California SB 25 - Recent Law on the Use of Social Security Numbers
The intent of recent amendments to law concerning the use of Social Security numbers (SSN) is to protect SSNs from being stolen and to prevent identity theft. These guidelines highlight requirements of the law.
The Law: Civil Code Section 1798.85
- Amending legislation made CSU subject to these provisions.
January 1, 2004, unless otherwise indicated below.
Under the law, the following actions are prohibited:
- Publicly post or publicly display in any manner an individual's SSN. "Publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public.
- Print an individual's SSN on any card required for the individual to access products or services provided by the person or entity.
- Require an individual to transmit his or her SSN over the Internet, unless the connection is secure or the SSN is encrypted.
- Require an individual to use his or her SSN to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site. (Effective January 1, 2005)
- Print an individual's SSN on any materials that are mailed to the individual, unless state or federal law requires the SSN to be on the document to be mailed. Notwithstanding this paragraph, SSNs may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN. An SSN that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened. (Effective January 1, 2005)
- Encode or embed the SSN in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the SSN as an effort to comply with these new provisions.
Allowable Uses of the SSN
As a Requirement of Law or for Administrative Purposes: Social Security numbers may be
- collected, used, or released as required by state or federal law,
- or used for internal verification or administrative purposes.
Grandfather Clause: If a state or local agency used an individual's SSN in the manner prohibited above prior to January 1, 2004, it is allowed to continue to use that individual's SSN in the same manner on or after January 1, 2004, if all of the following conditions are met:
- The use of the SSN is continuous. If the use is stopped for any reason, the prohibitions apply.
- The individual is provided an annual disclosure that informs the individual that he or she has the right to stop the use of his or her SSN in a manner prohibited under the law.
- A written request by an individual to stop the use of his or her SSN in the manner prohibited by the law is implemented within thirty days of the receipt of the request. There may not be a fee or charge for implementing the request.
- The person or entity does not deny services to an individual because the individual makes a written request to stop the use of his or her SSN.
This grandfather clause concerns the use of an individual's SSN and not the practice of using SSNs in general.
Guidance about Truncating the SSN
The law does not prohibit printing a truncated SSN on a document to be mailed to the individual. If an SSN is truncated, however, only the last four digits should be displayed, e.g., XXX-XX-1234.