CA Privacy Law: Resources

1
CA Privacy Law Resources Protections

• Dana F. Winterrowd, Staff Counsel
• California Department of Consumer Affairs

2
Constitutional Right

• All people are by nature free and independent and
  have inalienable rights. Among these are enjoying
  and defending life and liberty, acquiring,
  possessing, and protecting property, and pursuing
  and obtaining safety, happiness, and privacy.
• Article 1, Section 1, Constitution of the State
  of California

3
Office of Privacy Protection

• CA is only state with such an agency
• Created by law passed in 2000
• Purpose
• protecting the privacy of individuals personal
  information in a manner consistent with the
  California Constitution by identifying consumer
  problems in the privacy area and facilitating
  development of fair information practices

4
Education and Information

• Consumer Information Sheets
• ID theft prevention, victim checklist, criminal
  ID theft
• Protecting SSNs, reading privacy policies,
  controlling unwanted communications
• Health info privacy
• Workshops and presentations
• 86 for consumers, 64 for business (11/01-12/03)

5
Work with Law Enforcement

• Advisory Committee to High Tech Crimes/Identity
  Theft Task Force
• 5 regional task forces of local, state and
  federal law enforcement
• Provide information on new laws via web site
• Make case referrals

6
Best Practice Recommendations

• Recommendations of best practices, beyond legal
  requirements
• By phone in response to requests
• Written sets developed with advisory groups
• SSN Confidentiality
• Notification of Security Breach

7
Fair Information Practice Principles (FIPS)

• Transparency
• Collection Limitation
• Purpose Specification
• Use Limitation
• Data Quality
• Individual Participation
• Security
• Accountability

8
CA Privacy Laws FIPs

• Limits on collection of personal info
• Limits on use of personal info
• Requirements of notice of privacy rights
• Limits on unwanted commercial communications
• Requirements for data security
• Requirements for individual access to personal
  info
• Rights remedies for identity theft victims

9
Limits on Collection of Personal Information

• Ban on recording any personal info when accepting
  payment by credit card
• Ban on recording DL when accepting payment by
  check
• Ban on collecting DL and SSN for supermarket
  club cards
• Ban on wiretapping, CATV/satellite TV monitoring
• Ban on state agency collecting personal info not
  authorized by law or regulation (IPA)

10
Limits on Use of Personal Information 1

• Info swiped from drivers licenses (except for
  age verification, etc.)
• Onward sharing of marketing info of credit card
  holders subject to opt-out right
• Public display of Social Security numbers
• Onward sharing of personal info collected for
  supermarket club cards

11
Limits on Use of Personal Information 2

• Printing of gt5 digits of credit card numbers on
  electronic customer receipts
• Onward sharing of residential telephone customer
  calling patterns, financial info, etc.
• Use by state agency other than as authorized by
  law (IPA, but cf. Public Records Act)

12
Limits on Use of Personal Information 3

• Onward sharing of medical info, other than for
  TPO, subject to prior consent
• Use of medical info for marketing purposes, as
  defined
• Limited access to birth/death certificates, no
  SSNs or MMNs on publicly available birth/death
  record indices

13
Limits on Use of Personal Information 4

• Sharing of consumer credit background info,
  except for specified purposes, by CRAs,
  Investigative RAs (but cf. FCRA/FACTA)
• Sharing of personal financial info w/ 3rd parties
  by financial institutions (SB 1, eff. 7/1/04)
• Use of auto black box data for other than
  vehicle safety, etc. (AB 213, eff. 7/1/04)

14
Notice Requirements 1

• Notice of security breach involving specified
  personal info
• Notice to vets from county recorder re DD214s as
  public records
• Notice on collection of personal info by state
  agencies (IPA)
• Privacy policy notice in state offices and on
  agency web sites

15
Notice Requirements 2

• Notice of privacy policies/practices on
  commercial web sites collecting personal info on
  CA residents (AB 68, eff. 7/04)
• Upon request, notice to customer of info sharing
  details or opt-out opportunity (SB 27, eff. 1/05)
• Notice of presence of auto black box in owners
  manual or subscription contract (AB 213, eff.
  7/04)

16
Data Security

• Destruction of customer records by businesses by
  shredding, etc.
• Activation process required on substitute credit
  cards mailed to consumers
• Credit/debit card skimmers outlawed
• State agencies must use security safeguards to
  protect personal info (IPA)

17
Individual Access to Information

• Access to and right to correct personal info in
  records of state agencies (IPA)
• Access to and right to dispute personal info in
  medical records (PAHRA, cf. federal HIPAA)

18
Limits on Commercial Communications

• Do-Not-Call Registry (state/federal laws)
• Ban on unsolicited commercial text messages sent
  to cell phones/pagers
• Ban on spam sent in violation of ISPs policy
• Ban on spam sent w/out prior consent of recipient
  (but cf. federal CAN SPAM Act)

19
Identity Theft Rights Remedies

• Definition of crime, including possession of
  documents with intent to defraud
• Requirement of local police to take report
• Expedited judicial process for victims
• Database for victims of criminal ID theft
• Victim rights in debt collection and against
  claimants
• Victim access to documents on fraudulent accounts
  (but cf. FCRA/FACTA)

20
Dana F. Winterrowd, Staff Counsel Legal Affairs
Division California Department of Consumer
Affairs 400 R Street, Suite 3090 Sacramento, CA
95814 ? 916-445-4216 Office of Privacy
Protection ltwww.privacy.ca.govgt