Privacy Bulletin, November 8, 2007
Currently, more than 25 states have adopted laws restricting or prohibiting the collection, use or disclosure of an individual’s Social Security number (“SSN”), and these laws generally apply to all commercial entities.[1] In addition to the SSN disclosure laws discussed in this article, other state laws also may regulate the collection, use or disclosure of SSN data; for example, this article does not address state laws that regulate the collection, use or disclosure of SSN data by insurance entities, given the specialized nature of those laws.
In response to perceived abuses arising from the widespread use of SSNs as identifiers,[2] California enacted legislation in 2001 that imposes significant restrictions on the use of SSNs by businesses and, in certain circumstances, state and local agencies.[3] Like the California law, the SSN disclosure laws of a majority of the states generally apply to any person or entity doing business in the state.[4] However, some state laws, such as those in Nebraska[5] and Oklahoma,[6] apply to employers who use employees’ SSNs. In addition, the laws of some states exempt certain entities from the SSN disclosure laws. For example, the Colorado law exempts entities covered by the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”),[7] and the Pennsylvania law exempts a financial institution covered by the Gramm-Leach-Bliley Act (“GLBA”), a “licensee” regulated under Pennsylvania law, a covered entity under HIPAA or any entity subject to the Fair Credit Reporting Act (“FCRA”).[8]