Aug. 2003: PRC's Privacy Update Newsletter

In this issue . . .

[1] SB 1 -- California Enacts Strongest Financial Privacy Law in the Nation

[2] Federal Fair Credit Reporting Act (FCRA) and Stronger States’ Laws Are Under Attack

[3] PRC Director Givens Testifies at Radio-Frequency ID (RFID) Hearing in Sacramento

[4] PRC’s Newest Fact Sheet Is Posted: 16(b) -- Employment Background Checks: A Guide for Small Business Owners

[5] Compilation of California Identity Theft Laws Now on Our Web Site

[1] SB 1 -- California Enacts Strongest Financial Privacy Law in the Nation

On August 27, California Governor Gray Davis signed Senate Bill 1 into law. The bill’s author Senator Jackie Speier was joined by a coalition that included Consumers Union, AARP, Privacy Rights Clearinghouse, ACLU, Consumer Federation of California, CALPIRG, the California Attorney General, and Bay Area financial company E-Loan.

After years of political wrangling and the threat of a March 2004 ballot initiative with popular consumer support, SB 1 was passed with near-unanimous support from both houses. The law requires California consumers’ permission (called “opt-in”) before financial institutions can share customer information with third parties. The law also enables consumers to stop financial institutions from sharing personal information with most affiliates (called “opt-out”). Information used to complete a transaction can still be shared among affiliates. In some limited cases financial information can still be shared with certain affiliates when both entities are regulated by the same functional regulator and are engaged in the same line of business, among other requirements (called “no-opt”).

In addition, the annual Privacy Notices must be readable, and the California Attorney General and other regulators have authority to penalize institutions that violate the law.

To learn more about the legislative battle and to read the sample opt out notice, go to:

[2] Federal Fair Credit Reporting Act (FCRA) and Stronger States’ Laws Under Attack

HR Bill 2622, the Fair and Accurate Credit Transactions Act of 2003,
was introduced into Congress by Representatives Darlene Hooley, D-Ore., and
Spencer Bachus, R-Ala. Though claimed to prevent identity theft and protect consumers nationwide, the bill in fact weakens provisions of the federal Fair Credit Reporting Act (FCRA). The bill also threatens to undo the progress California and other states have made to protect identity theft victims and consumers’ financial privacy rights.

To view the legislation in its entirety, go to:

In California this would mean that many of the identity theft laws noted in [5] below and SB 1, the landmark California financial privacy law discussed in [1], could be preempted. In fact, laws in any of the fifty states that are stronger than those rights provided in the FCRA could be void under HB 2622 as currently written.

The PRC and the Identity Theft Resource Center sent a letter to California Congressional representatives asking them to oppose HR 2622.

To read the letter, go to

Consumers’ Union has compiled a list of California laws that could be preempted, available on CU’s web site at:

To send your message to Congress, visit the following web site. Don’t delay! Congress is expected to act soon.

[3] PRC Director Givens Testifies at Radio-Frequency ID (RFID) Hearing in Sacramento

On August 18, PRC Director Beth Givens testified at an RFID hearing hosted by state Senator Debra Bowen. Called the next generation of bar codes by industry, an RFID tag is a small radio frequency-activated device containing a unique identification number. Tags can be as small as a speck of dust. When placed in consumer products, they are virtually invisible. When near a radio frequency reader, the device emits a signal that is captured by the reading device and stored in a computer data base. The legislative hearing focused on the profiling, tracking, and privacy implications of RFID.

Givens warned of the “profound privacy and civil liberties implications associated with RFID if indeed all [‘objects’] of the world are uniquely identified and can be located and read at a distance,” as envisioned by industry.

Givens’ testimony, titled “RFID and the Public Policy Void,” recommends that 1) RFID undergo a formal technology assessment involving all stakeholders including consumers; 2) that the development of RFID be guided by strong Fair Information Principles, codified into law; and, 3) that meaningful consumer control be built into the implementation of RFID. Her testimony concludes with a 7-point public policy strategy.

This testimony is available on our website at

[4] PRC’s Newest Fact Sheet: 16(b) -- Employment Background Checks: A Guide for Small Business Owners

The PRC recently posted the newest fact sheet in its background check series. Developed with funding from the Rose Foundation Consumer Privacy Rights Fund, fact sheet 16(b) is titled Employment Background Checks: A Guide for Small Business Owners. It helps small business owners comply with state and federal requirements when performing employee screening.

The fact sheet explains the consent provisions in federal and California law. It defines the difference between a ‘consumer report’ and an ‘investigative consumer report.’ The guide also advises employers on what to look for when hiring an employment screening company to perform background checks on job applicants and existing employees. And it explains when an employer must give a copy of the background report to the prospective or existing employee.

To read the fact sheet, click on

[5] Compilation of California Identity Theft Laws

California leads the nation in implementing laws on identity theft. The PRC has added a compilation of these laws to our website. This resource provides a brief synopsis of the laws, as well as their legal citations. Summaries of new identity theft laws will be added when the current legislative session ends.

To read the compilation, go to

  To subscribe to our free email newsletter, go to