By Privacy Rights Clearinghouse
and Consumers Union, West Coast Regional Office
www.privacyrights.org
www.consumersunion.org
The laws cited below can be found in their entirety at:
www.leginfo.ca.gov/calaw.html
Note: Congress recently enacted the Fair and Accurate Credit
Transactions Act of 2003 (FACTA) into law, which will amend the Fair Credit Reporting Act (FCRA).
The National Consumer Law Center (NCLC) and Consumers' Union have analyses of the how FACTA will change the FCRA. See:
www.consumerlaw.org/initiatives/facta/nclc_analysis.shtml
www.consumersunion.org/pub/core_financial_services/000745.html
We have additional information including how FACTA may affect identity theft laws at: www.privacyrights.org/califfinpriv.htm and in our Fact Sheet 6a, FACTA, the Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some
Crime defined
Use of personal information for unlawful purposes is a misdemeanor / felony "wobbler." Requires notation of court record if an imposter is convicted in victim's name. California Penal Code § 530.5
Credit report can be corrected with a police report
If the victim submits police report to a credit bureau listing the fraudulent accounts, the credit bureau must promptly block the information about those accounts and inform the credit grantors that the information has been removed. California Civil Code § 1785.16(k)
Security alert
Credit bureau must place security alert within five business days of receipt of the alert from the consumer. California Civil Code § 1785.11.1. Effective January 1, 2004, civil penalty of $2,500 plus attorneys fees for failure to place the alert. California Civil Code § 1785.11.1(k), SB 602.
Any person who uses a credit report in connection with credit approval may not extend credit or complete a purchase, lease, or rental of goods or services, after notice of a security alert without taking reasonable steps to verify the consumer's identity, in order to ensure that the application is not the result of identity theft. If the consumer has specified a phone number in the security alert, the consumer should be contacted at that number. California Civil Code § 1785.11.1, SB 25, effective July 1, 2004
Security freeze
Credit bureau must enable consumer to establish a "freeze," prohibiting the credit bureau from giving report to anyone without the consumer's consent. California Civil Code §§ 1785.11.2 (effective Jan. 1, 2003). Effective January 1, 2004, a credit reporting agency cannot charge more than $10 to place or remove the freeze, or $12 to temporarily lift the freeze. California Civil Code § 1785.11.2(m), SB 602
Monthly free credit reports for identity theft victims
An identity theft victim who provides the credit bureau with a copy of a police report is entitled to 12 free credit reports, one per month, in the 12 months from the date of the police report. California Civil Code § 1785.15.3, effective July 1, 2003
Duty to cooperate with ID theft victims
Banks, credit unions, savings associations, trust companies, mobile radio services, utilities, and as of January 1, 2004, mail forwarding services and office or desk rental services, must provide on request of law enforcement or of an ID theft victim copies of applications, checks, account statements, and records of transactions initiated by an imposter. California Penal Code § 530.8, AB 1772, On January 1, 2004, this duty is expanded to include the addition of a new user of an existing account, renewal of accounts, and other changes to existing accounts. California Penal Code § 530.8, SB 602, SB 684
Credit reporting agency must match information
Where prospective user of a consumer report is a retail seller and intends to issue credit in person to a consumer who applied in person, credit reporting agency must match at least three categories of information. California Civil Code § 1785.14(a)(1)
Creditor must verify a change of address on a mailed solicitation
Where credit is to be extended by mail pursuant to a mailed solicitation, requirement to mail the extension of credit to the same address as the solicitation unless the creditor verifies any address change by contacting the consumer. California Civil Code § 1785.14(a)(3)
User of a credit report must verify that there was no ID theft where address is mismatched
Requirement for user of credit report to verify requested extension of credit is not an instance of identity theft, where the address on the application does not match the address on the credit report. Civil Code § 1785.20.3 06
Address verification by creditor
Credit issuer must verify address if both of the following occur: an application of credit shows a different address than the one on the preapproved offer, and a request for an additional credit card comes within 10 days of a request for a change of address. California Civil Code § 1747.06
Truncation of credit card number on transaction slip
No more than the last 5 digits of a credit card number may be printed on electronic receipts. California Civil Code § 1747.09. Effective January 1, 2004
Contact info must be included in credit report
Credit report must contain names, addresses, and if provided, phone numbers for customer service, of those who furnished information from the credit report. California Civil Code § 1785.10(c)
No forwarding of instant loan checks
Requirement that "instant loan checks" be mailed in envelope that does not indicate a negotiable instrument is enclosed and that is marked "do not forward":
California Financial Code § 22342
Credit reporting agency must get certification of identification from retailer
Credit reporting agency doesn't meet requirement to take reasonable steps to verify the identity of user of a credit report where the prospective user of a consumer report is a retail seller and intends to issue credit in person to a consumer who applied in person, unless the retail seller certifies in writing to the credit reporting agency that the seller instructs employees to inspect photo identification at the time of application. California Civil Code § 1785.14(a)(2)
