(a) An investigative consumer reporting agency shall maintain reasonable procedures designed to avoid violations of Section 1786.18 and to limit furnishing of investigative consumer reports for the purposes listed under Section 1786.12. These procedures shall require that prospective users of the information identify themselves, certify the purposes for which the information is sought and that the information will be used for no other purposes, and make the certifications described in paragraph (4) of subdivision (a) of Section 1786.16. From the effective date of this title, the investigative consumer reporting agency shall keep a record of the purposes for which information is sought, as stated by the user. The investigative consumer reporting agency may assume that the purpose for which a user seeks information remains the same as that which a user has previously stated. The investigative consumer reporting agency shall inform the user that the user is obligated to notify the agency of any change in the purpose for which information will be used. An investigative consumer reporting agency shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by the prospective user prior to furnishing the user any investigative consumer reports. An investigative consumer reporting agency may not furnish an investigative consumer report to a person unless it has a written agreement that the investigative consumer reports will be used by that person only for purposes listed in Section 1786.12.
(b) Whenever an investigative consumer reporting agency prepares an investigative consumer report, it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates. An investigative consumer reporting agency shall retain the investigative consumer report for two years after the report is provided.
(c) An investigative consumer reporting agency may not make an inquiry for the purpose of preparing an investigative consumer report on a consumer for employment purposes if the making of the inquiry by an employer or prospective employer of the consumer would violate applicable federal or state equal employment opportunity law or regulation.
(d) (1) An investigative consumer reporting agency doing business in this state shall conspicuously post, as defined in subdivision (b) of Section 22577 of the Business and Professions Code, on its primary Internet Web site information describing its privacy practices with respect to its preparation and processing of investigative consumer reports. If the investigative consumer reporting agency does not have an Internet Web site, it shall, upon request, mail a written copy of the privacy statement to consumers. The privacy statement shall conspicuously include, but not be limited to, both of the following:
(A) A statement entitled “Personal Information Disclosure: United States or Overseas,” that indicates whether the personal information will be transferred to third parties outside the United States or its territories.
(B) A separate section that includes the name, mailing address, e-mail address, and telephone number of the investigative consumer reporting agency representatives who can assist a consumer with additional information regarding the investigative consumer reporting agency’s privacy practices or policies in the event of a compromise of his or her information.
(2) For purposes of this subdivision, “third party” shall include, but not be limited to, a contractor, foreign affiliate, wholly owned entity, or an employee of the investigative consumer reporting agency.
(e) An investigative consumer reporting agency shall be liable to a consumer who is the subject of a report if the consumer is harmed by any unauthorized access of the consumer’s personally identifiable information, act, or omission that occurs outside the United States or its territories as a result of the investigative consumer reporting agency negligently preparing or processing an investigative consumer report, or portion thereof, outside of the United States or its territories. Liability shall be in an amount equal to the sum of (1) any actual damages sustained by the consumer as a result of the unauthorized access, and (2) in the case of any successful action to enforce any liability under this section, the costs of the action together with reasonable attorney’s fees, as determined by the court.
(Amended by Stats. 2010, Ch. 481, Sec. 2. (SB 909) Effective January 1, 2011.)