1785.11.1.

 (a) A consumer may elect to place a security alert in his or her credit report by making a request in writing or by telephone to a consumer credit reporting agency. “Security alert” means a notice placed in a consumer’s credit report, at the request of the consumer, that notifies a recipient of the credit report that the consumer’s identity may have been used without the consumer’s consent to fraudulently obtain goods or services in the consumer’s name.

(b) A consumer credit reporting agency shall notify each person requesting consumer credit information with respect to a consumer of the existence of a security alert in the credit report of that consumer, regardless of whether a full credit report, credit score, or summary report is requested.

(c) Each consumer credit reporting agency shall maintain a toll-free telephone number to accept security alert requests from consumers 24 hours a day, seven days a week.

(d) The toll-free telephone number shall be included in any written disclosure by a consumer credit reporting agency to any consumer pursuant to Section 1785.15 and shall be printed in a clear and conspicuous manner.

(e) A consumer credit reporting agency shall place a security alert on a consumer’s credit report no later than five business days after receiving a request from the consumer.

(f) The security alert shall remain in place for at least 90 days, and a consumer shall have the right to request a renewal of the security alert.

(g) A consumer credit reporting agency shall notify each consumer who has requested that a security alert be placed on his or her consumer credit report of the expiration date of the alert.

(h) Notwithstanding Section 1785.19, any consumer credit reporting agency that recklessly, willfully, or intentionally fails to place a security alert pursuant to this section shall be liable for a penalty in an amount of up to two thousand five hundred dollars ($2,500) and reasonable attorneys’ fees.

1785.11.1.

 (a) A consumer may elect to place a security alert in his or her credit report by making a request in writing or by telephone to a consumer credit reporting agency. “Security alert” means a notice placed in a consumer’s credit report, at the request of the consumer, that notifies a recipient of the credit report that the consumer’s identity may have been used without the consumer’s consent to fraudulently obtain goods or services in the consumer’s name.

(b) A consumer credit reporting agency shall notify each person requesting consumer credit information with respect to a consumer of the existence of a security alert in the credit report of that consumer, regardless of whether a full credit report, credit score, or summary report is requested.

(c) Each consumer credit reporting agency shall maintain a toll-free telephone number to accept security alert requests from consumers 24 hours a day, seven days a week.

(d) The toll-free telephone number shall be included in any written disclosure by a consumer credit reporting agency to any consumer pursuant to Section 1785.15 and shall be printed in a clear and conspicuous manner.

(e) A consumer credit reporting agency shall place a security alert on a consumer’s credit report no later than five business days after receiving a request from the consumer.

(f) The security alert shall remain in place for at least 90 days, and a consumer shall have the right to request a renewal of the security alert.

(g) A consumer credit reporting agency shall notify each consumer who has requested that a security alert be placed on his or her consumer credit report of the expiration date of the alert.

(h) Any person who uses a consumer credit report in connection with the approval of credit based on an application for an extension of credit, or with the purchase, lease, or rental of goods or non-credit-related services and who receives notification of a security alert pursuant to subdivision (a) may not lend money, extend credit, or complete the purchase, lease, or rental of goods or non-credit-related services without taking reasonable steps to verify the consumer’s identity, in order to ensure that the application for an extension of credit or for the purchase, lease, or rental of goods or noncredit related services is not the result of identity theft. If the consumer has placed a statement with the security alert in his or her file requesting that identity be verified by calling a specified telephone number, any person who receives that statement with the security alert in a consumer’s file pursuant to subdivision (a) shall take reasonable steps to verify the identity of the consumer by contacting the consumer using the specified telephone number prior to lending money, extending credit, or completing the purchase, lease, or rental of goods or non-credit-related services. If a person uses a consumer credit report to facilitate the extension of credit or for another permissible purpose on behalf of a subsidiary, affiliate, agent, assignee, or prospective assignee, that person may verify a consumer’s identity under this section in lieu of the subsidiary, affiliate, agent, assignee, or prospective assignee.