Right to sue to clear your name
Right of ID theft victim to bring action or assert defense against anyone claiming a right to money or property in connection with a transaction procured through ID theft. California Civil Code § 1798.93
Criminal statute of limitations
The statute of limitations begins to run when the crime is discovered. California Penal Code § 803, AB 1105, effective January 1, 2004
Penalties for trafficking in personal information
Every person who, with the intent to defraud, acquires, transfers, or retains possession of personal identifying information of another person, is guilty of a crime punishable by up to $1,000 and one year in county jail. California Penal Code § 530.5
Local police department must take a victim's police report
Local police department must take a police report, even if crime is committed elsewhere. California Penal Code § 530.6
Clearing up criminal identity theft
Judicial process for clearing your name -California Penal Code § 530.6(b)
Data base of criminal ID theft victims - California Penal Code § 530.7
California Attorney General ID Theft Hotline-- (888) 880-0240
Streamlined process for showing identity error in criminal case. California Penal Code §§ 853.5, 853.6, Vehicle Code §§ 40303, 40305, 40305.5, 40500, 40504, SB 752, effective January 1, 2004
Debt collection
Creditor cannot sell a debt to a debt collector once the individual has reported to the credit bureau that the debt resulted from fraud. California Civil Code § 1785.16.2
Victim of identity theft may seek an injunction against a creditor or debt collector who pursues payment from the victim of a debt incurred by a thief. California Civil Code §§ 1798.92-97
Debt collector must stop temporarily collecting a debt after written certification by the consumer that an identity thief incurred the debt. Collection may resume only if the collector makes a good faith determination that the information provided does not establish that the consumer does not owe the debt. California Civil Code § 1788.18, AB 1294, effective January 1, 2004
Destruction of customer records -- the "shredding" law
Businesses are required to take reasonable steps to destroy records containing personal information upon disposal of the records by shredding, erasing, or modifying the information to make it unreasonable. California Civil Code §§ 1798.80-82
Hacker law -- disclosure of computer security breaches
Requires business and government agencies to notify individuals when unencrypted personal information in the categories of Social Security Number, driver's license number, account number, or credit or debit card number has been accessed in a computer security breach. California Civil Code § 1798.29
Confidentiality of Social Security Numbers
California Civil Code § 1798.85, phased in from July 2002 - July 2005. Timeline changed by SB 25.
Individuals and commercial entities, and under a phase-in from January 1, 2004 to January 1, 2007, certain government entities, including public colleges and universities, may not:
Publicly display or post SSNs
Print SSNs on ID cards or badges
Require people to transmit SSNs over the Internet unless the connection is secure or the number is encrypted
Require people to use the SSN to logon to the Internet without a password
Print SSNs on mailed documents, unless required by state or federal law
Embed or encode a SSN on a card or document where it cannot otherwise be printed. This includes chips, magnetic technology and bar coding
Mail SSN where number visible without opening envelope California Civil Code § 1798.85(a), AB 763, effective January 1, 2004
In addition, a Social Security Number which is part of a family court proceeding must be place in a confidential portion of the court file. California Family Code § 2024.5, SB 660, effective January 1, 2004
Birth and death certificates
Sworn statement required for issuance of certified copies of birth or death records. California Health & Safety Code § 103526
Financial Privacy
Prohibits financial institutions from sharing or selling personally identifiable nonpublic information without obtaining a consumer's consent. The bill (SB1) requires affirmative consent for sharing with an unaffiliated third party, the opportunity to opt out of information sharing with a financial institution's affiliates that are in a different line of business. California Financial Code §§ 4050-4060, effective July 1, 2004
Statement of consumer rights from credit bureau
Credit bureau must give consumers a statement of statutory rights with respect to credit reporting. California Civil Code §§ 1785(f) and 1785.15.3
Right to remove name
Consumer has right to remove name from credit card solicitation lists furnished by the credit bureau. California Civil Code § 1785.11.8
Credit card consumer may not be required to pay by check
Prohibition on recording credit card number where consumer pays by negotiable instrument (check). California Civil Code § 1725
Personal info may not be required to use credit card
Person accepting credit card may not record personal information. California Civil Code § 1748.8
Notice that warranty card is unnecessary
Requirement that "warranty" cards clearly and conspicuously disclose that the card is a product registration card and failure to complete and return the card does not affect warranty rights. Effective Jan. 1, 2004. California Civil Code § 1793.1
Swiping of drivers' licenses
Restricts certain uses and retention of data encoded on drivers' licenses. California Civil Code § 1798.90.1, SB 602, effective January 1, 2004.
Marketing Disclosure
A business that disclose a consumer's personal information to a third party for direct-marketing purposes must give the customer, upon request, the recipients of that information and a description of the categories of the information disclose. Financial institutions may be exempt. California Civil Code § 1798.83, SB 27, effective January 1, 2005.