Skip to Main Content

Identity Theft Protections for Minors Signal New Area of Privacy Obligations for Companies

Identity theft protection isn't just for adults anymore. As stories of data breaches and identity theft have become part of the daily news cycle, a recent law enacted by Congress provides increased protection to minors from such attacks. Under Pub. L. 115-175, better known as the Economic Growth, Regulatory Relief, and Consumer Protection Act (the Act), parents and legal guardians now have the ability to implement free credit freezes for children under 16. The Act amends Section 605A of the Fair Credit Reporting Act (FCRA). While the law also provides similar protections for adults, the new safeguards afforded to children are indicative of an increased focus on protecting the personal data of minors. As more states begin to pass their own data protection laws, it is a near certainty that all businesses will need to examine their privacy and security protocols in order to ensure compliance with new protections afforded to children.

The highlights of the Act include these elements:

  • Adults and children can request a free credit freeze from all three nationwide credit reporting agencies: Equifax, Experian, and TransUnion. Once a credit freeze is implemented, a credit reporting agency is prohibited from disclosing the contents of your credit report to any person or entity requesting it. The credit freeze can be requested once every calendar year.
  • If a request for a credit freeze is made online or by phone, it must be implemented within one business day. If the request is made by mail, it must be implemented within three business days. The freeze can be removed at any time and, in most cases, must be removed within one hour after the request has been received by the agency.
  • If a credit freeze request is made on behalf of a child under 16, the person making the request must be able to demonstrate authority to act on the child's behalf through a court order, a power of attorney or a government document showing proof of parentage (i.e., a birth certificate). If a credit reporting agency does not have a file for a child under 16, the agency is required to create one, but it cannot be used for credit purposes.
  • As an alternative to a credit freeze, consumers can request a fraud alert on their credit file for up to one year. The prior maximum time limit for fraud alerts was 90 days. While a credit freeze generally limits all access to your credit report, a fraud alert allows creditors to access your credit report after your identity has been verified.

The Act is likely just the tip of the iceberg for identity theft and security protections for children. Recent studies have shown that the average age of a child identity theft victim is 12 years old. These events have resulted in families spending more than $500 million in out-of-pocket costs annually to try to resolve them. While the new credit freeze laws may only directly impact credit reporting agencies, businesses must be aware of the evolving landscape and expect increased regulations when it comes to protecting the data of children. The full text of the Act can be found here.

If you have any questions regarding these issues or any other data privacy or security matters, please contact Alex Koskey or any member of Baker Donelson's Data Protection, Privacy and Cybersecurity Group.

Email Disclaimer

NOTICE: The mailing of this email is not intended to create, and receipt of it does not constitute an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.
Cancel Accept