AB 1303 adds Section 876.5 to the Public Utilities Code and amends Section 2891 to sharply limit when information supplied by applicants or subscribers to California’s lifeline telephone service may be shared with government entities. The bill bars the Public Utilities Commission, its staff, the lifeline program’s third-party administrator, lifeline service providers, and their contractors from disclosing applicant or subscriber data to any local, state, or federal agency — including immigration authorities — unless the disclosure is compelled by a court-ordered subpoena or judicial warrant.
The measure also makes social security numbers optional (entities may request but not require them), permits only aggregated non-identifiable data for program analysis, and explicitly defines “lawful process” in the communications privacy statute to mean a court-ordered subpoena or judicial warrant. Those changes tighten privacy protections for low-income and potentially non‑lawfully-present applicants while imposing new operational constraints on program administrators, providers, and agencies that previously obtained records without judicial process.
At a Glance
What It Does
Prohibits the PUC, its staff, the lifeline third-party administrator, lifeline providers, and their contractors from sharing applicant or subscriber information with any government agency or immigration authority except upon a court-ordered subpoena or judicial warrant, while allowing required eligibility data exchanges, the use of aggregated non-identifiable data, and voluntary collection of social security numbers.
Who It Affects
Directly affects the California Public Utilities Commission, the lifeline program’s third‑party administrator, telephone and lifeline service providers, and contractors that handle applicant/subscriber data. It also affects low-income applicants and subscribers — including undocumented individuals — and the state or local agencies that previously used lifeline records for outreach, verification, or enforcement.
Why It Matters
The bill resets the default on government access to telecom-based benefit data in favor of privacy and immigrant protections, which reduces routine administrative access and forces agencies and providers to rely on narrow judicial process or on defined eligibility exchanges. That shift will change how lifeline eligibility is verified, how providers handle identity data (like SSNs), and how agencies pursue investigations that historically used telecom records.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 1303 inserts a new Section 876.5 into the Public Utilities Code that creates a strong presumption against sharing any information supplied by lifeline applicants or subscribers with government entities. The rule is simple in structure: the commission, its staff, the lifeline program’s third‑party administrator, lifeline service providers, and their contractors may not disclose applicant or subscriber information to local, state, or federal agencies — including immigration authorities — unless disclosure is compelled by a court‑ordered subpoena or a judicial warrant.
The statute, however, preserves a narrow operational allowance: it does not bar furnishing applications, records, or data to public agencies to the extent that those disclosures are required to verify eligibility for lifeline service.
The new section also curbs identity collection practices. It permits program actors to request social security numbers but forbids making SSNs a condition of applying for or receiving lifeline service.
For analytical and management purposes, the bill allows use of aggregated subscriber or applicant data only if those aggregates cannot be used, alone or combined with other data, to identify individuals. The statute further defines “immigration authority” and “immigration enforcement” broadly, signaling that the nondisclosure rule is intended to prevent use of lifeline records in immigration investigations.Separately, the bill amends existing communications privacy law (Section 2891) by providing a concrete definition of “lawful process” as an action taken pursuant to a court‑ordered subpoena or judicial warrant.
Section 2891’s long list of exceptions (directory listings, 911 responses, certain collection activities, information required by the commission or the FCC, and a limited lifeline outreach exception) remains in place, as do subscriber rights to rescind consent for disclosures (the statute requires a corporation to stop making available personal information within 30 days of a rescission notice).Taken together, those changes tighten the legal standard for when government actors can access telecom data tied to lifeline, while leaving narrow channels for necessary program administration and low-income outreach. Practically, the bill forces program administrators and providers to implement clear policies for handling voluntary SSN submissions, for segregating aggregatable analytics from identifiable records, and for processing any government disclosure requests through judicial channels — or, when permitted, through specified eligibility verification exchanges.
The Five Things You Need to Know
Section 876.5(a) forbids the PUC, its staff, the lifeline third‑party administrator, lifeline service providers, and their contractors from sharing applicant or subscriber information with any government agency or immigration authority unless a court‑ordered subpoena or judicial warrant is presented.
Section 876.5(d) permits program actors to request social security numbers but explicitly prohibits requiring SSNs as a condition of lifeline application or participation.
Section 876.5(c) allows use of aggregated subscriber or applicant data for analysis or program management only if the aggregated data cannot reidentify individual persons, alone or in combination with other data.
Amendment to Section 2891 redefines “lawful process” to mean a court‑ordered subpoena or judicial warrant, preserves existing exceptions (e.g.
911, directory services, commission‑required reporting), and keeps the 30‑day rule for withdrawing consent to data release.
Because violations of Public Utilities Code requirements can be criminal, the bill creates new enforcement exposure for covered entities and is treated as a state‑mandated local program under California law (the act states no state reimbursement is required).
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
General prohibition on sharing lifeline applicant/subscriber information with government or immigration authorities
This subsection establishes the core rule: the commission, its staff, the lifeline third‑party administrator, lifeline providers, and their contractors, agents, successors, or assignees may not share, disclose, or otherwise make accessible any applicant or subscriber information to any local, state, or federal agency or to any immigration authority unless the disclosure is compelled by a court‑ordered subpoena or a judicial warrant. Practically, that elevates judicial process as the primary gateway for government access to these records and restricts ad hoc or administrative data transfers for investigative or enforcement purposes.
