Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org

California Identity Theft and Privacy Laws

Compiled by Privacy Rights Clearinghouse and Consumers Union, West Coast Regional Office - April 2003. Updated October 2003

California Identity Theft and Privacy Laws

Compiled by Privacy Rights Clearinghouse
and Consumers Union, West Coast Regional Office
April 2003. Updated October 2003


Credit report can be corrected with a police report

If the victim submits police report to a credit bureau listing the fraudulent accounts, the credit bureau must promptly block the information about those accounts and inform the credit grantors that the information has been removed. California Civil Code § 1785.16(k)

Security alert

Credit bureau must place security alert within five business days of receipt of the alert from the consumer. California Civil Code § 1785.11.1. Effective January 1, 2004, civil penalty of $2,500 plus attorneys fees for failure to place the alert. California Civil Code § 1785.11.1(k), SB 602, text of new bills is available at www.leginfo.gov

Any person who uses a credit report in connection with credit approval may not extend credit or complete a purchase, lease, or rental of goods or services, after notice of a security alert without taking reasonable steps to verify the consumer’s identity, in order to ensure that the application is not the result of identity theft. If the consumer has specified a phone number in the security alert, the consumer should be contacted at that number. California Civil Code § 1785.11.1, SB 25, effective July 1, 2004

Security freeze

Credit bureau must enable consumer to establish a “freeze,” prohibiting the credit bureau from giving report to anyone without the consumer’s consent. California Civil Code §§ 1785.11.2 (effective Jan. 1, 2003). Effective January 1, 2004, a credit reporting agency cannot charge more than $10 to place or remove the freeze, or $12 to temporarily lift the freeze. California Civil Code § 1785.11.2(m), SB 602

Monthly free credit reports for identity theft victims

An identity theft victim who provides the credit bureau with a copy of a police report is entitled to 12 free credit reports, one per month, in the 12 months from the date of the police report. California Civil Code § 1785.15.3, effective July 1, 2003

Duty to cooperate with ID theft victims

Banks, credit unions, savings associations, trust companies, mobile radio services, utilities, and as of January 1, 2004, mail forwarding services and office or desk rental services, must provide on request of law enforcement or of an ID theft victim copies of applications, checks, account statements, and records of transactions initiated by an imposter. California Penal Code § 530.8, AB 1772, On January 1, 2004, this duty is expanded to include the addition of a new user of an existing account, renewal of accounts, and other changes to existing accounts. California Penal Code § 530.8, SB 602, SB 684

Credit reporting agency must match information

Where prospective user of a consumer report is a retail seller and intends to issue credit in person to a consumer who applied in person, credit reporting agency must match at least three categories of information. California Civil Code § 1785.14(a)(1)

Creditor must verify a change of address on a mailed solicitation

Where credit is to be extended by mail pursuant to a mailed solicitation, requirement to mail the extension of credit to the same address as the solicitation unless the creditor verifies any address change by contacting the consumer. California Civil Code § 1785.14(a)(3)

User of a credit report must verify that there was no ID theft where address is mismatched

Requirement for user of credit report to verify requested extension of credit is not an instance of identity theft, where the address on the application does not match the address on the credit report. Civil Code § 1785.20.3 06

Address verification by creditor

Credit issuer must verify address if both of the following occur: an application of credit shows a different address than the one on the preapproved offer, and a request for an additional credit card comes within 10 days of a request for a change of address. California Civil Code § 1747.06

Truncation of credit card number on transaction slip

No more than the last 5 digits of a credit card number may be printed on electronic receipts. California Civil Code § 1747.9. Effective January 1, 2004

Contact info must be included in credit report

Credit report must contain names, addresses, and if provided, phone numbers for customer service, of those who furnished information from the credit report. California Civil Code § 1785.10(c)

No forwarding of instant loan checks

Requirement that “instant loan checks” be mailed in envelope that does not indicate a negotiable instrument is enclosed and that is marked “do not forward”: California Financial Code § 22342

Credit reporting agency must get certification of identification from retailer

Credit reporting agency doesn’t meet requirement to take reasonable steps to verify the identity of user of a credit report where the prospective user of a consumer report is a retail seller and intends to issue credit in person to a consumer who applied in person, unless the retail seller certifies in writing to the credit reporting agency that the seller instructs employees to inspect photo identification at the time of application. California Civil Code § 1785.14(a)(2)

Right to sue to clear your name

Right of ID theft victim to bring action or assert defense against anyone claiming a right to money or property in connection with a transaction procured through ID theft. California Civil Code § 1798.93

Crime defined

Use of personal information for unlawful purposes is a misdemeanor / felony “wobbler.” Requires notation of court record if an imposter is convicted in victim’s name. Penal Code § 530.5

Criminal statute of limitations

The statute of limitations begins to run when the crime is discovered. California Penal Code § 803, AB 1105, effective January 1, 2004