(i) For purposes of this section, “extension of credit” does not include an increase in the dollar limit of an existing open-end credit plan, as defined in Regulation Z issued by the Board of Governors of the Federal Reserve System (12 C.F.R. 226.2), or any change to, or review of, an existing credit account.

(j) If reasonable steps are taken to verify the identity of the consumer pursuant to subdivision (b) of Section 1785.20.3, those steps constitute compliance with the requirements of this section, except that if a consumer has placed a statement including a telephone number with the security alert in his or her file, his or her identity shall be verified by contacting the consumer using that telephone number as specified pursuant to subdivision (g).

(k) Notwithstanding Section 1785.19, any consumer credit reporting agency that recklessly, willfully, or intentionally fails to place a security alert pursuant to this section shall be liable for a penalty in an amount of up to two thousand five hundred dollars ($2,500) and reasonable attorneys’ fees.

1785.11.2.

 (a) A consumer may elect to place a security freeze on his or her credit report by making a request in writing by certified mail to a consumer credit reporting agency. “Security freeze” means a notice placed in a consumer’s credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer credit reporting agency from releasing the consumer’s credit report or any information from it without the express authorization of the consumer. If a security freeze is in place, information from a consumer’s credit report may not be released to a third party without prior express authorization from the consumer. This subdivision does not prevent a consumer credit reporting agency from advising a third party that a security freeze is in effect with respect to the consumer’s credit report.

(b) A consumer credit reporting agency shall place a security freeze on a consumer’s credit report no later than five business days after receiving a written request from the consumer.

(c) The consumer credit reporting agency shall send a written confirmation of the security freeze to the consumer within 10 business days and shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit for a specific party or period of time.

(d) If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer credit reporting agency, request that the freeze be temporarily lifted, and provide the following:

(1) Proper identification, as defined in subdivision (c) of Section 1785.15.

(2) The unique personal identification number or password provided by the credit reporting agency pursuant to subdivision (c).

(3) The proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

(e) A consumer credit reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report pursuant to subdivision (d), shall comply with the request no later than three business days after receiving the request.

(f) A consumer credit reporting agency may develop procedures involving the use of telephone, fax, the Internet, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report pursuant to subdivision (d) in an expedited manner.

(g) A consumer credit reporting agency shall remove or temporarily lift a freeze placed on a consumer’s credit report only in the following cases:

(1) Upon consumer request, pursuant to subdivision (d) or (j).

(2) If the consumer’s credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer credit reporting agency intends to remove a freeze upon a consumer’s credit report pursuant to this paragraph, the consumer credit reporting agency shall notify the consumer in writing prior to removing the freeze on the consumer’s credit report.

(h) If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

(i) If a consumer requests a security freeze, the consumer credit reporting agency shall disclose the process of placing and temporarily lifting a freeze, and the process for allowing access to information from the consumer’s credit report for a specific party or period of time while the freeze is in place.

(j) A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer credit reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both of the following:

(1) Proper identification, as defined in subdivision (c) of Section 1785.15.

(2) The unique personal identification number or password provided by the credit reporting agency pursuant to subdivision (c).

(k) A consumer credit reporting agency shall require proper identification, as defined in subdivision (c) of Section 1785.15, of the person making a request to place or remove a security freeze.

(l) The provisions of this section do not apply to the use of a consumer credit report by any of the following:

(1) A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument. For purposes of this paragraph, “reviewing the account” includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

(2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subdivision (d) of Section 1785.11.2 for purposes of facilitating the extension of credit or other permissible use.

(3) Any state or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, or subpoena.

(4) A child support agency acting pursuant to Chapter 2 of Division 17 of the Family Code or Title IV-D of the Social Security Act (42 U.S.C. et seq.).

(5) The State Department of Health Services or its agents or assigns acting to investigate Medi-Cal fraud.

(6) The Franchise Tax Board or its agents or assigns acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities.