Eligibility verification and aggregated data carveouts
Subsection (b) preserves a functional exception: furnishing applications, records, or data to other public agencies is allowed to the extent necessary to verify an applicant’s or subscriber’s lifeline eligibility. Subsection (c) separately permits the use of aggregated subscriber or applicant data for reporting and program management, but only if the aggregates cannot be used to determine individual identities, alone or combined with other data. These two carveouts create two distinct operational paths — one for necessary eligibility checks and another for non‑identifying program analytics — and require administrators to draw firm technical and policy lines between identifiable records and permitted aggregates.
Social security numbers voluntary, immigration definitions, and federal‑law declaration
Subsection (d) states entities may request SSNs but may not demand them as a condition of participation. Subsections (e) and (f) declare that, insofar as federal law (8 U.S.C. § 1621) is relevant, this article is a state law that may provide assistance to individuals not lawfully present, and they define ‘immigration authority’ and ‘immigration enforcement’ broadly. Those definitions make explicit that the nondisclosure rule targets a wide set of immigration‑related activities and signals legislative intent to protect undocumented applicants from program data being used for immigration enforcement.
Narrow definition of lawful process and preservation of existing exceptions
The amendment to Section 2891 keeps the longstanding consent requirement for disclosure of subscriber information but adds a clear statutory definition: ‘lawful process’ is an action taken pursuant to a court‑ordered subpoena or judicial warrant. The section preserves the statutory exceptions — directory listings, 911 responses, certain collection activities, commission‑mandated reporting, information exchanges required by FCC rules, and a narrowly tailored lifeline outreach exception (telephone corporations may provide the names and addresses of lifeline customers to a public utility for outreach and may charge for search and release costs). The amendment also reiterates the subscriber’s right to rescind consent, with the corporation required to stop disclosures within 30 days of notice.
State‑mandated local program and reimbursement statement
Section 3 treats the bill as creating a state‑mandated local program because provisions alter criminal liability under the Public Utilities Act (violations of PUC requirements can be crimes). The statute states no state reimbursement is required under the constitutional provision cited, which signals that local agencies may face fiscal impacts tied to enforcement or compliance without an offsetting state payment.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Low‑income lifeline applicants and subscribers (including non‑lawfully‑present individuals): the new rules reduce the risk that program application or subscription data will be disclosed to immigration authorities or other government actors without judicial process, lowering the privacy and enforcement risks associated with participation.
- Privacy and immigrant‑rights advocates: the bill creates a statutory shield around telecommunication records tied to a benefits program, giving advocates clearer legal grounds to challenge or block non‑judicial disclosures and to advise clients about program safety.
- Lifeline program participants generally: the ability to request but not require SSNs and the prohibition on routine data sharing may increase enrollment willingness among eligible households who previously avoided the program over privacy concerns.
Who Bears the Cost
- California Public Utilities Commission and the lifeline third‑party administrator: they must revise policies, contracts, and intake procedures to ensure non‑disclosure rules are followed, develop processes to segregate aggregated data, and implement subpoena/warrant review workflows.
- Lifeline service providers and telephone corporations: providers must adjust customer intake forms and verification workflows (e.g., treat SSNs as voluntary), train staff on new disclosure rules, and potentially face criminal liability for violations, increasing legal and compliance costs.
- State and local agencies (including law enforcement and immigration authorities): agencies that previously relied on administrative access to telecom records will need to seek judicial process more often, adding time and expense to investigations and program verification efforts.
Key Issues
The Core Tension
The central dilemma is straightforward: protect the privacy and safety of low‑income (and potentially undocumented) lifeline applicants by forcing government actors to obtain judicial process to access telecom records, or preserve administrative ease and program‑integrity tools that rely on faster, non‑judicial data exchanges; the bill favors privacy, but that choice increases verification burdens, slows investigations, and pushes difficult technical and legal questions to implementers and the courts.
The bill resolves one problem — routine government access to lifeline application and subscriber records — by requiring judicial process for most disclosures. That solution creates immediate implementation questions.
First, the statutory carveout for “furnishing applications, records, and data to other public agencies to the extent required for verifying an applicant’s or subscriber’s eligibility” is essential for administering benefits but is inherently vague. Agencies and providers will need operational guidance or rulemaking to determine which types of eligibility checks qualify, which third‑party verification databases are acceptable, and how to handle cross‑agency queries without triggering the subpoena requirement.
Second, the bill narrows “lawful process” to subpoenas and warrants, excluding other instruments (administrative demands, civil investigatory demands, or informal information requests) that government actors commonly use. That narrowing increases the likelihood of friction and litigation when agencies seek records; courts will likely be asked to determine whether particular administrative instruments meet the new standard.
Requiring judicial process can protect privacy but also slows investigations and outreach and may raise costs for both government and providers. The prohibition on requiring SSNs strengthens privacy but raises program‑integrity questions: without mandatory unique identifiers, providers may need alternative verification methods to prevent duplicate enrollments or fraud, increasing administrative burden or error risk.
Finally, the aggregation exception (use of non‑identifiable aggregates) depends on strong technical safeguards against reidentification. In practice, combining datasets can reidentify individuals unless strict thresholds and deidentification techniques are enforced.
The statute leaves those technical boundaries undefined, meaning the PUC or administrators will have to translate policy into concrete data‑management standards. Taken together, the bill advances privacy for a vulnerable population but shifts the work and risk to administrators, providers, and courts to sort out what verification, disclosure, and analytics look like in operation.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.