Refinancing And Consolidation - Information Practices Act Of 1977 - CA Civil Law

Section § 1798.25

This section of the law requires agencies to keep detailed records whenever they share personal records with others. They must note the date, nature, and purpose of each disclosure, including who received the information. This applies especially when sharing with law enforcement or regulatory agencies for investigations or licensing discussions. Routine crime-related information sharing with governmental agencies is also covered under these requirements.

(a) Each agency shall keep an accurate accounting of the date, nature, and purpose of each disclosure of a record made pursuant to subdivision (i), (k), (l), (o), or (p) of Section 1798.24. This accounting shall also be required for disclosures made pursuant to subdivision (e) or (f) of Section 1798.24 unless notice of the type of disclosure has been provided pursuant to Sections 1798.9 and 1798.10. The accounting shall also include the name, title, and business address of the person or agency to whom the disclosure was made. For the purpose of an accounting of a disclosure made under subdivision (o) of Section 1798.24, it shall be sufficient for a law enforcement or regulatory agency to record the date of disclosure, the law enforcement or regulatory agency requesting the disclosure, and whether the purpose of the disclosure is for an investigation of unlawful activity under the jurisdiction of the requesting agency, or for licensing, certification, or regulatory purposes by that agency.

(b) Routine disclosures of information pertaining to crimes, offenders, and suspected offenders to law enforcement or regulatory agencies of federal, state, and local government shall be deemed to be disclosures pursuant to subdivision (e) of Section 1798.24 for the purpose of meeting this requirement.

record disclosure personal information law enforcement sharing regulatory agencies crime information record keeping disclosure date disclosure purpose recipient identification routine disclosure unlawful activity investigation licensing purposes federal state local agencies

(Amended by Stats. 2018, Ch. 92, Sec. 36. (SB 1289) Effective January 1, 2019.)

Section § 1798.26

This law section requires the California Department of Motor Vehicles (DMV) to create rules for handling requests for personal vehicle registration and driver’s license information. Anyone requesting this information must identify themselves and explain why they want it. The DMV verifies their identity and may wait 10 days before giving out the information. They must also inform the person whose information is being shared about what was shared and who requested it. These rules don't apply to government bodies, approved requesters with special codes, or courts.

With respect to the sale of information concerning the registration of any vehicle or the sale of information from the files of drivers’ licenses, the Department of Motor Vehicles shall, by regulation, establish administrative procedures under which any person making a request for information shall be required to identify himself or herself and state the reason for making the request. These procedures shall provide for the verification of the name and address of the person making a request for the information and the department may require the person to produce the information as it determines is necessary in order to ensure that the name and address of the person are his or her true name and address. These procedures may provide for a 10-day delay in the release of the requested information. These procedures shall also provide for notification to the person to whom the information primarily relates, as to what information was provided and to whom it was provided. The department shall, by regulation, establish a reasonable period of time for which a record of all the foregoing shall be maintained.

The procedures required by this subdivision do not apply to any governmental entity, any person who has applied for and has been issued a requester code by the department, or any court of competent jurisdiction.

Department of Motor Vehicles vehicle registration information drivers' license files request for information identity verification notification procedures government exemption requester code information disclosure delay personal data protection

(Amended by Stats. 1989, Ch. 1213, Sec. 2.)

Section § 1798.27

Agencies have to keep a record of disclosures they make for at least three years or until the original record is destroyed, whichever comes first. However, they don't need to keep the original documents for three years as long as they meet the requirements of this rule another way.

Each agency shall retain the accounting made pursuant to Section 1798.25 for at least three years after the disclosure for which the accounting is made, or until the record is destroyed, whichever is shorter.

Nothing in this section shall be construed to require retention of the original documents for a three-year period, providing that the agency can otherwise comply with the requirements of this section.

record retention disclosure accounting three-year period record destruction document retention agency compliance original documents accounting of disclosures Section 1798.25 compliance record keeping

(Added by Stats. 1977, Ch. 709.)