(7) The use of credit information for the purposes of prescreening as provided for by the federal Fair Credit Reporting Act.

(8) Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed.

(9) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer’s request.

(m) This act does not prevent a consumer credit reporting agency from charging a fee of no more than ten dollars ($10) to a consumer for each freeze, removal of the freeze, or temporary lift of the freeze for a period of time, or a fee of no more than twelve dollars ($12) for a temporary lift of a freeze for a specific party, regarding access to a consumer credit report, except that a consumer credit reporting agency may not charge a fee to a victim of identity theft who has submitted a valid police report or valid Department of Motor Vehicles investigative report that alleges a violation of Section 530.5 of the Penal Code.

1798.90.1.

 (a) (1) Any business may swipe a driver’s license or identification card issued by the Department of Motor Vehicles in any electronic device for the following purposes:

(A) To verify age or the authenticity of the driver’s license or identification card.

(B) To comply with a legal requirement to record, retain, or transmit that information.

(C) To transmit information to a check service company for the purpose of approving negotiable instruments, electronic funds transfers, or similar methods of payments, provided that only the name and identification number from the license or the card may be used or retained by the check service company.

(D) To collect or disclose personal information that is required for reporting, investigating, or preventing fraud, abuse, or material misrepresentation.

(2) A business may not retain or use any of the information obtained by that electronic means for any purpose other than as provided herein.

(b) As used in this section, “business” means a proprietorship, partnership, corporation, or any other form of commercial enterprise.

(c) A violation of this section constitutes a misdemeanor punishable by imprisonment in a county jail for no more than one year, or by a fine of no more than ten thousand dollars ($10,000), or by both.

1799.1b.

 (a) Any credit card issuer that receives a change of address request, other than for a correction of a typographical error, from a cardholder who orders a replacement credit card within 60 days before or after that request is received shall send to that cardholder a change of address notification that is addressed to the cardholder at the cardholder’s previous address of record. If the replacement credit card is requested prior to the effective date of the change of address, the notification shall be sent within 30 days of the change of address request. If the replacement credit card is requested after the effective date of the change of address, the notification shall be sent within 30 days of the request for the replacement credit card.

(b) Any business entity that provides telephone accounts that receives a change of address request, other than for a correction of a typographical error, from an accountholder who orders new service, shall send to that accountholder a change of address notification that is addressed to the accountholder at the accountholder’s previous address of record. The notification shall be sent within 30 days of the request for new service.

(c) The notice required pursuant to subdivision (a) or (b) may be given by telephone or e-mail communication if the credit card issuer or business entity that provides telephone accounts reasonably believes that it has the current telephone number or e-mail address for the accountholder or cardholder who has requested a change of address. If the notification is in writing it may not contain the consumer’s account number, social security number, or other personal identifying information, but may contain the consumer’s name, previous address, and new address of record. For business entities described in subdivision (b), the notification may also contain the accountholder’s telephone number.

(d) A credit card issuer or a business entity that provides telephone accounts are not required to send a change of address notification when a change of address request is made in person by a consumer who has presented valid identification, or is made by telephone and the requester has provided a unique alpha-numeric password.

(e) The following definitions shall apply to this section:

(1) “Credit account” has the same meaning as “credit card,” as defined in subdivision (a) of Section 1747.02.

(2) “Telephone account” means an account with a telephone corporation, as defined in Section 234 of the Public Utilities Code.

530.6.

 (a) A person who has learned or reasonably suspects that his or her personal identifying information has been unlawfully used by another, as described in subdivision (a) of Section 530.5, may initiate a law enforcement investigation by contacting the local law enforcement agency that has jurisdiction over his or her actual residence, which shall take a police report of the matter, provide the complainant with a copy of that report, and begin an investigation of the facts. If the suspected crime was committed in a different jurisdiction, the local law enforcement agency may refer the matter to the law enforcement agency where the suspected crime was committed for further investigation of the facts.

