Two New California Privacy Protection Laws Go Into Effect

Every year the Consumer Federation of California monitors, supports, and opposes numerous bills related to privacy protection. Each year many of these bills are “killed” in the legislature while many others reach the Governor’s desk to either be signed into law or vetoed.

I recently wrote an article for the California Progress Report detailing about six consumer protection bills that we vigorously supported that became official California law on January 1st, 2009. Of those, I'm happy to report two were related to the issue of privacy.

Let me detail what I wrote about these two new laws, one related to RFID regulation and the other to identity theft (with a little bit of additional info):

SB 31 (Simitian) - Prohibiting Reading of RFID without an Individual’s Knowledge and Prior Consent

Radio Frequency Identification Devices (RFIDs) are tiny chips with miniature antennae that are embedded within documents or objects for tracking and identification purposes. When a RFID reader emits a radio signal, the devices in the vicinity respond by automatically transmitting their stored information to the reader.

RFID technology has many useful and promising applications, such as inventory tracking and automatic toll-road payment systems. At the same time, however, it can pose serious privacy and security risks. When embedded in identification documents, for example, information can be scanned off a RFID device at a distance and with no indication to the holder of the RFID device that any information has been remotely transmitted or recorded.

Without adequate protections, unauthorized readers can surreptitiously read and skim the personal information stored on a device—such as a birth date, digital picture, or unique identifier number—all without the knowledge of the RFID holder. This skimmed data can be used to facilitate identity theft or to stalk and track the whereabouts of an individual.

In fact, the very nature of RFID, which is a contactless technology, means that when the system has been breached, the device holder won’t know and therefore won’t know to take steps to protect him or herself.

Thanks to SB 31 - “skimming” information from RFID-enabled IDs without the knowledge and consent of the ID holder is now illegal, and violators of this law will face ‘imprisonment in a county jail for up to one year, a fine of not more than USD 1,500, or both that fine and imprisonment’.

AB 372 (Salas) - Consumer Credit Reports, Security Freezes

Identity theft is one of the fastest growing financial crimes in the U.S. – with nearly 10 million Americans falling victim to it each year. Unfortunately, most consumers are unaware that one of the best ways to protect against identity theft is to place a security freeze on their credit report.

AB 372 - signed by the Governor in July 2008 - reduces fees and shortens the time for consumer security freezes on credit reports. A consumer who has reason to suspect that personal financial information has been breached can place a security freeze that prevents the credit agency from releasing the consumer’s credit report to a third party. A credit freeze can prevent identity theft if is placed promptly.

AB 372 makes it easier and less costly for a consumer to place a security freeze on his credit report. The new law require a credit reporting agency to disclose the right of consumers to place a security freeze on their credit report, reduces from five days to three days the time that a credit agency has to implement the requested freeze, allows consumers to request a freeze by regular written mail instead of certified mail and lowers the fee a credit reporting agency may charge to place a freeze from $12 dollars to $10, or $5 for consumers 65 and older.