Five Laws You Should Know

Five of California's statutes require careful review.

InformationWeek Staff, Contributor

July 8, 2004

Identifying the laws with the greatest compliance impact is difficult. From my perspective, though, there are at least five statutes in California, apart from the Security Breach Notice Law, that require watching and careful review:

The Online Privacy Protection Act of 2003
This is known as the new "privacy policy" law and went into effect July 1. Under this law, all commercial Web sites and online services that collect personal information from California residents must have a conspicuous privacy policy at the site. A violation under this law results only if the site or service refuses to post a privacy policy within 30 days of being notified of its obligation to do so.

Social Security Number Confidentiality
This law restricts a commercial entity (or governmental agency) from publicly displaying a Social Security number, using it on an identification card or similar access card, or requesting it online without the requisite secure link. This law phases in from 2002 to 2007.

Destruction of Customer Records
This law governs the methods under which documents and records that contain any personal information of a consumer must be destroyed. They must be shredded, erased, or otherwise modified in such a way that they are no longer recoverable.

Note that this law may be superseded by the Federal Fair Credit Reporting Act amendments. The Federal Trade Commission has requested comments to its proposed rule on the disposal requirements. The comment period ended June 15. Essentially, "Section 216 of the FACT Act requires the Commission, Federal banking agencies, National Credit Union Administration, and Securities and Exchange Commission (the 'Agencies'), to issue regulations requiring 'any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation.' The purpose of this section is to prevent unauthorized disclosure of consumer information and to reduce the risk of fraud or related crimes, including identity theft, by ensuring that records containing sensitive financial or personal information are appropriately redacted or destroyed before being discarded. The Agencies are required to consult and coordinate with each other so that, to the extent possible, regulations implementing this section are consistent and comparable. In addition, the Agencies' regulations must be consistent with the Gramm-Leach-Bliley Act and other provisions of federal law.

"The Commission has conferred with the Agencies and now offers for public comment this proposed rule regarding the disposal of consumer report information and records ('Disposal Rule' or 'Rule')." (From the FTC request for comments, Proposed Rules, Federal Register April 20.)

Check with your counsel on whether the California law still applies to your data destruction and keep an eye on the rulemaking by the FTC to see the federal standards.

California's Fair Debt Collection Act
Among other things, this law forbids a creditor from trying to collect a debt from a victim of identity theft. There are various procedures required on the victim's part as well as on the creditor's part before this becomes a ban on collection of the debt.

Employment Of Offenders--Penal Code
This law prohibits prison inmates from being employed in a situation in which personal information is made available. In many cases, prisoners across the United States are being used for data input. In at least one case I'm aware of, a woman was cyberstalked by a prisoner who got her information while working from prison. This law was designed to prevent that kind of abuse.

Return to main story: "What You Don't Know About Privacy Can Hurt You"

Return to the sidebar: "The Law Itself"