(b) A person who reasonably believes that he or she is the victim of identity theft may petition a court, or the court, on its own motion or upon application of the prosecuting attorney, may move, for an expedited judicial determination of his or her factual innocence, where the perpetrator of the identity theft was arrested for, cited for, or convicted of a crime under the victim’s identity, or where a criminal complaint has been filed against the perpetrator in the victim’s name, or where the victim’s identity has been mistakenly associated with a record of criminal conviction. Any judicial determination of factual innocence made pursuant to this section may be heard and determined upon declarations, affidavits, police reports, or other material, relevant, and reliable information submitted by the parties or ordered to be part of the record by the court. Where the court determines that the petition or motion is meritorious and that there is no reasonable cause to believe that the victim committed the offense for which the perpetrator of the identity theft was arrested, cited, convicted, or subject to a criminal complaint in the victim’s name, or that the victim’s identity has been mistakenly associated with a record of criminal conviction, the court shall find the victim factually innocent of that offense. If the victim is found factually innocent, the court shall issue an order certifying this determination.

(c) After a court has issued a determination of factual innocence pursuant to this section, the court may order the name and associated personal identifying information contained in court records, files, and indexes accessible by the public deleted, sealed, or labeled to show that the data is impersonated and does not reflect the defendant’s identity.

(d) A court that has issued a determination of factual innocence pursuant to this section may at any time vacate that determination if the petition, or any information submitted in support of the petition, is found to contain any material misrepresentation or fraud.

(e) The Judicial Council of California shall develop a form for use in issuing an order pursuant to this section.

530.8.

 (a) If a person discovers that an application in his or her name for a loan, credit line or account, credit card, charge card, public utility service, or commercial mobile radio service has been filed with any person or entity by an unauthorized person, or that an account in his or her name has been opened with a bank, trust company, savings association, credit union, public utility, or commercial mobile radio service provider by an unauthorized person, then, upon presenting to the person or entity with which the application was filed or the account was opened a copy of a police report prepared pursuant to Section 530.6 and identifying information in the categories of information that the unauthorized person used to complete the application or to open the account, the person, or a law enforcement officer specified by the person, shall be entitled to receive information related to the application or account, including a copy of the unauthorized person’s application or application information and a record of transactions or charges associated with the application or account. Upon request by the person in whose name the application was filed or in whose name the account was opened, the person or entity with which the application was filed shall inform him or her of the categories of identifying information that the unauthorized person used to complete the application or to open the account. The person or entity with which the application was filed or the account was opened shall provide copies of all forms and information required by this section, without charge, within 10 business days of receipt of the person’s request and submission of the required copy of the police report and identifying information.

(b) Any request made pursuant to subdivision (a) to a person or entity subject to the provisions of Section 2891 of the Public Utilities Code shall be in writing and the requesting person shall be deemed to be the subscriber for purposes of that section.

(c) (1) Before a person or entity provides copies to a law enforcement officer pursuant to subdivision (a), the person or entity may require the requesting person to submit a signed and dated statement by which the requesting person does all of the following:

(A) Authorizes disclosure for a stated period.

(B) Specifies the name of the agency or department to which the disclosure is authorized.

(C) Identifies the types of records that the requesting person authorizes to be disclosed.

(2) The person or entity shall include in the statement to be signed by the requesting person a notice that the requesting person has the right at any time to revoke the authorization.

(d) (1) A failure to produce records pursuant to subdivision (a) shall be addressed by the court in the jurisdiction in which the victim resides or in which the request for information was issued. At the victim’s request, the Attorney General, the district attorney, or the prosecuting city attorney may file a petition to compel the attendance of the person or entity in possession of the records, as described in subdivision (a), and order the production of the requested records to the court. The petition shall contain a declaration from the victim stating when the request for information was made, that the information requested was not provided, and what response, if any, was made by the person or entity. The petition shall also contain copies of the police report prepared pursuant to Section 530.6 and the request for information made pursuant to this section upon the person or entity in possession of the records, as described in subdivision (a), and these two documents shall be kept confidential by the court. The petition and copies of the police report and the application shall be served upon the person or entity in possession of the records, as described in subdivision (a). The court shall hold a hearing on the petition no later than 10 court days after the petition is served and filed. The court shall order the release of records to the victim as required pursuant to this section.

