Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org

Protect your Social Security Number

The Consumers Union/U.S. PIRG Model State SSN Protection Law

  • Stops most requests for, collection of, and mailing of the SSN. Stops collection of the SSN by private businesses for purposes beyond credit, taxes, employment, investment, new bank accounts, child support and criminal record checks unless the SSN is required by law.
  • Stops these practices unless required by law:
    • Placing SSNs on identification and membership cards
    • Posting, displaying, or making SSNs available to the general public
    • Using the SSN as a password or access code for goods and services.
    • Inviting input of the SSN on the web for unencrypted transmission.
  • Tailors exceptions for true need. Some of the early state laws restricting SSN use included a variety of exceptions. Too many exceptions will undermine the usefulness of a state law restricting SSN collection and use.

This simple measure focuses on a going-forward basis on reducing the risk of identity theft from stolen SSNs by reducing the instances in which SSNs can be requested, collected, mailed, printed on wallet cards, used as passwords, and solicited over the Internet without encryption. There are other areas for further work on SSNs. These other areas include reducing the appearance of SSNs in public records, reducing government agency use of SSNs, requiring all types of companies holding SSNs to safeguard that data, restricting the practices of database companies that sell information about individuals including or using SSNs, and restricting the internal uses and sharing of SSNs by private companies. Consumers Union is ready to work with states who wish to tackle these additional issues.

Specific Language Of Model State SSN Law on Private Collection, mailing and certain uses of SSNs

 1. A person doing business in this State may not request, collect, or mail to the individual the Social Security number of an individual residing in this State unless one of the following exceptions applies.

(a) The SSN is expressly required by federal, state, or local law or regulation.

(b) The SSN is requested, collected or mailed in connection with a request for credit or a credit transaction initiated by the consumer or in connection with a lawful request for a consumer credit report.

(c) The SSN is requested, collected or mailed in connection with the opening of a deposit account or in connection with an investment.

(d) The SSN is requested, collected or mailed for purposes of employment, including in the course of the administration of a claim, benefit, or procedure related to the individual’s employment by the person, including the individual’s termination from employment, retirement from employment, injury suffered during the course of employment; or to check on an unemployment insurance claim of the individual.

(e) The SSN is requested, collected or mailed for purposes of tax compliance.

(f) The SSN is requested, collected, or mailed for the purpose of: interaction with a governmental law enforcement agency; the collection of child or spousal support; or to determine whether an individual has a criminal record.

(g) Nothing in this section or section 2(d) prohibits a person from including his or her own Social Security number on materials sent through the mail. Nothing in this Act applies to the mailing of a copy of a public record which contains a Social Security number.

2. A person doing business in this State may not do any of the following with the Social Security number of an individual residing in this State unless expressly required to do so by federal, state, or local law or regulation:

(a) Place the Social Security number of an individual on any card, tag, badge, or other device issued or used for identification or membership, or on other any card, tag or device issued to an individual, including one issued for the purpose of providing access to products or services. This section includes printing, embedding, encoding within a magnetic strip or on a chip, and any other means of placing the Social Security number on a card, tag, badge, or other device issued for identification or membership.

(b) Solicit or require the use of the SSN as a password for computerized service, telephone customer service, or an Internet web site, or require that an individual provide his or her SSN as a condition to access goods, services, or a website.

(c) Solicit or require an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted, and the request or collection of the Social Security number is otherwise permitted under section (1).

(d) Where mailing of a Social Security number is otherwise permitted under section (1), the Social Security number may not be printed on a postcard or other mailer that does not require an envelope, or in any other manner that makes the Social Security number visible on the envelope or without the envelope being opened.

(e) Publicly post or display, or otherwise make available to the general public, including by sale to the general public, the Social Security number of another individual.

(3) Definitions. For purposes of this Act, the following terms have the following meanings:

(a) “Social Security number” means any portion of three or more consecutive digits of a Social Security number.

(b) “Person” means any individual, firm, partnership, association, corporation, limited liability company, organization or other entity, but does not include the state or any political subdivision of the state, or any agency thereof.

(4) Penalties for violations of this Act.

(a) A person who violates this section is responsible for the payment of a civil fine of not more than $3,000 per violation.

(b) A person who knowingly violates this section is guilty of a misdemeanor punishable by imprisonment for not more than 60 days or a fine of not more than $3,000 or both.

(c) A person who violates this section is liable to each person whose Social Security number is treated in violation of this Act for all of the following: $5,000 per person, actual damages, and reasonable court costs and attorney’s fees to a prevailing plaintiff.

(5) The provisions of this act are severable. If any phase, clause, sentence, provision or section is declared to be invalid or preempted in whole or in part by any federal law or regulation, the validity of the remainder of this Act shall not be affected.

For a discussion of state laws restricting private use of Social Security numbers, click here.

IssuesMoney