Luis Salazar

A California Court of Appeal decision issued October 30, 2006, could have a dramatic impact on the constitutionality of more than 20 other state credit freeze laws that lawmakers and consumer advocates have touted as a mainstay of prevention against identity theft.

The court, in the case of The U.D. Registry, Inc. v. The State of California, ruled that California's Security Freeze Act violates the First Amendment because it precludes credit reporting agencies from reporting information contained in public records, including court files. Passage of Security Freeze Acts has been the centerpiece of the Consumers Union's National Financial Privacy Now campaign. In fact, the California Security Freeze Act's provisions are similar to the statutory language the group recommends for other states considering freeze legislation. Given its constitutional dimensions and California's leadership on privacy issues, the decision is certain to have repercussions throughout the U.S.

The Freeze Act

In 2003, California became the first state to enact a Security Freeze Act, and it has since been followed by some 24 other states. The California Act's legislative history shows two primary concerns motivating the legislature: first, the prevention of identity theft, which statistics demonstrated was a rapidly growing problem in the state, and second, the unfair burden placed upon consumers - as opposed to reporting agencies - to protect their personal financial information and clean up damaged credit reports. The security freeze was intended to empower consumers and allow them to control the use of their credit history.

The author of the law, former California State Sen. Debra Bowen (D-Redondo Beach), was outraged by the appeals court decision.

"This is a major setback, not just for the people who are concerned about becoming identity theft victims, but for anyone who believes that they, and not the giant credit reporting bureaus, should have control over who has access to their personal financial information," Bowen said in a statement.

Bowen's statement noted that the decision may ultimately have an impact on freeze laws in other states.

"This decision turns the entire concept of the freeze on its head, because it essentially says a credit bureau's right to profit from selling access to your personal information trumps your right to restrict access to that information to avoid becoming an identity theft victim," Bowen said. "I don't agree with that rationale and I don't think anyone who cares about privacy rights and who wants to avoid becoming an identity theft victim would agree with it either."

As enacted, California's Freeze Act, like those enacted in most states, allows any consumer - not just victims of ID theft - to place a notice in their consumer credit report that prohibits the consumer credit reporting agency from releasing the consumer's credit report, or any information from it, without the consumer's permission. If a security freeze is in place, information from a consumer's credit report may not be released to any third party. By barring that access, the Security Freeze Act protects consumers against identity thieves that seek to open accounts in their names.

Going Too Far?

These are certainly laudable goals, but did the legislature go too far? The U.D. Registry, Inc. (UDR), which maintains information on tens of millions of people in California and elsewhere and provides landlords and property managers with reports about prospective tenants, believed the bill went overboard.

Because UDR primarily uses public information in its reports, it challenged California's Freeze law (Cal. Civil Code Sec. 1785.11.2) as unconstitutional. More specifically, UDR collects credit-related background information about individuals, including unlawful detainer, foreclosure, bankruptcy and tax lien data. It then sells these consumer credit reports to its members, which include landowners, property managers, and others. UDR's members use these reports to determine whether to lease property to a prospective tenant. The members agree in advance not to use the report for any other purpose nor to disclose the information to others. UDR's reports may also include a record of all inquiries (all who have asked for the consumer's report in the last several years) and a summary of the information contained in credit reports obtained by UDR from the better-known consumer reporting agencies, Trans Union, Experian, and/or Equifax. UDR boasts tens of millions of prospective tenants in its database.

UDR's Lawsuit

UDR sued the California Attorney General, seeking a declaration that the Freeze Law violated the First and Fourteenth Amendments of the U.S. Constitution, as well as similar provisions of the California Constitution. In challenging the law, UDR argued that a security freeze was a content-based regulation that violated its freedom of speech rights under the First Amendment, which provides that "Congress shall make no law abridging the freedom of speech" and is applicable to the states through the 14th Amendment's due process clause. UDR argued that it also violated California's comparable provision, Article I, Section 2, Subdivision (a) of the California Constitution, which states that "every person may freely speak, write and publish his or her sentiments on all subjects, being responsible for the abuse of this right. A law may not restrain or abridge liberty of speech or press." UDR's challenge, therefore, was a facial one - that the text of the measure itself was unconstitutional, not merely its application.