Section § 1798.28

This law requires agencies in California to notify anyone who has received information containing personal details about a person if there has been a correction or dispute related to that record. This must be done if such disclosure records are required to be kept, the recipient's name is available, or if the person concerned can identify the disclosure recipient. This applies to corrections or disputes made after July 1, 1978, and within the last three years.

Each agency, after July 1, 1978, shall inform any person or agency to whom a record containing personal information has been disclosed during the preceding three years of any correction of an error or notation of dispute made pursuant to Sections 1798.35 and 1798.36 if (1) an accounting of the disclosure is required by Section 1798.25 or 1798.26, and the accounting has not been destroyed pursuant to Section 1798.27, or (2) the information provides the name of the person or agency to whom the disclosure was made, or (3) the person who is the subject of the disclosed record provides the name of the person or agency to whom the information was disclosed.

personal information record correction dispute notification disclosure accounting name of recipient agency obligations error correction California agencies record disclosure recipient notification data accuracy record keeping information correction disclosure history California privacy requirements

(Amended by Stats. 1985, Ch. 595, Sec. 13.)

Section § 1798.29

This law mandates that if any agency in California has a data breach involving personal information, they must inform affected residents quickly. If they handle data they don't own, they must immediately alert the data's owner. Notification can be delayed if law enforcement thinks it could disrupt an investigation. The notice must be clear, labeled 'Notice of Data Breach,' and include details like what happened, who it affected, and what is being done. If the breach impacts over 500 people, the agency must also notify the Attorney General. Personal information includes things like social security numbers, driver’s licenses, medical info, and even biometric data. Notice can be sent by mail, email, or other methods depending on the situation. The law applies to all agencies, including local ones, and even impacts the State Bar of California.

(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d) Any agency that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language, shall be titled “Notice of Data Breach,” and shall present the information described in paragraph (2) under the following headings: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.” Additional information may be provided as a supplement to the notice.

(A) The format of the notice shall be designed to call attention to the nature and significance of the information it contains.

(B) The title and headings in the notice shall be clearly and conspicuously displayed.

(C) The text of the notice and any other notice provided pursuant to this section shall be no smaller than 10-point type.

(D) For a written notice described in paragraph (1) of subdivision (i), use of the model security breach notification form prescribed below or use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

[NAME OF INSTITUTION / LOGO] _____ _____ Date: [insert date]

NOTICE OF DATA BREACH

What Happened?

What Information Was Involved?

What We Are Doing.

What You Can Do.

Other Important Information.

[insert other important information]

For More Information.

Call [telephone number] or go to [internet website]

(E) For an electronic notice described in paragraph (2) of subdivision (i), use of the headings described in this paragraph with the information described in paragraph (2), written in plain language, shall be deemed to be in compliance with this subdivision.

(2) The security breach notification described in paragraph (1) shall include, at a minimum, the following information:

(A) The name and contact information of the reporting agency subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether the notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies, if the breach exposed a social security number or a driver’s license or California identification card number.

(3) At the discretion of the agency, the security breach notification may also include any of the following:

(A) Information about what the agency has done to protect individuals whose information has been breached.

(B) Advice on steps that people whose information has been breached may take to protect themselves.

(e) Any agency that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within Article 1 (commencing with Section 7923.600) of Chapter 1 of Part 5 of Division 10 of Title 1 of the Government Code.

(f) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(g) For purposes of this section, “personal information” means either of the following:

(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.

(B) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(D) Medical information.

(E) Health insurance information.

(F) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

(G) Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

(H) Genetic data.

(2) A username or email address, in combination with a password or security question and answer that would permit access to an online account.

(h)

(1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(4) For purposes of this section, “encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.

(5) For purposes of this section, “genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.

(i) For purposes of this section, “notice” may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.

(3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:

(A) Email notice when the agency has an email address for the subject persons.

(B) Conspicuous posting, for a minimum of 30 days, of the notice on the agency’s internet website, if the agency maintains one. For purposes of this subparagraph, conspicuous posting on the agency’s internet website means providing a link to the notice on the home page or first significant page after entering the internet website that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.

