California Privacy Law: Resources & Protections

Intellectual Property Society Seminar, January 20, 2004. CA Privacy Law: Resources & Protections. Joanne McNabb, Chief, Office of Privacy Protection, California Department of Consumer Affairs
Date posted: 21-Oct-2014
Category: Technology

By Joanne McNabb

Transcript of California Privacy Law: Resources & Protections

Page 1: California Privacy Law: Resources & Protections

Intellectual Property Society Seminar, January 20, 2004

CA Privacy Law: Resources & Protections

Joanne McNabb, Chief
Office of Privacy Protection
California Department of Consumer Affairs

Page 2: Constitutional Right

All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.

Article 1, Section 1, Constitution of the State of California

Page 3: Office of Privacy Protection

  • CA is only state with such an agency
  • Created by law passed in 2000
  • Purpose: “protecting the privacy of individuals’ personal information in a manner consistent with the California Constitution by identifying consumer problems in the privacy area and facilitating development of fair information practices”

Page 4: Office of Privacy Protection

Office functions

  • Consumer assistance
  • Education and information
  • Coordination with law enforcement
  • Best practice recommendations

Page 5: Concerns of Contacts to OPP

[Bar chart: Concerns of Contacts to OPP, 11/01-12/03. Vertical axis: 0% to 40%. Axis labels as extracted: ID Theft Concerns, ID Theft Victims, Policies & Practices, Telemarketing, Financial, Other Unsolicited, Medical, General, OPP. Data labels as extracted, not matched to categories: 17%, 9%, 8%, 6%, 2%, 3%, 3%, 38%, 15%.]

Page 6: Education and Information

  • Consumer Information Sheets
      • ID theft prevention, victim checklist, “criminal” ID theft
      • Protecting SSNs, reading privacy policies, controlling unwanted communications
      • Health info privacy
  • Workshops and presentations
      • 86 for consumers, 64 for business (11/01-12/03)

Page 7: Work with Law Enforcement

  • Advisory Committee to High Tech Crimes/Identity Theft Task Force
      • 5 regional task forces of local, state and federal law enforcement
  • Provide information on new laws via web site
  • Make case referrals

Page 8: “Best Practice” Recommendations

  • Recommendations of “best practices,” beyond legal requirements
  • By phone in response to requests
  • Written sets developed with advisory groups
      • SSN Confidentiality
      • Notification of Security Breach

Page 9: CA Privacy Laws Enacted 1999-2003

[Bar chart: CA Privacy Laws Enacted 1999-2003. Horizontal axis: 1999, 2000, 2001, 2002, 2003. Vertical axis: 0 to 18. Data labels as extracted: 5, 9, 7, 16, 15.]

Page 10: Fair Information Practice Principles (FIPs)

  • Transparency
  • Collection Limitation
  • Purpose Specification
  • Use Limitation
  • Data Quality
  • Individual Participation
  • Security
  • Accountability

Page 11: CA Privacy Laws & FIPs

  • Limits on collection of personal info
  • Limits on use of personal info
  • Requirements of notice of privacy rights
  • Limits on unwanted commercial communications
  • Requirements for data security
  • Requirements for individual access to personal info
  • Rights & remedies for identity theft victims

Page 12: Limits on Collection of Personal Information

  • Ban on recording any personal info when accepting payment by credit card
  • Ban on recording DL # when accepting payment by check
  • Ban on collecting DL# and SSN for supermarket club cards
  • Ban on wiretapping, CATV/satellite TV monitoring
  • Ban on state agency collecting personal info not authorized by law or regulation (IPA)

Page 13: Limits on Use of Personal Information 1

  • Info “swiped” from drivers licenses (except for age verification, etc.)
  • Onward sharing of “marketing info” of credit card holders subject to opt-out right
  • Public display of Social Security numbers
  • Onward sharing of personal info collected for supermarket club cards

Page 14: Limits on Use of Personal Information 2

  • Printing of >5 digits of credit card numbers on electronic customer receipts
  • Onward sharing of residential telephone customer calling patterns, financial info, etc.
  • Use by state agency other than as authorized by law (IPA, but cf. Public Records Act)

Page 15: Limits on Use of Personal Information 3

  • Onward sharing of medical info, other than for TPO, subject to prior consent
  • Use of medical info for marketing purposes, as defined
  • Limited access to birth/death certificates, no SSNs or MMNs on publicly available birth/death record indices

Page 16: Limits on Use of Personal Information 4

  • Sharing of consumer credit & background info, except for specified purposes, by CRAs, Investigative RAs (but cf. FCRA/FACTA)
  • Sharing of personal financial info w/ 3rd parties by financial institutions (SB 1, eff. 7/1/04)
  • Use of auto “black box” data for other than vehicle safety, etc. (AB 213, eff. 7/1/04)

Page 17: Notice Requirements 1

  • Notice of security breach involving specified personal info
  • Notice to vets from county recorder re DD214s as public records
  • Notice on collection of personal info by state agencies (IPA)
  • Privacy policy notice in state offices and on agency web sites

Page 18: Notice Requirements 2

  • Notice of privacy policies/practices on commercial web sites collecting personal info on CA residents (AB 68, eff. 7/04)
  • Upon request, notice to customer of info sharing details or opt-out opportunity (SB 27, eff. 1/05)
  • Notice of presence of auto “black box” in owner’s manual or subscription contract (AB 213, eff. 7/04)

Page 19: Data Security

  • Destruction of customer records by businesses by shredding, etc.
  • Activation process required on substitute credit cards mailed to consumers
  • Credit/debit card “skimmers” outlawed
  • State agencies must use security safeguards to protect personal info (IPA)

Page 20: Individual Access to Information

  • Access to and right to correct personal info in records of state agencies (IPA)
  • Access to and right to dispute personal info in medical records (PAHRA, cf. federal HIPAA)

Page 21: Limits on Commercial Communications

  • Do-Not-Call Registry (state/federal laws)
  • Ban on unsolicited commercial text messages sent to cell phones/pagers
  • Ban on spam sent in violation of ISP’s policy
  • Ban on spam sent w/out prior consent of recipient (but cf. federal CAN SPAM Act)

Page 22: Identity Theft Rights & Remedies

  • Definition of crime, including possession of documents with intent to defraud
  • Requirement of local police to take report
  • Expedited judicial process for victims
  • Database for victims of “criminal” ID theft
  • Victim rights in debt collection and against claimants
  • Victim access to documents on fraudulent accounts (but cf. FCRA/FACTA)

Page 23: Contact

Joanne McNabb, Chief
Office of Privacy Protection
California Department of Consumer Affairs
400 R Street, Suite 3080
Sacramento, CA 95814
916-322-4420
www.privacy.ca.gov
866-785-9663