(a) A state agency shall not send any outgoing United States mail to an individual that contains personal information about that individual, including, but not limited to, the individual’s social security number, telephone number, driver’s license number, or credit card account number, unless that personal information is contained within sealed correspondence and cannot be viewed from the outside of that sealed correspondence.
(b) (1) Notwithstanding any other law, commencing on or before January 1, 2023, a state agency shall not send any outgoing United States mail to an individual that contains the individual’s social security number unless the number is truncated to its last four digits, except in the following circumstances:
(A) Federal law requires inclusion of the social security number.
(B) The documents are mailed to a current or prospective state employee.
(C) An individual erroneously mailed a document containing a social security number to a state agency, and the state agency is returning the original document by certified or registered United States mail.
(D) The Controller is returning documents to an individual previously submitted by the individual pursuant to Chapter 7 (commencing with Section 1500) of Title 10 of Part 3 of the Code of Civil Procedure.
(E) The document is sent in response to a valid request for access to personal information, pursuant to Section 1798.34 of the Civil Code.
(2) (A) On or before September 1, 2021, each state agency that mails an individual’s full or truncated part of a social security number to that individual, other than as permitted by paragraph (1), shall report to the Legislature regarding when and why it does so.
(B) A state agency that, in its own estimation, is unable to comply with the requirements of paragraph (1) of this subdivision shall submit an annual corrective action plan to the Legislature until it is in compliance with that paragraph.
(C) A report required by subparagraph (A) of this paragraph or corrective action plan required by subparagraph (B) of this paragraph and communications made in connection with these documents that bear on what mailings do and do not contain an individual’s social security number, are confidential and shall not be disclosed to the public pursuant to any state law, including, but not limited to, the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).
(3) (A) The requirement for submitting a report imposed under subparagraph (A) of paragraph (2) is inoperative on January 1, 2024, pursuant to Section 10231.5 of the Government Code.
(B) A report to be submitted pursuant to subparagraph (A) or (B) of paragraph (2) shall be submitted in compliance with Section 9795 of the Government Code.
(c) “Outgoing United States mail” for the purposes of this section includes correspondence sent via a common carrier, including, but not limited to, a package express service and a courier service.
(d) Notwithstanding subdivision (a) of Section 11000, “state agency” includes the California State University.
(Amended by Stats. 2020, Ch. 155, Sec. 1. (AB 499) Effective January 1, 2021.)