(4) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for an online account, and no other personal information defined in paragraph (1) of subdivision (g), the agency may comply with this section by providing the security breach notification in electronic or other form that directs the person whose personal information has been breached to promptly change the person’s password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the agency and all other online accounts for which the person uses the same username or email address and password or security question or answer.

(5) In the case of a breach of the security of the system involving personal information defined in paragraph (2) of subdivision (g) for login credentials of an email account furnished by the agency, the agency shall not comply with this section by providing the security breach notification to that email address, but may, instead, comply with this section by providing notice by another method described in this subdivision or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet Protocol address or online location from which the agency knows the resident customarily accesses the account.

(j) Notwithstanding subdivision (i), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

(k) Notwithstanding the exception specified in paragraph (4) of subdivision (b) of Section 1798.3, for purposes of this section, “agency” includes a local agency, as defined in Section 7920.510 of the Government Code.

(l) For purposes of this section, “encryption key” and “security credential” mean the confidential key or process designed to render the data usable, readable, and decipherable.

(m) Notwithstanding any other law, the State Bar of California shall comply with this section. This subdivision shall not be construed to apply other provisions of this chapter to the State Bar.

data breach notification personal information unencrypted data encryption key unauthorized access law enforcement delay Notice of Data Breach breach disclosure requirements agency responsibilities security breach impact affected California residents contact information credit reporting agencies unique biometric data law enforcement investigation

(Amended by Stats. 2022, Ch. 419, Sec. 14. (AB 2958) Effective September 18, 2022.)

Section § 1807.1

This section discusses the rules for extending or deferring payments on a retail installment contract. If both the buyer and the contract holder agree, it's possible to delay scheduled payments, but this must be in writing. If the contract has a finance charge based on precomputed interest, the holder can charge up to 1% per month on the delayed amount, but not less than $1. If the contract uses simple interest, the charge can't exceed $25 or 10% of the remaining balance, whichever is less. The agreement may also require the buyer to cover costs for keeping any insurance active during the extension.

(a) The holder of a retail installment contract may, upon agreement with the buyer, extend the scheduled due date or defer the scheduled payment of all or of any part of any installment or installments payable thereunder. No charge shall be made for any such extension or deferment unless the agreement for such extension or deferment is in writing and signed by the parties thereto.

(b) Where the contract includes a finance charge determined on the precomputed basis, the holder may charge and contract for the payment of an extension or deferral agreement charge by the buyer and collect and receive the same, but such charge may not exceed an amount equal to 1 percent per month simple interest on the amount of the installment or installments, or part thereof, extended or deferred for the period of extension or deferral. Such period shall not exceed the period from the date when such extended or deferred installment or installments, or part thereof, would have been payable in the absence of such extension or deferral, to the date when such installment or installments, or part thereof, are made payable under the agreement of extension or deferment; except that a minimum charge of one dollar ($1) for the period of extension or deferral may be made in any case where the extension or deferral agreement charge, when computed at such rate, amounts to less than one dollar ($1).

(c) Where the contract includes a finance charge determined on the simple-interest basis, the holder may charge and contract for the payment of an extension or deferral agreement charge by the buyer and collect and receive the same, but the charge for the extension or deferral agreement may not exceed the lesser of twenty-five dollars ($25) or 10 percent of the then unpaid balance of the contract. Such charge shall be in addition to any finance charges which accrue because such extended or deferred payments are received at a time other than as originally scheduled.

(d) An extension or deferral agreement may also provide for the payment by the buyer of the additional cost to the holder of the contract of premiums for continuing in force, until the end of such period of extension or deferral, any insurance coverages provided for in the contract, subject to the provisions of Section 1803.5.

retail installment contract payment extension payment deferral finance charge precomputed interest simple interest installment delay written agreement extension charge insurance coverage continuation buyer agreement contract holder minimum charge simple interest limit payment deferment terms

(Amended by Stats. 1980, Ch. 1380, Sec. 17. Effective October 1, 1980.)