(2) In addition to any other civil remedy available, the victim may bring a civil action against the entity for damages, injunctive relief or other equitable relief, and a penalty of one hundred dollars ($100) per day of noncompliance, plus reasonable attorneys’ fees.

(e) As used in this section, “application” includes the addition of authorized users to an existing account or any other changes made to an existing account.

(f) As used in this section, “law enforcement officer” means a peace officer as defined by Section 830.1 of the Penal Code.

(g) As used in this section, “commercial mobile radio service” means “commercial mobile radio service” as defined in section 20.3 of Title 47 of the Code of Federal Regulations.

530.8.

 (a) If a person discovers that an application in his or her name for a loan, credit line or account, credit card, charge card, public utility service, mail receiving or forwarding service, office or desk space rental service, or commercial mobile radio service has been filed with any person or entity by an unauthorized person, or that an account in his or her name has been opened with a bank, trust company, savings association, credit union, public utility, mail receiving or forwarding service, office or desk space rental service, or commercial mobile radio service provider by an unauthorized person, then, upon presenting to the person or entity with which the application was filed or the account was opened a copy of a police report prepared pursuant to Section 530.6 and identifying information in the categories of information that the unauthorized person used to complete the application or to open the account, the person, or a law enforcement officer specified by the person, shall be entitled to receive information related to the application or account, including a copy of the unauthorized person’s application or application information and a record of transactions or charges associated with the application or account. Upon request by the person in whose name the application was filed or in whose name the account was opened, the person or entity with which the application was filed shall inform him or her of the categories of identifying information that the unauthorized person used to complete the application or to open the account. The person or entity with which the application was filed or the account was opened shall provide copies of all paper records, records of telephone applications or authorizations, or records of electronic applications or authorizations required by this section, without charge, within 10 business days of receipt of the person’s request and submission of the required copy of the police report and identifying information.

(b) Any request made pursuant to subdivision (a) to a person or entity subject to the provisions of Section 2891 of the Public Utilities Code shall be in writing and the requesting person shall be deemed to be the subscriber for purposes of that section.

(c) (1) Before a person or entity provides copies to a law enforcement officer pursuant to subdivision (a), the person or entity may require the requesting person to submit a signed and dated statement by which the requesting person does all of the following:

(A) Authorizes disclosure for a stated period.

(B) Specifies the name of the agency or department to which the disclosure is authorized.

(C) Identifies the types of records that the requesting person authorizes to be disclosed.

(2) The person or entity shall include in the statement to be signed by the requesting person a notice that the requesting person has the right at any time to revoke the authorization.

(d) (1) A failure to produce records pursuant to subdivision (a) shall be addressed by the court in the jurisdiction in which the victim resides or in which the request for information was issued. At the victim’s request, the Attorney General, the district attorney, or the prosecuting city attorney may file a petition to compel the attendance of the person or entity in possession of the records, as described in subdivision (a), and order the production of the requested records to the court. The petition shall contain a declaration from the victim stating when the request for information was made, that the information requested was not provided, and what response, if any, was made by the person or entity. The petition shall also contain copies of the police report prepared pursuant to Section 530.6 and the request for information made pursuant to this section upon the person or entity in possession of the records, as described in subdivision (a), and these two documents shall be kept confidential by the court. The petition and copies of the police report and the application shall be served upon the person or entity in possession of the records, as described in subdivision (a). The court shall hold a hearing on the petition no later than 10 court days after the petition is served and filed. The court shall order the release of records to the victim as required pursuant to this section.

(2) In addition to any other civil remedy available, the victim may bring a civil action against the entity for damages, injunctive relief or other equitable relief, and a penalty of one hundred dollars ($100) per day of noncompliance, plus reasonable attorneys’ fees.