Penalties for trafficking in personal information

Every person who, with the intent to defraud, acquires, transfers, or retains possession of personal identifying information of another person, is guilty of a crime punishable by up to $1,000 and one year in county jail. California Penal Code § 530.5

Local police department must take a victim’s police report

Local police department must take a police report, even if crime is committed elsewhere. California Penal Code § 530.6

Clearing up criminal identity theft

Judicial process for clearing your name –California Penal Code § 530.6(b)
Data base of criminal ID theft victims – California Penal Code § 530.7
California Attorney General ID Theft Hotline– (888) 880-0240

Streamlined process for showing identity error in criminal case. California Penal Code §§ 853.5, 853.6, Vehicle Code §§ 40303, 40305, 40305.5, 40500, 40504, SB 752, effective January 1, 2004

Debt collection

Creditor cannot sell a debt to a debt collector once the individual has reported to the credit bureau that the debt resulted from fraud. California Civil Code § 1785.16.2

Victim of identity theft may seek an injunction against a creditor or debt collector who pursues payment from the victim of a debt incurred by a thief. California Civil Code §§ 1798.92-97

Debt collector must stop temporarily collecting a debt after written certification by the consumer that an identity thief incurred the debt. Collection may resume only if the collector makes a good faith determination that the information provided does not establish that the consumer does not owe the debt. California Civil Code § 1788.18, AB 1294, effective January 1, 2004

Destruction of customer records — the “shredding” law

Businesses are required to take reasonable steps to destroy records containing personal information upon disposal of the records by shredding, erasing, or modifying the information to make it unreasonable. California Civil Code §§ 1798.80-82

Hacker law — disclosure of computer security breaches

Requires business and government agencies to notify individuals when unencrypted personal information in the categories of Social Security Number, driver’s license number, account number, or credit or debit card number has been accessed in a computer security breach. California Civil Code § 1798.29

Confidentiality of Social Security Numbers

California Civil Code § 1798.85, phased in from July 2002 – July 2005. Timeline changed by SB 25.

Individuals and commercial entities, and under a phase-in from January 1, 2004 to January 1, 2007, certain government entities, including public colleges and universities, may not:
 publicly display or post SSNs

 print SSNs on ID cards or badges

 require people to transmit SSNs over the Internet unless the connection is secure or the number is encrypted

 require people to use the SSN to logon to the Internet without a password

 print SSNs on mailed documents, unless required by state or federal law

 embed or encode a SSN on a card or document where it cannot otherwise be printed. This includes chips, magnetic technology and bar coding

 Mail SSN where number visible without opening envelope California Civil Code § 1798.85(a), AB 763, effective January 1, 2004

In addition, a Social Security Number which is part of a family court proceeding must be place in a confidential portion of the court file. California Family Code § 2024.5, SB 660, effective January 1, 2004

Birth and death certificates

Sworn statement required for issuance of certified copies of birth or death records. California Health & Safety Code § 103526


Increased privacy is one key element in the fight against identity theft. The fewer places your financial information is sent, stored or used, the less likely it is to be stolen or abused.

Financial Privacy

Prohibits financial institutions from sharing or selling personally identifiable nonpublic information without obtaining a consumer’s consent. The bill (SB 1) requires affirmative consent for sharing with an unaffiliated third party, the opportunity to opt out of information sharing with a financial institution’s affiliates that are in a different line of business. California Financial Code §§ 4050-4060, effective July 1, 2004

Statement of consumer rights from credit bureau

Credit bureau must give consumers a statement of statutory rights with respect to credit reporting. California Civil Code §§ 1785(f) and 1785.15.3

Right to remove name

Consumer has right to remove name from credit card solicitation lists furnished by the credit bureau. California Civil Code § 1785.11.8

Credit card consumer may not be required to pay by check

Prohibition on recording credit card number where consumer pays by negotiable instrument (a check). California Civil Code § 1725

Personal info may not be required to use credit card

Person accepting credit card may not record personal information. California Civil Code § 1748.8

Notice that warranty card is unnecessary

Requirement that “warranty” cards clearly and conspicuously disclose that the card is a product registration card and failure to complete and return the card does not affect warranty rights. Effective Jan. 1, 2004. California Civil Code § 1793.1

Swiping of drivers’ licenses

Restricts certain uses and retention of data encoded on drivers’ licenses. California Civil Code § 1798.90.1, SB 602, effective January 1, 2004

Marketing Disclosure

A business that disclose a consumer’s personal information to a third party for direct-marketing purposes must give the customer, upon request, the recipients of that information and a description of the categories of the information disclose. Financial institutions may be exempt. California Civil Code § 1798.83, SB 27, effective January 1, 2005

For more information, contact:

Beth Givens, Director, Privacy Rights Clearinghouse

Gail Hillebrand, Senior Attorney, Consumers Union
www.financial privacynow.org