And the trial court agreed. It ruled in favor of UDR, issuing an injunction barring enforcement of the Freeze Act to the extent that it sought to prevent the dissemination and reporting by consumer-credit reporting agencies of any information contained in and/or obtained from matters of public record, and to the extent that it sought to preclude UDR from disseminating and reporting information contained in the public record. It found that the Freeze Act was overbroad and violated both the First Amendment of the Constitution, and similar provisions of the California Constitution.

UDR's attorney, Michael Saltz, a partner at Jacobson, Russell, Saltz & Fingerman LLP, lauded the appeals court's decision.

"The statute was based on failed logic, and gives consumers the power of a gag order on public information, a power held not even by the government," Saltz told Credit & Collections World.

Appellate Review

In reviewing the Trial Court's decision, the Appellate Court noted that the mere fact that UDR sells information does not transform its speech into a "commercial speech, any more than the fact that a magazine or a newspaper sold makes its contents commercial speech." Nonetheless, because it ultimately believed the law unconstitutional anyway, the court applied the more stringent commercial speech standard, in effect making its decision more appeal-resistant.

It then employed the four-part intermediate scrutiny analysis developed by the United States Supreme Court in Central Hudson Gas & Elec. Corp. v. Public Serv. Comm'n, 447 U.S. 557 (1980), to determine whether the act violated UDR's "commercial" freedom of speech: (i) does the dispute concern unlawful activity; (ii) is it misleading; (iii) is the asserted governmental interest substantial; and (iv) does the regulation directly advance the governmental interest asserted, or is it more extensive than necessary.

Addressing these factors in the case of the California Freeze Act, the Court first noted that UDR's "Credit" reports were neither unlawful nor misleading, but were culled from public sources, which, in the case of court records, are presumptively open for public examination. Second, the trial court found, and all the parties conceded, that protecting consumers from identity theft is a substantial governmental interest. Third, although expressing some doubt, the Appellate Court agreed to accept that the government's interest in protecting consumers does directly and materially advance the asserted governmental interest.

Finally, the fourth Central Hudson factor requires that the restriction not be excessive, and, if the governmental interest could be served as well by a more limited restriction of commercial speech, the excessive restrictions cannot survive. It was on this last factor that the law foundered. The Freeze Act included a bar on plaintiff's truthful reporting of lawfully available and obtained public record information, including the disclosure of data contained in court records that are constitutionally, presumptively available to journalists and the public. For this reason, the Freeze Act violated the First Amendment.

Further, the Appellate Court found, as did the trial court, that the Freeze Act could not be judicially reformed so as to permit the statute to apply to UDR and others. In effect, the court was unwilling to reform the Freeze Act to allow the dissemination of publicly available information, as that in no way appeared to have been the legislature's intent in passing this provision.

But because there was no underlying evidence presented as to the manner or content of credit reports produced by other businesses, the Appellate Court held that a facial challenge could not be sustained as to every potentially affected party. Thus, it remanded with directions that the trial court's blanket injunction as to the enforcement of the Freeze Act be limited to the plaintiff, UDR.


Given the similarities between California's Security Freeze Act and those of other states, the California Appellate Court's decision can - and will likely - be relied upon to challenge Freeze Acts in other states. To the extent that those laws try to stop a reporting agency that relies on public documentation freely accessible by the press and the public, they are subject to a constitutional challenge. Although the Attorney General has not decided whether to pursue an appeal, the deadline to petition for review by California's Supreme Court is December 11.

Luis Salazar is a shareholder with Greenberg Traurig and a founding member of the firm's Privacy and Data Security Practice Group. Salazar is also the drafter of the recently enacted Privacy Policy Enforcement in Bankruptcy Act, an amendment to the Bankruptcy Code that prohibits bankrupt companies from misusing consumers' personally identifying information and provides for the appointment of a Consumer Privacy Ombudsman to advise Bankruptcy Courts on privacy issues. He is also a member of the Editorial Board of The Privacy & Data Protection Legal Reporter. Salazar is based in the firm's Miami office and can be reached by email.