(e) For the purposes of this section, the following terms have the following meanings:

(1) “Application” means a new application for credit or service, the addition of authorized users to an existing account, the renewal of an existing account, or any other changes made to an existing account.

(2) “Commercial mobile radio service” means “commercial mobile radio service” as defined in section 20.3 of Title 47 of the Code of Federal Regulations.

(3) “Law enforcement officer” means a peace officer as defined by Section 830.1.

2891.

 (a) No telephone or telegraph corporation shall make available to any other person or corporation, without first obtaining the residential subscriber’s consent, in writing, any of the following information:

(1) The subscriber’s personal calling patterns, including any listing of the telephone or other access numbers called by the subscriber, but excluding the identification to the person called of the person calling and the telephone number from which the call was placed, subject to the restrictions in Section 2893, and also excluding billing information concerning the person calling which federal law or regulation requires a telephone corporation to provide to the person called.

(2) The residential subscriber’s credit or other personal financial information, except when the corporation is ordered by the commission to provide this information to any electrical, gas, heat, telephone, telegraph, or water corporation, or centralized credit check system, for the purpose of determining the creditworthiness of new utility subscribers.

(3) The services which the residential subscriber purchases from the corporation or from independent suppliers of information services who use the corporation’s telephone or telegraph line to provide service to the residential subscriber.

(4) Demographic information about individual residential subscribers, or aggregate information from which individual identities and characteristics have not been removed.

(b) Any residential subscriber who gives his or her written consent for the release of one or more of the categories of personal information specified in subdivision (a) shall be informed by the telephone or telegraph corporation regarding the identity of each person or corporation to whom the information has been released, upon written request. The corporation shall notify every residential subscriber of the provisions of this subdivision whenever consent is requested pursuant to this subdivision.

(c) Any residential subscriber who has, pursuant to subdivision (b), given written consent for the release of one or more of the categories of personal information specified in subdivision (a) may rescind this consent upon submission of a written notice to the telephone or telegraph corporation. The corporation shall cease to make available any personal information about the subscriber, within 30 days following receipt of notice given pursuant to this subdivision.

(d) This section does not apply to any of the following:

(1) Information provided by residential subscribers for inclusion in the corporation’s directory of subscribers.

(2) Information customarily provided by the corporation through directory assistance services.

(3) Postal ZIP Code information.

(4) Information provided under supervision of the commission to a collection agency by the telephone corporation exclusively for the collection of unpaid debts.

(5) Information provided to an emergency service agency responding to a 911 telephone call or any other call communicating an imminent threat to life or property.

(6) Information provided to a law enforcement agency in response to lawful process.

(7) Information which is required by the commission pursuant to its jurisdiction and control over telephone and telegraph corporations.

(8) Information transmitted between telephone or telegraph corporations pursuant to the furnishing of telephone service between or within service areas.

(9) Information required to be provided by the corporation pursuant to rules and orders of the commission or the Federal Communications Commission regarding the provision over telephone lines by parties other than the telephone and telegraph corporations of telephone or information services.

(10) The name and address of the lifeline customers of a telephone corporation provided by that telephone corporation to a public utility for the sole purpose of low-income ratepayer assistance outreach efforts. The telephone corporation receiving the information request pursuant to this paragraph may charge the requesting utility for the cost of the search and release of the requested information. The commission, in its annual low-income ratepayer assistance report, shall assess whether this information has been helpful in the low-income ratepayer assistance outreach efforts.

(11) Information provided in response to a request pursuant to subdivision (a) of Section 530.8 of the Penal Code.

(e) Every violation is a grounds for a civil suit by the aggrieved residential subscriber against the telephone or telegraph corporation and its employees responsible for the violation.

(f) For purposes of this section, “access number” means a telex, teletex, facsimile, computer modem, or any other code which is used by a residential subscriber of a telephone or telegraph corporation to direct a communication to another subscriber of the same or another telephone or telegraph corporation.