.
Consumer Federation of California explains that experts who have
inspected records held by data brokers report widespread
inaccuracies, which can have serious consequences:
When this data is provided to prospective employers,
landlords, creditors, or government agencies, harm to the
individual may result. In 2000, a subsidiary of
ChoicePoint erroneously reported to Florida election
officials that 8000 Florida voters were convicted
felons, when they, in fact, had no felony convictions.
Several reports have criticized the accuracy of data brokers'
files. For example, an MSNBC article profiled several persons
with inaccurate information in their files, including false
criminal reports and a false death report. (See
http://www.msnbc.msn.com/id/7118767/ , last accessed June 28,
2005). Privacy Activism looked at 11 reports from ChoicePoint
and Acxiom and found that all of them had at least one error.
( http://www.privacyactivism.org/DataAggregatorsStudy )
Supporters of the bill state that the provisions of SB 550
conform to fair information principles, such as allowing
consumers to find out what is on file about them and how the
record can be corrected or amended. Consumer Action states,
"These elements provide a foundation of fairness for consumers,
giving them the tools to have more control over uses of their
sensitive personal information."
ARGUMENTS IN OPPOSITION : Opponents of the bill state that they
are already committed to the responsible use of personally
identifiable information. They have objected that the
definition of "data broker" is vague and "is broad
enough to include virtually every business that utilizes
personal information even for such routine operations as billing
and processing of payrolls." The bill defines data broker as
any person, other than a governmental entity, that regularly
engages in compiling or maintaining consumer data files used for
the purpose of providing consumer data files to nonaffiliated
third parties for monetary fees. The bill also clarifies that a
data broker does not include financial institutions, a covered
entity as defined under HIPAA regulations, and a person that
only furnishes personal information found in public records
relating to property interests or characteristics (i.e. title
companies).
In response to other opposition, the author has made several
amendments. For example, although consumers have a right to
dispute inaccuracies in their personal information, data brokers
do not have to correct the information if the source of the
information fails to confirm the accuracy of the information or
the record accurately reflects information contained in the
public record. This responds to the argument that a data broker
only compiles information, rather than creating it. Also in
response to opposition, the author deleted a notice requirement
(which would have been given whenever a report was issued about
a person) and an opt-out provision (which would have enabled
individuals to be excluded from a report). The author
significantly narrowed the definition of "consumer data file" in
light of opposition's concerns, and took several other
amendments. It is unclear whether the numerous amendments have
removed some of the opposition.
Companies who continue to oppose the bill state that it would
"place unnecessary regulatory burdens on many commercial
databases." They state that the bill would seriously impact
customers and the general public that depend on data broker
services. They elaborate, "For example, SB 550 would require
the implementation of an extremely costly consumer dispute
statement system that could be used widely by fraudsters,
deadbeat parents and other criminals to escape detection."
The FCRA has a nearly identical consumer dispute statement
process. The Committee is unaware of "fraudsters, deadbeat
parents and other criminals" using the dispute process to escape
detection. Opponents also state that the bill would make data
broker products less useful and more expensive. These fears
also seem to stem from a consumer's ability to verify and
dispute the information in the database. However, the
provisions of the bill are very similar to the access
requirements found in the FCRA, and the Committee is unaware of
data showing that the FCRA has made credit reporting agencies
less reliable and more expensive.
Opponents argue that SB 550 will impose a number of other
onerous requirements. They also object to amending existing
laws to permit private causes of action for individuals injured
by breaches of security procedures. They state that this
provision would impact a wide range of businesses.
Prior Related Legislation: AB 1950 (Wiggins), Chapter 877,
Statutes of 2004, required businesses to maintain reasonable
security procedures. SB 27 (Figueroa), Chapter 505, Statutes of
2003, related to disclosure by businesses of certain categories
of personal information. SB 1386 (Peace), Chapter 915, Statutes
of 2002, added existing law's requirements regarding notice of
security breach. SB 168 (Bowen), Chapter 720, Statutes of 2001,
added protections allowing consumers to place a security freeze
on their credit reports.
REGISTERED SUPPORT / OPPOSITION :
Support
CalPIRG
Consumer Action
Consumer Federation of California
Consumers Union
Privacy Rights Clearinghouse
World Privacy Forum
Opposition
Acxiom
American Electronics Association
Association of California Insurance Companies
California Association of Collectors
California Association of Licensed Investigators
California Bankers Association
California Chamber of Commerce
California Financial Services Association
California Mortgage Bankers Association
California Retailers Association
ChoicePoint
Experian
First American Corporation
LexisNexis
NetChoice
TransUnion
Analysis Prepared by : Elizabeth Linton / JUD. / (916) 319-2334