Section § 1807.2

This law lets you refinance a retail installment contract, which is basically redoing a payment plan for something you've bought. Both you and the contract holder have to agree in writing. You can be charged a fee for this refinancing, and the fee should be based on how much you still owe, plus any extra costs like insurance. The refinancing agreement has to clearly show several things: how much you still owe, any refund credit you're due, the final total to refinance, any additional insurance or official fees, the annual finance charge both as a percentage and in dollars, and finally, when and how much your new payments will be.

The holder of a retail installment contract or contracts may, upon agreement in writing with the buyer, refinance the remaining amount owing on the contract or contracts by providing for a new schedule of installment payments. The holder may charge and contract for the payment of a refinance charge by the buyer and collect and receive the same, but such refinance charge shall be based upon the amount refinanced, plus any additional cost of insurance and of official fees incident to the refinancing, after the deduction of a refund credit in an amount equal to that to which the buyer would have been entitled under Section 1806.3 if he or she had prepaid in full his or her obligations under the contract or contracts. The agreement for refinancing may also provide for the payment by the buyer of the additional cost to the holder of the contract or contracts of premiums for continuing in force, until the maturity of the contract or contracts as refinanced, any insurance coverages provided for therein, subject to Section 1803.5. The refinancing agreement shall set forth:

(a) The amount of the existing outstanding balance to be refinanced, which consists of the remaining amount owing to be refinanced.

(b) The amount of any refund credit.

(d) Any additional cost of insurance and of official fees to the buyer.

(e) The sum of subdivisions (c) and (d), which is the amount financed.

(f) The finance charge (1) as expressed as the annual percentage rate as defined in Regulation Z and (2) expressed in dollars.

(g) The number amount, and due dates or periods of payments scheduled to repay the indebtedness and the sum of those payments.

The items need not be stated in the sequence or order set forth above; additional items may be included to explain the computations made in determining the amount to be paid by the buyer. Where there is a consolidation of two or more contracts then Sections 1808.1 and 1808.2 shall apply. If the finance charge or any portion thereof is calculated on the 365-day basis, the amount of the finance charge shown pursuant to subdivision (f) shall be that amount which will be incurred by the buyer if all payments are received by the seller on their respective due dates.

retail installment contract refinance charge installment payments remaining balance refund credit additional cost of insurance official fees finance charge annual percentage rate payment schedule maturity of contract Regulation Z consolidation 365-day basis due dates

(Amended (as amended by Stats. 1988, Ch. 479, Sec. 6) by Stats. 1991, Ch. 819, Sec. 9.)

Section § 1807.3

This law section deals with contracts that have a big, single payment (called a balloon payment) that is more than twice a regular payment. The contract must clearly state that there is a large balloon payment and give the amount due. If a buyer can't make this large payment, they have the absolute right to ask for a new payment plan. The new payments can't be much higher than the previous ones unless the buyer agrees to it.

(a) If any payment, other than a deferred downpayment, under a contract or refinancing agreement is more than twice the amount of an otherwise regularly scheduled equal payment, the contract or refinancing agreement shall contain the following provision:

“The payment schedule contained in this contract requires that you make a balloon payment of

$(Amount of balloon payment) which is a payment of

more than double the amount of the regular payments. You have an absolute right to obtain a new payment schedule if you default in the payment of any balloon payment.”

(b) If the buyer defaults in the payment of any balloon payment, he or she shall be given an absolute right to obtain a new payment schedule. Unless agreed to by the buyer, the periodic payments under the new schedule shall not be substantially greater than the average of the preceding installments.

balloon payment payment schedule default refinancing agreement new payment schedule absolute right contract provision regular payments deferred downpayment installments buyer rights large payment contract agreement periodic payments scheduled payment amount

(Amended by Stats. 1981, Ch. 1075, Sec. 11. Operative October 1, 1982, or sooner, by Sec. 25 of Ch. 1075, as amended by Stats. 1982, Ch. 129, Sec. 12.)